diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 2aa3642a4..33d8754f5 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,4 @@
+- Miscellaneous fixes from Thomas Bleher.
 - Deprecate module name as first parameter of optional_policy() now that optionals are allowed everywhere.
 - Enable optional blocks in base module and monolithic policy.
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index cc38a0ccc..0c5fe4015 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -32,7 +32,8 @@ logging_log_file(cupsd_log_t)
 type cupsd_lpd_t;
 type cupsd_lpd_exec_t;
-inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t)
+domain_type(cupsd_lpd_t)
+domain_entry_file(cupsd_lpd_t,cupsd_lpd_exec_t)
 role system_r types cupsd_lpd_t;
 type cupsd_lpd_tmp_t;
@@ -724,6 +725,10 @@ miscfiles_read_localization(cupsd_lpd_t)
 sysnet_read_config(cupsd_lpd_t)
+optional_policy(`
+ inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t)
+')
+
 optional_policy(`
 nis_use_ypbind(cupsd_lpd_t)
 ')
diff --git a/refpolicy/policy/modules/services/postgresql.fc b/refpolicy/policy/modules/services/postgresql.fc
index 66acc3678..a77d9eb38 100644
--- a/refpolicy/policy/modules/services/postgresql.fc
+++ b/refpolicy/policy/modules/services/postgresql.fc
@@ -14,6 +14,10 @@
 /usr/lib(64)?/postgresql/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+ifdef(`distro_debian', `
+/usr/lib/postgresql/.*/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+')
+
 ifdef(`distro_redhat', `
 /usr/share/jonas/pgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
 ')
diff --git a/refpolicy/policy/modules/services/xfs.fc b/refpolicy/policy/modules/services/xfs.fc
index e5d320e4e..8e70038b2 100644
--- a/refpolicy/policy/modules/services/xfs.fc
+++ b/refpolicy/policy/modules/services/xfs.fc
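Review bot: In the first cups.te hunk (+32) the `domain_type(cupsd_lpd_t)` / `domain_entry_file(cupsd_lpd_t,cupsd_lpd_exec_t)` pair keeps the type declared unconditionally, but as far as this diff shows the only transition into cupsd_lpd_t is the `inetd_service_domain()` call now moved into the optional block at +725, so without the inetd module the domain exists but nothing can enter it. That is acceptable, but it deserves a comment above the declaration, e.g. `# cupsd_lpd_t is entered only via inetd; the transition lives in the optional_policy() block below`. If `inetd_service_domain()` itself also performs `domain_type()`/`domain_entry_file()`, the optional block repeats those typeattribute assignments when inetd is present; the compiler tolerates that, but confirm against inetd.if.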
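Review bot: The Debian pattern `/usr/lib/postgresql/.*/bin/.*` added at +17 of postgresql.fc uses an unbounded `.*` for the version component, so it also matches any deeper path under that tree that happens to contain a `bin/` segment and labels it postgresql_exec_t, an entry-point type. Since the intended layout is one directory per major version, `/usr/lib/postgresql/[^/]+/bin/.*` restricts the match to that layout while leaving the `--` qualifier and context unchanged. Presumably no `(64)?` variant is needed here because Debian does not use a lib64 directory; worth confirming.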
@@ -1,6 +1,7 @@
 /tmp/\.font-unix(/.*)? gen_context(system_u:object_r:xfs_tmp_t,s0)
+/usr/bin/xfs -- gen_context(system_u:object_r:xfs_exec_t,s0)
 /usr/bin/xfstt -- gen_context(system_u:object_r:xfs_exec_t,s0)
 /usr/X11R6/bin/xfs -- gen_context(system_u:object_r:xfs_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/xserver.fc b/refpolicy/policy/modules/services/xserver.fc
index d0ba41633..3d19691df 100644
--- a/refpolicy/policy/modules/services/xserver.fc
+++ b/refpolicy/policy/modules/services/xserver.fc
@@ -55,6 +55,9 @@ ifdef(`strict_policy',`
 /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
 /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
+ifdef(`distro_debian', `
+/usr/sbin/gdm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+')
 /usr/lib(64)?/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 9ab09ccee..1dc2d5a73 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -380,8 +380,6 @@ seutil_read_config(initrc_t)
 sysnet_read_config(initrc_t)
-udev_rw_db(initrc_t)
-
 userdom_read_all_users_home_content_files(initrc_t)
 # Allow access to the sysadm TTYs. Note that this will give access to the
 # TTYs to any process in the initrc_t domain. Therefore, daemons and such
@@ -708,6 +706,10 @@ optional_policy(`
 sysnet_read_dhcpc_state(initrc_t)
 ')
+optional_policy(`
+ udev_rw_db(initrc_t)
+')
+
 optional_policy(`
 uml_setattr_util_sockets(initrc_t)
 ')
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 54a401355..632acdb41 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
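Review bot: The `ifdef(`distro_debian', `` block added at +58 of xserver.fc is placed between the Xorg and qt entries, which the hunk header suggests are inside the `ifdef(`strict_policy',`` block; if so, `/usr/sbin/gdm` receives xdm_exec_t only when both strict policy and distro_debian are set, and it should move next to any unconditional display-manager entries if Debian gdm is meant to be labelled under every policy type. If Debian's `/usr/sbin/gdm` is a wrapper script rather than the daemon binary, the domain transition happens at the wrapper and the binary it execs still needs a label that xdm_t can execute; confirm against the package layout. A one-line comment such as `# Debian installs gdm under /usr/sbin` above the ifdef would record the intent either way. The enclosing ifdef block starts and ends outside the hunk.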
@@ -395,7 +395,9 @@ ifdef(`distro_redhat', `
 ')
 ifdef(`hide_broken_symptoms',`
- udev_dontaudit_rw_dgram_sockets(restorecon_t)
+ optional_policy(`
+ udev_dontaudit_rw_dgram_sockets(restorecon_t)
+ ')
 ')
 optional_policy(`