From a5d054d692e36ec47155c6e1fa12ea1ceb2d844b Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Mar 02 2011 15:47:28 +0000 Subject: Elminate dac perms from svirt, should not be needed --- diff --git a/modules-mls.conf b/modules-mls.conf index ec38586..156fff2 100644 --- a/modules-mls.conf +++ b/modules-mls.conf @@ -30,7 +30,7 @@ acct = base # # Ainit ALSA configuration tool # -alsa = base +alsa = module # Layer: apps # Module: ada @@ -451,7 +451,7 @@ dmesg = base # # Decode DMI data for x86/ia64 bioses. # -dmidecode = base +dmidecode = module # Layer: system # Module: domain @@ -1690,7 +1690,7 @@ uucp = module # # run real-mode video BIOS code to alter hardware state # -vbetool = base +vbetool = module # Layer: apps # Module: webalizer @@ -2088,7 +2088,7 @@ rhcs = module # # Policy for shorewall # -shorewall = base +shorewall = module # Layer: admin # Module: shutdown diff --git a/modules-targeted.conf b/modules-targeted.conf index 6ed801c..a2dfb10 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -114,7 +114,7 @@ amavis = module # # Policy for the Anaconda installer. # -anaconda = base +anaconda = module # Layer: services # Module: apache @@ -128,7 +128,7 @@ apache = module # # Advanced power management daemon # -apm = base +apm = module # Layer: system # Module: application @@ -136,7 +136,7 @@ apm = base # # Defines attributs and interfaces for all user applications # -application = base +application = module # Layer: services # Module: arpwatch @@ -157,7 +157,7 @@ audioentropy = module # # Common policy for authentication and user login. # -authlogin = base +authlogin = module # Layer: services # Module: asterisk @@ -242,8 +242,7 @@ ubac = base # # Policy for the kernel modules, kernel image, and bootloader. # -bootloader = base - +bootloader = module # Layer: services # Module: canna @@ -342,7 +341,7 @@ clamav = module # # Policy for reading and setting the hardware clock. # -clock = base +clock = module # Layer: services # Module: consolekit 
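Review bot: The commit title `Elminate dac perms from svirt, should not be needed` describes nothing in this hunk or in the rest of the diff, which touches no svirt or virt policy at all; here alsa (and in the following modules-mls.conf hunks dmidecode, vbetool and shorewall) moves from `base` to `module`, and modules-targeted.conf flips more than fifty entries the same way, including init, libraries, logging, authlogin, userdomain and selinuxutil. Anyone bisecting a later boot or login regression will not find this change by its message. I would reword it to what the diff does, e.g. `Build most targeted-policy modules (init, libraries, logging, authlogin, userdomain, selinuxutil, ...) as loadable modules instead of base; make domain.te's init/seutil rules optional_policy to match`, and fix the `Elminate` typo if the svirt remark is kept as a second paragraph.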
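Review bot: The bootloader hunk (`@@ -242,8 +242,7 @@`) drops the blank line that separates `bootloader = module` from the following `# Layer: services` block, while every neighbouring entry keeps its separator; the hostname hunk in the next chunk (`@@ -722,8 +721,7 @@`) does the same. As far as I can see nothing depends on it functionally, but it makes the file irregular and the diff noisier than the one-line flip it is meant to be. I would keep the blank line so the hunk is only `-bootloader = base` / `+bootloader = module`.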
@@ -356,7 +355,7 @@ consolekit = module # # Determine of the console connected to the controlling terminal. # -consoletype = base +consoletype = module # Layer: kernel # Module: corecommands @@ -380,14 +379,14 @@ corenetwork = base # # Services for loading CPU microcode and CPU frequency scaling. # -cpucontrol = base +cpucontrol = module # Layer: services # Module: cron # # Periodic execution of scheduled commands. # -cron = base +cron = module # Layer: services # Module: cups @@ -436,7 +435,7 @@ dbskk = module # # Desktop messaging bus # -dbus = base +dbus = module # Layer: services # Module: dcc @@ -493,16 +492,16 @@ distcc = off # # Policy for dmesg. # -dmesg = base +dmesg = module # Layer: admin # Module: dmidecode # # Decode DMI data for x86/ia64 bioses. # -dmidecode = base +dmidecode = module -# Layer: system +# Layer: kernel # Module: domain # Required in base # @@ -610,7 +609,7 @@ finger = module # Final system configuration run during the first boot # after installation of Red Hat/Fedora systems. # -firstboot = base +firstboot = module # Layer: apps # Module: firewallgui @@ -631,7 +630,7 @@ fprintd = module # # Tools for filesystem management, such as mkfs and fsck. # -fstools = base +fstools = module # Layer: services # Module: ftp @@ -652,7 +651,7 @@ games = module # # Policy for getty. # -getty = base +getty = module # Layer: apps # Module: gnome @@ -722,8 +721,7 @@ psad = module # # Policy for changing the system host name. # -hostname = base - +hostname = module # Layer: system # Module: hotplug @@ -731,7 +729,7 @@ hostname = base # Policy for hotplug system, for supporting the # connection and disconnection of devices at runtime. # -hotplug = base +hotplug = module # Layer: services # Module: howl @@ -752,7 +750,7 @@ inetd = module # # System initialization programs (init and init scripts). # -init = base +init = module # Layer: services # Module: inn 
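Review bot: The `# Layer: system` to `# Layer: kernel` correction on the domain entry (dmidecode/domain hunk) is made only in modules-targeted.conf; the same entry in modules-mls.conf still reads `# Layer: system # Module: domain`, visible as context after that file's dmidecode hunk, so the two configs now disagree about a module marked `Required in base`. The same one-line fix belongs in modules-mls.conf. That `Required in base` note also now sits next to a domain module whose init and selinuxutil dependencies become loadable modules in this file (`init = module` in this chunk, `selinuxutil = module` later), which is what the new optional_policy wrappers in domain.te exist for; a short comment on the domain entry saying so, e.g. `# Required in base; its init/selinuxutil rules are optional_policy because those are loadable modules`, would save the next reader a trip to domain.te.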
@@ -766,7 +764,7 @@ inn = module # # Policy for iptables. # -iptables = base +iptables = module # Layer: system # Module: ipsec @@ -880,7 +878,7 @@ ktalk = module # # Hardware detection and configuration tools # -kudzu = base +kudzu = module # Layer: services # Module: ldap @@ -901,21 +899,21 @@ likewise = module # # Policy for system libraries. # -libraries = base +libraries = module # Layer: apps # Module: loadkeys # # Load keyboard mappings. # -loadkeys = base +loadkeys = module # Layer: system # Module: locallogin # # Policy for local logins. # -locallogin = base +locallogin = module # Layer: apps # Module: lockdev @@ -929,21 +927,21 @@ lockdev = module # # Policy for the kernel message logger and system logging daemon. # -logging = base +logging = module # Layer: admin # Module: logrotate # # Rotate and archive system logs # -logrotate = base +logrotate = module # Layer: services # Module: logwatch # # logwatch executable # -logwatch = base +logwatch = module # Layer: services # Module: lpd @@ -964,7 +962,7 @@ lircd = module # # Policy for logical volume management programs. # -lvm = base +lvm = module # Layer: services # Module: mailman @@ -978,7 +976,7 @@ mailman = module # # Policy for mcelog. # -mcelog = base +mcelog = module # Layer: kernel # Module: mcs @@ -1000,7 +998,7 @@ mediawiki = module # # Miscelaneous files. # -miscfiles = base +miscfiles = module # Layer: kernel # Module: mls @@ -1029,7 +1027,7 @@ mojomojo = module # # Policy for kernel module utilities # -modutils = base +modutils = module # Layer: apps # Module: mono @@ -1043,7 +1041,7 @@ mono = module # # Policy for mount. # -mount = base +mount = module # Layer: apps # Module: mozilla @@ -1113,7 +1111,7 @@ mrtg = module # # Policy common to all email tranfer agents. # -mta = base +mta = module # Layer: services # Module: mysql 
@@ -1148,14 +1146,14 @@ ncftool = module # # Network analysis utilities # -netutils = base +netutils = module # Layer: services # Module: networkmanager # # Manager for dynamically switching between networks. # -networkmanager = base +networkmanager = module # Layer: services # Module: nis @@ -1170,7 +1168,7 @@ nis = module # # Name service cache daemon # -nscd = base +nscd = module # Layer: services @@ -1236,7 +1234,7 @@ openct = module # # PCMCIA card management services # -pcmcia = base +pcmcia = module # Layer: services # Module: pegasus @@ -1292,7 +1290,7 @@ ppp = module # # Manage temporary directory sizes and file ages # -prelink = base +prelink = module # Layer: services # Module: procmail @@ -1348,14 +1346,14 @@ qpidd = module # # File system quota management # -quota = base +quota = module # Layer: system # Module: raid # # RAID array management tools # -raid = base +raid = module # Layer: services # Module: radius @@ -1383,7 +1381,7 @@ razor = module # # Readahead, read files into page cache for improved performance # -readahead = base +readahead = module # Layer: services # Module: rgmanager @@ -1474,14 +1472,14 @@ roundup = module # # Remote Procedure Call Daemon for managment of network based process communication # -rpc = base +rpc = module # Layer: admin # Module: rpm # # Policy for the RPM package manager. # -rpm = base +rpm = module # Layer: services @@ -1562,14 +1560,14 @@ selinux = base # # Policy for SELinux policy and userland applications. # -selinuxutil = base +selinuxutil = module # Layer: services # Module: sendmail # # Policy for sendmail. # -sendmail = base +sendmail = module # Layer: apps # Module: seunshare @@ -1583,7 +1581,7 @@ seunshare = module # # Policy for shorewall # -shorewall = base +shorewall = module # Layer: admin # Module: shutdown 
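Review bot: The description directly above the line changed in the prelink hunk, `# Manage temporary directory sizes and file ages`, does not describe prelink; it reads like the text for tmpreaper/tmpwatch that was copied here. Since the entry is being touched anyway, I would replace it with `# Prelink ELF binaries and shared libraries to speed up startup`. The rest of the entries in this chunk keep descriptions that match their module names.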
@@ -1605,14 +1603,14 @@ sectoolm = module # # Policy for setrans # -setrans = base +setrans = module # Layer: services # Module: setroubleshoot # # Policy for the SELinux troubleshooting utility # -setroubleshoot = base +setroubleshoot = module # Layer: services # Module: slrnpull @@ -1675,7 +1673,7 @@ squid = module # # Secure shell client and server policy. # -ssh = base +ssh = module # Layer: services # Module: sssd @@ -1703,14 +1701,14 @@ stunnel = module # # Run shells with substitute user and group # -su = base +su = module # Layer: admin # Module: sudo # # Execute a command with a substitute user # -sudo = base +sudo = module # Layer: system # Module: systemd @@ -1724,7 +1722,7 @@ systemd = module # # Policy for network configuration: ifconfig and dhcp client. # -sysnetwork = base +sysnetwork = module # Layer: services @@ -1760,7 +1758,7 @@ tgtd = module # # Policy for udev. # -udev = base +udev = module # Layer: services # Module: usbmuxd @@ -1774,7 +1772,7 @@ usbmuxd = module # # Policy for user domains # -userdomain = base +userdomain = module # Layer: system # Module: unconfined @@ -1845,7 +1843,7 @@ telepathy = module # # Policy for tzdata-update # -tzdata = base +tzdata = module # Layer: apps # Module: userhelper @@ -1929,7 +1927,7 @@ qemu = module # # Utilities for configuring the linux ethernet bridge # -brctl = base +brctl = module # Layer: services # Module: telnet @@ -1992,7 +1990,7 @@ xfs = module # # X windows login display manager # -xserver = base +xserver = module # Layer: services # Module: zarafa @@ -2013,7 +2011,7 @@ zebra = module # # Policy for managing user accounts. # -usermanage = base +usermanage = module # Layer: admin # Module: updfstab @@ -2205,7 +2203,7 @@ staff = module # # System Administrator # -sysadm = base +sysadm = module # Layer: role # Module: unprivuser diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te index 5843cad..af7396b 100644 --- a/policy/modules/kernel/domain.te 
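Review bot: With `sysadm`, `userdomain`, `su`, `sudo`, `ssh`, `udev` and `xserver` switched to `module` in this chunk, and `init`, `libraries`, `logging`, `authlogin`, `locallogin` and `selinuxutil` in the earlier ones, the built policy no longer carries these rules in its base module, so each becomes individually removable or disableable through semodule like any other loadable module, yet nothing in the file records that a system without them cannot boot or log in. domain.te in this same commit already turns its `init_sigchld`/`init_signull` rules into `optional_policy`, so a policy with `init` removed will load rather than fail to link. I would mark the affected entries, e.g. `# Built as a loadable module, but still required for boot and login -- do not remove or disable`, or at minimum list the mandatory modules in the file header. If the motivation is only faster incremental rebuilds, the commit message should say so.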
+++ b/policy/modules/kernel/domain.te @@ -202,10 +202,14 @@ selinux_getattr_fs(domain) selinux_search_fs(domain) selinux_dontaudit_read_fs(domain) -seutil_dontaudit_read_config(domain) +optional_policy(` + seutil_dontaudit_read_config(domain) +') -init_sigchld(domain) -init_signull(domain) +optional_policy(` + init_sigchld(domain) + init_signull(domain) +') ifdef(`distro_redhat',` files_search_mnt(domain) diff --git a/selinux-policy.spec b/selinux-policy.spec index e937066..c34aa10 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -26,6 +26,7 @@ License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz patch: policy-F15.patch +patch2: policy-test.patch Source1: modules-targeted.conf Source2: booleans-targeted.conf Source3: Makefile.devel @@ -204,6 +205,7 @@ Based off of reference policy: Checked out revision 2.20091117 %prep %setup -n serefpolicy-%{version} -q %patch -p1 +%patch2 -p1 %install mkdir selinux_config
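Review bot: The two new `optional_policy` wrappers carry no comment on why rules every domain needs (`init_sigchld`, `init_signull`, `seutil_dontaudit_read_config`) are now optional; the reason is only recoverable from modules-targeted.conf in the same commit, where `init` and `selinuxutil` become loadable modules, and a policy built with either set to `off` will now build silently without these rules instead of failing. I would put a comment above each block, e.g. `# init (and selinuxutil) are loadable modules, see modules-*.conf; these rules are needed for any domain to be reaped by init, so do not build without the init module.` Keeping the seutil and init calls in separate `optional_policy` blocks is correct, since each is gated on a different module. The `domain` rules this hunk sits in continue outside it on both sides.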
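Review bot: `patch2: policy-test.patch` is declared and applied unconditionally by `%patch2 -p1` in %prep, but the diff adds no such file, so unless it is committed separately this leaves the package unbuildable; the name also reads like a scratch patch rather than something meant to ship, and the commit message says nothing about it. If it is intended, a one-line comment stating what it changes and when it is to be dropped, e.g. `# policy-test.patch: <what it changes>; fold into policy-F15.patch before release`, would make its status clear. The description context `Checked out revision 2.20091117` is visible next to this hunk and may well be stale given the scope of the policy changes in this commit.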