From e15ae4fa849c728abf3e191d1deef9373b6e969e Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Sep 30 2011 14:22:41 +0000
Subject: Fixes caused by the labeling of /etc/passwd Add thumb.patch to transition unconfined_t to thumb_t for Rawhide
---
diff --git a/passwd.patch b/passwd.patch
index f507510..8e496c6 100644
--- a/passwd.patch
+++ b/passwd.patch
@@ -138,6 +138,31 @@ index 2b348c7..b89658c 100644
 logging_send_syslog_msg(entropyd_t)
 miscfiles_read_localization(entropyd_t)
+diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te
+index 4f9a575..5fc3a55 100644
+--- a/policy/modules/services/plymouthd.te
++++ b/policy/modules/services/plymouthd.te
+@@ -75,6 +75,8 @@ init_signal(plymouthd_t)
+ logging_link_generic_logs(plymouthd_t)
+ logging_delete_generic_logs(plymouthd_t)
+ 
++auth_read_passwd(plymouthd_t)
++
+ miscfiles_read_localization(plymouthd_t)
+ miscfiles_read_fonts(plymouthd_t)
+ miscfiles_manage_fonts_cache(plymouthd_t)
+diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
+index 290f8c4..cd2909f 100644
+--- a/policy/modules/services/virt.te
++++ b/policy/modules/services/virt.te
+@@ -881,6 +881,7 @@ fs_getattr_xattr_fs(svirt_lxc_domain)
+ fs_list_inotifyfs(svirt_lxc_domain)
+ fs_dontaudit_getattr_xattr_fs(svirt_lxc_domain)
+ 
++auth_dontaudit_read_passwd(svirt_lxc_domain)
+ auth_dontaudit_read_login_records(svirt_lxc_domain)
+ auth_dontaudit_write_login_records(svirt_lxc_domain)
+ auth_search_pam_console_data(svirt_lxc_domain)
 diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
 index 59742f4..51ca568 100644
 --- a/policy/modules/system/authlogin.fc
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 49f328f..b772eb9 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
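Review bot: The added `auth_dontaudit_read_passwd(svirt_lxc_domain)` in the virt.te section is a dontaudit rule, so passwd reads by LXC container domains stay denied but no longer leave an AVC record. For a container domain that record is a useful detection signal, so the line should carry its reason, for example `# containers ship their own /etc/passwd; denied reads of the host copy are expected noise`, if that is the motivation (the diff does not say). Anyone investigating a container later has to rebuild policy with `semodule -DB` to see these denials again. The plymouthd.te section grants `auth_read_passwd(plymouthd_t)` outright, also without a comment; a one-line note on which lookup plymouthd needs would justify the grant.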
@@ -17,13 +17,14 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 34.5%{?dist}
+Release: 34.6%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
 patch: policy-F16.patch
 patch1: unconfined_permissive.patch
 patch2: passwd.patch
+patch3: thumb.patch
 Source1: modules-targeted.conf
 Source2: booleans-targeted.conf
 Source3: Makefile.devel
@@ -470,8 +471,9 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
-* Thu Sep 29 2011 Dan Walsh 3.10.0-34.4
+* Fri Sep 29 2011 Dan Walsh 3.10.0-34.4
 - Fixes caused by the labeling of /etc/passwd
+- Add thumb.patch to transition unconfined_t to thumb_t for Rawhide
 * Thu Sep 29 2011 Miroslav Grepl 3.10.0-34.3
 - Add support for Clustered Samba commands
diff --git a/thumb.patch b/thumb.patch
new file mode 100644
index 0000000..df9d9da
--- /dev/null
+++ b/thumb.patch
@@ -0,0 +1,16 @@
+diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
+index 1105ff5..620e17b 100644
+--- a/policy/modules/roles/unconfineduser.te
++++ b/policy/modules/roles/unconfineduser.te
+@@ -188,6 +188,11 @@ optional_policy(`
+ rtkit_scheduled(unconfined_usertype)
+ ')
+ 
++ # Might remove later if this proves to be problematic, but would like to gather AVC's
++ optional_policy(`
++ thumb_role(unconfined_r, unconfined_usertype)
++ ')
++
+ optional_policy(`
+ setroubleshoot_dbus_chat(unconfined_usertype)
+ setroubleshoot_dbus_chat_fixit(unconfined_t)
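Review bot: `patch3: thumb.patch` is declared in the first spec hunk, but no hunk in this commit touches %prep. Unless the spec applies patches in a way this diff does not show, thumb.patch ships in the source package without being applied and the thumb_role rule never reaches the built policy. Add the matching application line beside the existing ones, for example `%patch3 -p1 -b .thumb`, using whatever options patch2 is applied with. The changelog hunk that follows also leaves the entry at `3.10.0-34.4` while Release moves to 34.6, and it pairs `Fri` with `Sep 29 2011`, which the entry below gives as `Thu`; the entry header should carry the new release and date.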
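Review bot: The new comment above `thumb_role(unconfined_r, unconfined_usertype)` in thumb.patch says the rule is there to gather AVCs, but not what the rule does or what would count as problematic. If thumb_t is enforcing (its mode is not visible here), thumbnailers started by unconfined users will be denied, not merely logged, wherever the thumb policy is incomplete. I would spell that out, for example `# Run thumbnailers started by unconfined users in thumb_t (they parse untrusted files); trial rule, drop it if AVCs show the thumb policy is incomplete`. The surrounding unconfineduser.te block starts and ends outside this hunk, so any condition guarding the rule cannot be checked from here.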