Fix sandbox to always use sandbox_file_t, so generated policy will work.
- Update Translations
parent
72cc2c98e2
commit
55520d61bb
|
@ -248304,7 +248304,7 @@ index d1b435c..1c323d2 100644
|
||||||
account include system-auth
|
account include system-auth
|
||||||
password include system-auth
|
password include system-auth
|
||||||
diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
|
diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
|
||||||
index b629006..6631c2d 100644
|
index b629006..49f735a 100644
|
||||||
--- a/policycoreutils/sandbox/sandbox
|
--- a/policycoreutils/sandbox/sandbox
|
||||||
+++ b/policycoreutils/sandbox/sandbox
|
+++ b/policycoreutils/sandbox/sandbox
|
||||||
@@ -243,7 +243,7 @@ class Sandbox:
|
@@ -243,7 +243,7 @@ class Sandbox:
|
||||||
|
@ -248325,6 +248325,17 @@ index b629006..6631c2d 100644
|
||||||
help=_("alternate window manager"))
|
help=_("alternate window manager"))
|
||||||
|
|
||||||
parser.add_option("-l", "--level", dest="level",
|
parser.add_option("-l", "--level", dest="level",
|
||||||
|
@@ -403,9 +403,7 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile
|
||||||
|
|
||||||
|
con = selinux.getcon()[1].split(":")
|
||||||
|
self.__execcon = "%s:%s:%s:%s" % (con[0], con[1], self.setype, level)
|
||||||
|
- self.__filecon = "%s:%s:%s:%s" % (con[0], "object_r",
|
||||||
|
- "%s_file_t" % self.setype[:-2],
|
||||||
|
- level)
|
||||||
|
+ self.__filecon = "%s:object_r:sandbox_file_t:%s" % (con[0], level)
|
||||||
|
def __setup_dir(self):
|
||||||
|
if self.__options.level or self.__options.session:
|
||||||
|
return
|
||||||
diff --git a/policycoreutils/sandbox/sandbox.8 b/policycoreutils/sandbox/sandbox.8
|
diff --git a/policycoreutils/sandbox/sandbox.8 b/policycoreutils/sandbox/sandbox.8
|
||||||
index 521afcd..0c8cd1e 100644
|
index 521afcd..0c8cd1e 100644
|
||||||
--- a/policycoreutils/sandbox/sandbox.8
|
--- a/policycoreutils/sandbox/sandbox.8
|
||||||
|
@ -249866,18 +249877,70 @@ index 82fea52..6efd463 100644
|
||||||
fi
|
fi
|
||||||
COMPREPLY=( $(compgen -W '${OPTS[$verb]}' -- "$cur") )
|
COMPREPLY=( $(compgen -W '${OPTS[$verb]}' -- "$cur") )
|
||||||
diff --git a/policycoreutils/sepolicy/sepolicy-generate.8 b/policycoreutils/sepolicy/sepolicy-generate.8
|
diff --git a/policycoreutils/sepolicy/sepolicy-generate.8 b/policycoreutils/sepolicy/sepolicy-generate.8
|
||||||
index fb84af6..c2fa601 100644
|
index fb84af6..84a96f1 100644
|
||||||
--- a/policycoreutils/sepolicy/sepolicy-generate.8
|
--- a/policycoreutils/sepolicy/sepolicy-generate.8
|
||||||
+++ b/policycoreutils/sepolicy/sepolicy-generate.8
|
+++ b/policycoreutils/sepolicy/sepolicy-generate.8
|
||||||
@@ -8,12 +8,18 @@ sepolicy-generate \- Generate an initial SELinux policy module template.
|
@@ -4,16 +4,69 @@ sepolicy-generate \- Generate an initial SELinux policy module template.
|
||||||
.B sepolicy generate [\-h] [\-d DOMAIN] [\-u USER] [\-w WRITE_PATH ] [\-a ADMIN_DOMAIN] [\-n NAME] [\-p PATH] [\-\-admin_user | \-\-application | \-\-cgi | \-\-confined_admin | \-\-customize | \-\-dbus | \-\-desktop_user | \-\-inetd | \-\-newtype | \-\-init | \-\-sandbox | \-\-term_user | \-\-x_user]
|
|
||||||
|
.SH "SYNOPSIS"
|
||||||
|
|
||||||
|
+Common options
|
||||||
|
+
|
||||||
|
+.B sepolicy generate [\-h ] [\-p PATH]
|
||||||
|
+
|
||||||
|
+.br
|
||||||
|
+
|
||||||
|
+Confined Applications
|
||||||
|
+
|
||||||
|
+.br
|
||||||
|
+.B sepolicy generate \-\-application [\-n NAME] [\-w WRITE_PATH ] command
|
||||||
|
+.br
|
||||||
|
+.B sepolicy generate \-\-init [\-n NAME] [\-w WRITE_PATH ] command
|
||||||
|
+.br
|
||||||
|
+.B sepolicy generate \-\-cgi [\-n NAME] [\-w WRITE_PATH ] command
|
||||||
|
+.br
|
||||||
|
+.B sepolicy generate \-\-dbus [\-n NAME] [\-w WRITE_PATH ] command
|
||||||
|
+.br
|
||||||
|
+.B sepolicy generate \-\-inetd [\-n NAME] [\-w WRITE_PATH ] command
|
||||||
|
+.br
|
||||||
|
+.B sepolicy generate \-\-inetd [\-n NAME] [\-w WRITE_PATH ] command
|
||||||
|
+.br
|
||||||
|
+
|
||||||
|
+Confined Users
|
||||||
|
+
|
||||||
|
+.br
|
||||||
|
+.B sepolicy generate \-\-admin_user \-n NAME
|
||||||
|
+.br
|
||||||
|
+.B sepolicy generate \-\-confined_admin \-n NAME [\-a ADMIN_DOMAIN] [\-u USER] [\-n NAME] [\-p PATH]
|
||||||
|
+.br
|
||||||
|
+.B sepolicy generate \-\-desktop_user \-n NAME [\-p PATH]
|
||||||
|
+.br
|
||||||
|
+.B sepolicy generate \-\-term_user \-n NAME [\-p PATH]
|
||||||
|
+.br
|
||||||
|
+.B sepolicy generate \-\-x_user \-n NAME [\-p PATH]
|
||||||
|
.br
|
||||||
|
-.B sepolicy generate [\-h] [\-d DOMAIN] [\-u USER] [\-w WRITE_PATH ] [\-a ADMIN_DOMAIN] [\-n NAME] [\-p PATH] [\-\-admin_user | \-\-application | \-\-cgi | \-\-confined_admin | \-\-customize | \-\-dbus | \-\-desktop_user | \-\-inetd | \-\-newtype | \-\-init | \-\-sandbox | \-\-term_user | \-\-x_user]
|
||||||
|
+
|
||||||
|
+Miscellaneous Policy
|
||||||
|
+
|
||||||
|
+.br
|
||||||
|
+.B sepolicy generate \-\-customize \-d DOMAIN \-n NAME [\-a ADMIN_DOMAIN]
|
||||||
|
+.br
|
||||||
|
+.B sepolicy generate \-\-newtype \-t type \-n NAME
|
||||||
|
+.br
|
||||||
|
+.B sepolicy generate \-\-sandbox \-n NAME
|
||||||
|
|
||||||
.SH "DESCRIPTION"
|
.SH "DESCRIPTION"
|
||||||
-Use sepolicy generate to generate an SELinux policy Module. sepolicy generate will generate 4 files.
|
-Use sepolicy generate to generate an SELinux policy Module. sepolicy generate will generate 4 files.
|
||||||
+Use \fBsepolicy generate\fP to generate an SELinux policy Module. \fBsepolicy generate\fP will create 5 files.
|
+Use \fBsepolicy generate\fP to generate an SELinux policy Module.
|
||||||
+
|
+
|
||||||
+If you specify a binary path, \fBsepolicy generate\fP will use the rpm payload of the binary along with \fBnm -D BINARY\fP to discover types and policy rules to generate these template files.
|
+.br
|
||||||
|
+\fBsepolicy generate\fP will create 5 files.
|
||||||
+
|
+
|
||||||
|
+When specifying a \fBconfined application\fP you must specify a
|
||||||
|
+path. \fBsepolicy generate\fP will use the rpm payload of the
|
||||||
|
+application along with \fBnm -D APPLICATION\fP to help it generate
|
||||||
|
+types and policy rules for your policy files.
|
||||||
|
|
||||||
.B Type Enforcing File NAME.te
|
.B Type Enforcing File NAME.te
|
||||||
.br
|
.br
|
||||||
|
@ -249889,7 +249952,7 @@ index fb84af6..c2fa601 100644
|
||||||
.B Interface File NAME.if
|
.B Interface File NAME.if
|
||||||
.br
|
.br
|
||||||
This file defines the interfaces for the types generated in the te file, which can be used by other policy domains.
|
This file defines the interfaces for the types generated in the te file, which can be used by other policy domains.
|
||||||
@@ -25,7 +31,7 @@ file paths to the types. Tools like restorecon and RPM will use these paths to
|
@@ -25,7 +78,7 @@ file paths to the types. Tools like restorecon and RPM will use these paths to
|
||||||
|
|
||||||
.B RPM Spec File NAME_selinux.spec
|
.B RPM Spec File NAME_selinux.spec
|
||||||
.br
|
.br
|
||||||
|
@ -249898,6 +249961,27 @@ index fb84af6..c2fa601 100644
|
||||||
|
|
||||||
.B Shell File NAME.sh
|
.B Shell File NAME.sh
|
||||||
.br
|
.br
|
||||||
|
@@ -39,13 +92,19 @@ If a generate is possible, this tool will print out all generate paths from the
|
||||||
|
.I \-h, \-\-help
|
||||||
|
Display help message
|
||||||
|
.TP
|
||||||
|
+.I \-d, \-\-domain
|
||||||
|
+Enter domain type(s) which you will be extending
|
||||||
|
+.TP
|
||||||
|
.I \-n, \-\-name
|
||||||
|
-Specify alternate name of policy. The policy will default to the executable or name specified.
|
||||||
|
+Specify alternate name of policy. The policy will default to the executable or name specified
|
||||||
|
.TP
|
||||||
|
.I \-p, \-\-path
|
||||||
|
Specify the directory to store the created policy files. (Default to current working directory )
|
||||||
|
optional arguments:
|
||||||
|
.TP
|
||||||
|
+.I \-t, \-\-type
|
||||||
|
+Enter type(s) for which you will generate new definition and rule(s)
|
||||||
|
+.TP
|
||||||
|
.I \-u, \-\-user
|
||||||
|
SELinux user(s) which will transition to this domain
|
||||||
|
.TP
|
||||||
diff --git a/policycoreutils/sepolicy/sepolicy-interface.8 b/policycoreutils/sepolicy/sepolicy-interface.8
|
diff --git a/policycoreutils/sepolicy/sepolicy-interface.8 b/policycoreutils/sepolicy/sepolicy-interface.8
|
||||||
index 4fc9792..02c4c1a 100644
|
index 4fc9792..02c4c1a 100644
|
||||||
--- a/policycoreutils/sepolicy/sepolicy-interface.8
|
--- a/policycoreutils/sepolicy/sepolicy-interface.8
|
||||||
|
@ -250657,7 +250741,7 @@ index a179d95..9b9a09a 100755
|
||||||
tlist = []
|
tlist = []
|
||||||
for l in map(lambda y: y[sepolicy.TARGET], filter(lambda x: set(perm).issubset(x[sepolicy.PERMS]), allows)):
|
for l in map(lambda y: y[sepolicy.TARGET], filter(lambda x: set(perm).issubset(x[sepolicy.PERMS]), allows)):
|
||||||
diff --git a/policycoreutils/sepolicy/sepolicy/generate.py b/policycoreutils/sepolicy/sepolicy/generate.py
|
diff --git a/policycoreutils/sepolicy/sepolicy/generate.py b/policycoreutils/sepolicy/sepolicy/generate.py
|
||||||
index 26f8390..4739025 100644
|
index 26f8390..837d3e3 100644
|
||||||
--- a/policycoreutils/sepolicy/sepolicy/generate.py
|
--- a/policycoreutils/sepolicy/sepolicy/generate.py
|
||||||
+++ b/policycoreutils/sepolicy/sepolicy/generate.py
|
+++ b/policycoreutils/sepolicy/sepolicy/generate.py
|
||||||
@@ -63,20 +63,6 @@ except IOError:
|
@@ -63,20 +63,6 @@ except IOError:
|
||||||
|
@ -250811,6 +250895,38 @@ index 26f8390..4739025 100644
|
||||||
for u in self.transition_users:
|
for u in self.transition_users:
|
||||||
tmp = re.sub("TEMPLATETYPE", self.name, script.admin_trans)
|
tmp = re.sub("TEMPLATETYPE", self.name, script.admin_trans)
|
||||||
newsh += re.sub("USER", u, tmp)
|
newsh += re.sub("USER", u, tmp)
|
||||||
|
@@ -1143,6 +1145,8 @@ allow %s_t %s_t:%s_socket name_%s;
|
||||||
|
newsh = re.sub("TEMPLATEFILE", "%s" % self.file_name, temp)
|
||||||
|
else:
|
||||||
|
newsh = re.sub("TEMPLATEFILE", self.file_name, temp)
|
||||||
|
+ newsh += re.sub("DOMAINTYPE", self.name, script.manpage)
|
||||||
|
+
|
||||||
|
if self.program:
|
||||||
|
newsh += re.sub("FILENAME", self.program, script.restorecon)
|
||||||
|
if self.initscript != "":
|
||||||
|
@@ -1165,6 +1169,7 @@ allow %s_t %s_t:%s_socket name_%s;
|
||||||
|
newsh += re.sub("TEMPLATETYPE", self.name, t1)
|
||||||
|
|
||||||
|
newsh += self.generate_user_sh()
|
||||||
|
+ newsh += re.sub("TEMPLATETYPE", self.name, script.rpm)
|
||||||
|
|
||||||
|
return newsh
|
||||||
|
|
||||||
|
@@ -1198,7 +1203,13 @@ allow %s_t %s_t:%s_socket name_%s;
|
||||||
|
if self.type not in APPLICATIONS:
|
||||||
|
newspec = re.sub("%relabel_files", "", newspec)
|
||||||
|
|
||||||
|
- return newspec
|
||||||
|
+ # Remove man pages from EUSER spec file
|
||||||
|
+ if self.type == EUSER:
|
||||||
|
+ newspec = re.sub(".*%s_selinux.8.*" % self.name,"", newspec)
|
||||||
|
+ # Remove user context file from non users spec file
|
||||||
|
+ if self.type not in ( TUSER, XUSER, AUSER, LUSER, RUSER):
|
||||||
|
+ newspec = re.sub(".*%s_u.*" % self.name,"", newspec)
|
||||||
|
+ return newspec
|
||||||
|
|
||||||
|
def write_spec(self, out_dir):
|
||||||
|
specfile = "%s/%s_selinux.spec" % (out_dir, self.file_name)
|
||||||
diff --git a/policycoreutils/sepolicy/sepolicy/interface.py b/policycoreutils/sepolicy/sepolicy/interface.py
|
diff --git a/policycoreutils/sepolicy/sepolicy/interface.py b/policycoreutils/sepolicy/sepolicy/interface.py
|
||||||
index 8b063ca..c7dac62 100644
|
index 8b063ca..c7dac62 100644
|
||||||
--- a/policycoreutils/sepolicy/sepolicy/interface.py
|
--- a/policycoreutils/sepolicy/sepolicy/interface.py
|
||||||
|
@ -251345,6 +251461,111 @@ index 66efe26..a446d68 100755
|
||||||
d={}
|
d={}
|
||||||
tlist = get_types(src, "%s_socket" % protocol, [perm])
|
tlist = get_types(src, "%s_socket" % protocol, [perm])
|
||||||
if len(tlist) > 0:
|
if len(tlist) > 0:
|
||||||
|
diff --git a/policycoreutils/sepolicy/sepolicy/templates/script.py b/policycoreutils/sepolicy/sepolicy/templates/script.py
|
||||||
|
index c139070..54fd40a 100644
|
||||||
|
--- a/policycoreutils/sepolicy/sepolicy/templates/script.py
|
||||||
|
+++ b/policycoreutils/sepolicy/sepolicy/templates/script.py
|
||||||
|
@@ -66,14 +66,17 @@ set -x
|
||||||
|
make -f /usr/share/selinux/devel/Makefile TEMPLATEFILE.pp || exit
|
||||||
|
/usr/sbin/semodule -i TEMPLATEFILE.pp
|
||||||
|
|
||||||
|
-# Generate a man page off the installed module
|
||||||
|
-sepolicy manpage -p . -d DOMAINTYPE_t
|
||||||
|
-
|
||||||
|
+"""
|
||||||
|
+rpm="""\
|
||||||
|
# Generate a rpm package for the newly generated policy
|
||||||
|
|
||||||
|
pwd=$(pwd)
|
||||||
|
rpmbuild --define "_sourcedir ${pwd}" --define "_specdir ${pwd}" --define "_builddir ${pwd}" --define "_srcrpmdir ${pwd}" --define "_rpmdir ${pwd}" --define "_buildrootdir ${pwd}/.build" -ba TEMPLATETYPE_selinux.spec
|
||||||
|
+"""
|
||||||
|
|
||||||
|
+manpage="""\
|
||||||
|
+# Generate a man page off the installed module
|
||||||
|
+sepolicy manpage -p . -d DOMAINTYPE_t
|
||||||
|
"""
|
||||||
|
|
||||||
|
restorecon="""\
|
||||||
|
@@ -107,8 +110,7 @@ admin_trans="""\
|
||||||
|
"""
|
||||||
|
|
||||||
|
min_login_user_default_context="""\
|
||||||
|
-if [ ! -f /etc/selinux/targeted/contexts/users/TEMPLATETYPE_u ]; then
|
||||||
|
-cat > /etc/selinux/targeted/contexts/users/TEMPLATETYPE_u << _EOF
|
||||||
|
+cat > TEMPLATETYPE_u << _EOF
|
||||||
|
TEMPLATETYPE_r:TEMPLATETYPE_t:s0 TEMPLATETYPE_r:TEMPLATETYPE_t
|
||||||
|
system_r:crond_t TEMPLATETYPE_r:TEMPLATETYPE_t
|
||||||
|
system_r:initrc_su_t TEMPLATETYPE_r:TEMPLATETYPE_t
|
||||||
|
@@ -116,12 +118,13 @@ system_r:local_login_t TEMPLATETYPE_r:TEMPLATETYPE_t
|
||||||
|
system_r:remote_login_t TEMPLATETYPE_r:TEMPLATETYPE_t
|
||||||
|
system_r:sshd_t TEMPLATETYPE_r:TEMPLATETYPE_t
|
||||||
|
_EOF
|
||||||
|
+if [ ! -f /etc/selinux/targeted/contexts/users/TEMPLATETYPE_u ]; then
|
||||||
|
+ cp TEMPLATETYPE_u /etc/selinux/targeted/contexts/users/
|
||||||
|
fi
|
||||||
|
"""
|
||||||
|
|
||||||
|
x_login_user_default_context="""\
|
||||||
|
-if [ ! -f /etc/selinux/targeted/contexts/users/TEMPLATETYPE_u ]; then
|
||||||
|
-cat > /etc/selinux/targeted/contexts/users/TEMPLATETYPE_u << _EOF
|
||||||
|
+cat > TEMPLATETYPE_u << _EOF
|
||||||
|
TEMPLATETYPE_r:TEMPLATETYPE_t TEMPLATETYPE_r:TEMPLATETYPE_t
|
||||||
|
system_r:crond_t TEMPLATETYPE_r:TEMPLATETYPE_t
|
||||||
|
system_r:initrc_su_t TEMPLATETYPE_r:TEMPLATETYPE_t
|
||||||
|
@@ -130,5 +133,7 @@ system_r:remote_login_t TEMPLATETYPE_r:TEMPLATETYPE_t
|
||||||
|
system_r:sshd_t TEMPLATETYPE_r:TEMPLATETYPE_t
|
||||||
|
system_r:xdm_t TEMPLATETYPE_r:TEMPLATETYPE_t
|
||||||
|
_EOF
|
||||||
|
+if [ ! -f /etc/selinux/targeted/contexts/users/TEMPLATETYPE_u ]; then
|
||||||
|
+ cp TEMPLATETYPE_u /etc/selinux/targeted/contexts/users/
|
||||||
|
fi
|
||||||
|
"""
|
||||||
|
diff --git a/policycoreutils/sepolicy/sepolicy/templates/spec.py b/policycoreutils/sepolicy/sepolicy/templates/spec.py
|
||||||
|
index dbddf39..d8ee42f 100644
|
||||||
|
--- a/policycoreutils/sepolicy/sepolicy/templates/spec.py
|
||||||
|
+++ b/policycoreutils/sepolicy/sepolicy/templates/spec.py
|
||||||
|
@@ -18,6 +18,7 @@ URL: http://HOSTNAME
|
||||||
|
Source0: MODULENAME.pp
|
||||||
|
Source1: MODULENAME.if
|
||||||
|
Source2: DOMAINNAME_selinux.8
|
||||||
|
+Source3: DOMAINNAME_u
|
||||||
|
|
||||||
|
Requires: policycoreutils, libselinux-utils
|
||||||
|
Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils
|
||||||
|
@@ -36,13 +37,16 @@ install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages
|
||||||
|
install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib
|
||||||
|
install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/
|
||||||
|
install -d %{buildroot}%{_mandir}/man8/
|
||||||
|
-install -m 644 %{SOURCE2} %{buildroot}%{_mandir}/man8/
|
||||||
|
+install -m 644 %{SOURCE2} %{buildroot}%{_mandir}/man8/DOMAINNAME_selinux.8
|
||||||
|
+install -d %{buildroot}/etc/selinux/targeted/contexts/users/
|
||||||
|
+install -m 644 %{SOURCE3} %{buildroot}/etc/selinux/targeted/contexts/users/DOMAINNAME_u
|
||||||
|
|
||||||
|
%post
|
||||||
|
semodule -n -i %{_datadir}/selinux/packages/MODULENAME.pp
|
||||||
|
if /usr/sbin/selinuxenabled ; then
|
||||||
|
/usr/sbin/load_policy
|
||||||
|
%relabel_files
|
||||||
|
+ /usr/sbin/semanage user -a -R DOMAINNAME_r DOMAINNAME_u
|
||||||
|
fi;
|
||||||
|
exit 0
|
||||||
|
|
||||||
|
@@ -52,6 +56,7 @@ if [ $1 -eq 0 ]; then
|
||||||
|
if /usr/sbin/selinuxenabled ; then
|
||||||
|
/usr/sbin/load_policy
|
||||||
|
%relabel_files
|
||||||
|
+ /usr/sbin/semanage user -d DOMAINNAME_u
|
||||||
|
fi;
|
||||||
|
fi;
|
||||||
|
exit 0
|
||||||
|
@@ -60,6 +65,7 @@ exit 0
|
||||||
|
%attr(0600,root,root) %{_datadir}/selinux/packages/MODULENAME.pp
|
||||||
|
%{_datadir}/selinux/devel/include/contrib/MODULENAME.if
|
||||||
|
%{_mandir}/man8/DOMAINNAME_selinux.8.*
|
||||||
|
+/etc/selinux/targeted/contexts/users/DOMAINNAME_u
|
||||||
|
|
||||||
|
%changelog
|
||||||
|
* TODAYSDATE YOUR NAME <YOUR@EMAILADDRESS> 1.0-1
|
||||||
diff --git a/policycoreutils/sepolicy/sepolicy/templates/test_module.py b/policycoreutils/sepolicy/sepolicy/templates/test_module.py
|
diff --git a/policycoreutils/sepolicy/sepolicy/templates/test_module.py b/policycoreutils/sepolicy/sepolicy/templates/test_module.py
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..3a3faa6
|
index 0000000..3a3faa6
|
||||||
|
@ -251470,6 +251691,63 @@ index 0000000..3a3faa6
|
||||||
+#
|
+#
|
||||||
+
|
+
|
||||||
+"""
|
+"""
|
||||||
|
diff --git a/policycoreutils/sepolicy/sepolicy/templates/user.py b/policycoreutils/sepolicy/sepolicy/templates/user.py
|
||||||
|
index 79f3997..9c9439c 100644
|
||||||
|
--- a/policycoreutils/sepolicy/sepolicy/templates/user.py
|
||||||
|
+++ b/policycoreutils/sepolicy/sepolicy/templates/user.py
|
||||||
|
@@ -34,6 +34,20 @@ userdom_unpriv_user_template(TEMPLATETYPE)
|
||||||
|
te_admin_user_types="""\
|
||||||
|
policy_module(TEMPLATETYPE, 1.0.0)
|
||||||
|
|
||||||
|
+## <desc>
|
||||||
|
+## <p>
|
||||||
|
+## Allow TEMPLATETYPE to read files in the user home directory
|
||||||
|
+## </p>
|
||||||
|
+## </desc>
|
||||||
|
+gen_tunable(TEMPLATETYPE_read_user_files, false)
|
||||||
|
+
|
||||||
|
+## <desc>
|
||||||
|
+## <p>
|
||||||
|
+## Allow TEMPLATETYPE to manage files in the user home directory
|
||||||
|
+## </p>
|
||||||
|
+## </desc>
|
||||||
|
+gen_tunable(TEMPLATETYPE_manage_user_files, false)
|
||||||
|
+
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Declarations
|
||||||
|
@@ -76,20 +90,6 @@ policy_module(TEMPLATETYPE, 1.0.0)
|
||||||
|
# Declarations
|
||||||
|
#
|
||||||
|
|
||||||
|
-## <desc>
|
||||||
|
-## <p>
|
||||||
|
-## Allow TEMPLATETYPE to read files in the user home directory
|
||||||
|
-## </p>
|
||||||
|
-## </desc>
|
||||||
|
-gen_tunable(TEMPLATETYPE_read_user_files, false)
|
||||||
|
-
|
||||||
|
-## <desc>
|
||||||
|
-## <p>
|
||||||
|
-## Allow TEMPLATETYPE to manage files in the user home directory
|
||||||
|
-## </p>
|
||||||
|
-## </desc>
|
||||||
|
-gen_tunable(TEMPLATETYPE_manage_user_files, false)
|
||||||
|
-
|
||||||
|
userdom_base_user_template(TEMPLATETYPE)
|
||||||
|
"""
|
||||||
|
|
||||||
|
@@ -151,7 +151,9 @@ tunable_policy(`TEMPLATETYPE_read_user_files',`
|
||||||
|
')
|
||||||
|
|
||||||
|
tunable_policy(`TEMPLATETYPE_manage_user_files',`
|
||||||
|
- userdom_manage_user_home_content(TEMPLATETYPE_t)
|
||||||
|
+ userdom_manage_user_home_content_dirs(TEMPLATETYPE_t)
|
||||||
|
+ userdom_manage_user_home_content_files(TEMPLATETYPE_t)
|
||||||
|
+ userdom_manage_user_home_content_symlinks(TEMPLATETYPE_t)
|
||||||
|
userdom_manage_user_tmp_files(TEMPLATETYPE_t)
|
||||||
|
')
|
||||||
|
"""
|
||||||
diff --git a/policycoreutils/sepolicy/sepolicy/transition.py b/policycoreutils/sepolicy/sepolicy/transition.py
|
diff --git a/policycoreutils/sepolicy/sepolicy/transition.py b/policycoreutils/sepolicy/sepolicy/transition.py
|
||||||
index 5850622..5e308e3 100755
|
index 5850622..5e308e3 100755
|
||||||
--- a/policycoreutils/sepolicy/sepolicy/transition.py
|
--- a/policycoreutils/sepolicy/sepolicy/transition.py
|
||||||
|
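Review bot: In the generate.py hunk at `@@ -1198,7 +1203,13 @@`, `self.name` is interpolated unescaped into the two new `re.sub` patterns, so a policy name containing a regex metacharacter changes which spec lines get stripped, and `.*%s_u.*` also deletes any line that merely contains `<name>_u` as a substring (the literal `.` in `_selinux.8` is likewise a wildcard). Escaping the name and bounding the match, `name = re.escape(self.name)`, `newspec = re.sub(r".*%s_selinux\.8.*" % name, "", newspec)` and `newspec = re.sub(r".*\b%s_u\b.*" % name, "", newspec)`, keeps the commit's intent while matching only the lines it targets. The function this `return newspec` belongs to starts outside the hunk. Separately, the spec.py template's new `install -d %{buildroot}/etc/selinux/targeted/contexts/users/` line carries no `DOMAINNAME_u` token, so it appears to survive the non-user filter and leave an unpackaged directory in the buildroot for non-user policies; worth confirming with a non-user `sepolicy generate` run.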
|
|
@ -7,7 +7,7 @@
|
||||||
Summary: SELinux policy core utilities
|
Summary: SELinux policy core utilities
|
||||||
Name: policycoreutils
|
Name: policycoreutils
|
||||||
Version: 2.1.14
|
Version: 2.1.14
|
||||||
Release: 43%{?dist}
|
Release: 45%{?dist}
|
||||||
License: GPLv2
|
License: GPLv2
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
# Based on git repository with tag 20101221
|
# Based on git repository with tag 20101221
|
||||||
|
@ -308,13 +308,18 @@ The policycoreutils-restorecond package contains the restorecond service.
|
||||||
%postun restorecond
|
%postun restorecond
|
||||||
%systemd_postun_with_restart restorecond.service
|
%systemd_postun_with_restart restorecond.service
|
||||||
|
|
||||||
%triggerun -- restorecond < 2.0.86-13
|
|
||||||
%{_bindir}/systemd-sysv-convert --save restorecond >/dev/null 2>&1 ||:
|
|
||||||
%{_bindir}/systemctl enable restorecond.service >/dev/null 2>&1
|
|
||||||
%{_sbindir}/chkconfig --del restorecond >/dev/null 2>&1 || :
|
|
||||||
%{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue May 21 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-45
|
||||||
|
- Fix sandbox to always use sandbox_file_t, so generated policy will work.
|
||||||
|
- Update Translations
|
||||||
|
|
||||||
|
* Thu May 16 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-44
|
||||||
|
- Fix sepolicy-generate man page to clear up options/policy type
|
||||||
|
- Add Miroslav Grepl to not generate man page when doing
|
||||||
|
sepolicy generate --customize
|
||||||
|
- Add support for executing semanage user within spec file
|
||||||
|
- Fix generation of confined admin domains, to handle booleans properly.
|
||||||
|
|
||||||
* Tue May 14 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-43
|
* Tue May 14 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-43
|
||||||
- Need to handle gziped policy.xml as well as not compressed.
|
- Need to handle gziped policy.xml as well as not compressed.
|
||||||
|
|
||||||
|
|
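Review bot: The `%triggerun -- restorecond < 2.0.86-13` scriptlet removed in the `@ -308,13 +308,18 @@` hunk is not recorded in the new 2.1.14-45 changelog entry, which lists only the sandbox_file_t fix and the translation update. A line such as `- Drop the obsolete restorecond sysv-to-systemd %triggerun scriptlet` would keep the changelog accurate about what this release changes. The 2.1.14-44 entry's `- Add Miroslav Grepl to not generate man page when doing` reads as though a person is being added; `- Add patch from Miroslav Grepl to not generate a man page when doing` is presumably what was meant.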