[DSE-Dev] policy patch

Mika Pflüger debian at mikapflueger.de
Sun Oct 14 22:36:57 UTC 2012


Hi,

On Sat, 13 Oct 2012 19:06:06 +1100,
Russell Coker <russell at coker.com.au> wrote:
> 
>   * Label ~/.adobe(/.*)? as mozilla_home_t for flash
>   * Label /usr/sbin/opendkim as dkim_milter_exec_t
>   * Make postfix.pp not depend on unconfined.pp for "strict"
> configurations
>   * Label postalias as postfix_master_exec_t for newaliases

I split those into individual patches, checked upstream refpolicy and
Fedora to see how it's done over there, modified some of the patches
slightly and committed the result into git.

>   * Allow watchdog_t to read syslog pid files for process watching
>   * Allow lvm_t (systemd-cryptsetup) systemd_manage_passwd_run()
> access
>   * Allow systemd_passwd_agent_t access to search selinuxfs and write
> to the console for getting a password for encrypted filesystems
>   * Label /sbin/xtables-multi (the new iptables) as iptables_exec_t
>   * Label /run/pm-utils(/.*)? as devicekit_var_run_t not
> hald_var_run_t
>   * Allow user_t to access mozilla_tmp_t
>   * Label /usr/lib/kde4/libexec/* and /usr/lib/gvfs/* as bin_t
>   * Label port 5546 as dhcpc_port_t for the client control port and
> allow dhcpc_t to bind to it for TCP
>   * Label /usr/lib/dovecot/auth as dovecot_auth_exec_t.
>     Label /usr/lib/dovecot/dovecot-lda as lda_exec_t
>     Label /usr/lib/dovecot/(.*/)?lib.*\.so.* as lib_t
>     Closes: #690225
>   * Allow user_t etc to access mozilla_t classes
> shm and sem for sharing the sound device

I hope to get those split + checked + committed to git over the next
few days.
At the same time I will try to propose upstream what makes sense there
(mostly Debian locations, I guess).

Cheers,

Mika

-- 
Own your own computer. Don't use Windows 7. <http://windows7sins.org>