From: Dan Walsh
Date: Tue, 12 Jul 2011 18:34:16 +0000 (-0400)
Subject: Allow logrotate_t to read symbolic links with the logrotate_var_lib_t label. One...
X-Git-Tag: 000~725
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b61dc5a071e724100a59335602ead66d0d8ca2c5;p=people%2Fstevee%2Fselinux-policy.git
Allow logrotate_t to read symbolic links with the logrotate_var_lib_t label. One of our customers set this up
---
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index ee8eaf6b..6eac7b93 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -61,6 +61,7 @@ files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
 # for /var/lib/logrotate.status and /var/lib/logcheck
 create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
 manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
+read_lnk_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
 files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
 kernel_read_system_state(logrotate_t)
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
index 5c0a7a4d..411edf39 100644
--- a/policy/modules/services/virt.if
+++ b/policy/modules/services/virt.if
@@ -15,6 +15,7 @@ template(`virt_domain_template',`
 gen_require(`
 attribute virt_image_type, virt_domain;
 attribute virt_tmpfs_type;
+ attribute virt_ptynode;
 ')
 type $1_t, virt_domain;
@@ -24,7 +25,7 @@ template(`virt_domain_template',`
 mcs_untrusted_proc($1_t)
 role system_r types $1_t;
- type $1_devpts_t;
+ type $1_devpts_t, virt_ptynode;
 term_pty($1_devpts_t)
 type $1_tmp_t;
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 4dec4ad2..26cd637f 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -6,6 +6,7 @@ policy_module(virt, 1.4.0)
 #
 attribute virsh_transition_domain;
+attribute virt_ptynode;
 ## ##
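Review bot: The rule added in the logrotate.te hunk grants logrotate_t lnk_file read on logrotate_var_lib_t (plus directory search, as the pattern is defined), so following a link still succeeds only if the link target's own type permits the access; the comment above the block, `# for /var/lib/logrotate.status and /var/lib/logcheck`, does not say that either path may be a symlink, which is the whole reason for the rule. I would extend it to `# for /var/lib/logrotate.status and /var/lib/logcheck (either may be a symlink)`. Note also that `files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)` on the next line transitions only class file, so a link created by logrotate_t itself would presumably land as var_lib_t and not be covered by the new rule; that is fine if the links are admin-created as the commit message suggests, but worth a word in the comment.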
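Review bot: `type $1_devpts_t, virt_ptynode;` in the second virt.if hunk places the pty type of every domain generated by virt_domain_template on the new attribute, and nothing in the template records what the attribute buys; the virt.te hunks grant virtd_t read/write on all virt_ptynode chr_files, so any future domain built from this template inherits that access automatically. A one-line comment above the type line would record the contract, e.g. `# virt_ptynode: virtd_t gets chr_file read/write on this domain's ptys (see virt.te)`. The template body starts before the first virt.if hunk and continues past both of them.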
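Review bot: `attribute virt_ptynode;` in the virt.te declarations hunk is added without a comment, although its members are assigned in a different file (virt.if) and its only visible consumer is one allow rule further down in virt.te, so a reader of this file alone cannot tell what the attribute groups. Suggest `# pty types of domains built by virt_domain_template(); virtd_t reads and writes them` directly above the declaration. The declarations block continues beyond the hunk.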

@@ -253,6 +254,7 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
 manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
 allow virtd_t virt_image_type:file relabel_file_perms;
 allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
+allow virtd_t virt_ptynode:chr_file { read write };
 manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
 manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
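Review bot: `allow virtd_t virt_ptynode:chr_file { read write };` is dropped into the middle of the virt_image_type relabel rules and uses a hand-written permission set instead of one of the policy's perm-set macros, so it reads as part of the image handling and the omission of getattr/ioctl (the set is narrower than rw_term_perms) looks accidental rather than chosen. I would separate it from the relabel rules with a blank line and a comment, `# guest ptys: raw read/write only, no getattr/ioctl`, so the narrow set is recorded as intent. Because the grant is attribute-wide it applies to every domain built from virt_domain_template, present and future, which the comment should also state if that is the design.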