On 1/2/19 3:40 AM, Russell Coker wrote:
Lots of little things that are self-explanatory.
Boinc has some unusual stuff for lsb_release -a and for mmaping ld.so.cache.
Remove obsolete policy from syncthing as we have it in
sysnet_dns_name_resolve().
[...]
Index: refpolicy-2.20180701/policy/modules/services/boinc.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/boinc.te
+++ refpolicy-2.20180701/policy/modules/services/boinc.te
[...]
@@ -169,7 +173,7 @@ optional_policy(`
#
allow boinc_project_t self:capability { setgid setuid };
-allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal_perms };
+allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal signal_perms };
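Review bot: adding `signal` to the `self:process` rule in this hunk is redundant, because refpolicy's `signal_perms` macro (support/obj_perm_sets.spt) already expands to `{ sigchld sigkill sigstop signull signal }`; the original rule already granted it, so this line can be left as it was.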
This change shouldn't be necessary since signal is already in signal_perms.
[...]
--- refpolicy-2.20180701.orig/policy/modules/system/authlogin.if
+++ refpolicy-2.20180701/policy/modules/system/authlogin.if
@@ -823,6 +823,25 @@ interface(`auth_append_lastlog',`
#######################################
## <summary>
+## relabel the last logins log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_relabel_lastlog',`
+ gen_require(`
+ type lastlog_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 lastlog_t:file { relabelfrom relabelto };
+')
+
+#######################################
+## <summary>
## Read and write to the last logins log.
## </summary>
## <param name="domain">
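Review bot: the allow rule in the new `auth_relabel_lastlog` interface grants only `{ relabelfrom relabelto }`, whereas the conventional refpolicy form is `allow $1 lastlog_t:file relabel_file_perms;`, which also includes `getattr` (relabeling tools read the current context before changing it, so a domain with only the two relabel permissions will usually still be denied). Two style points in the same hunk: the summary text `relabel the last logins log.` should be capitalized to match the neighbouring summaries (`Read and write to the last logins log.`), and since relabeling is not a read/write operation it is worth a one-line note in the summary that callers normally also need a read or manage interface.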
@@ -841,6 +860,25 @@ interface(`auth_rw_lastlog',`
')
########################################
+## <summary>
+## Manage the last logins log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_manage_lastlog',`
+ gen_require(`
+ type lastlog_t;
+ ')
+
+ allow $1 lastlog_t:file { relabelfrom relabelto manage_file_perms };
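Review bot: the allow rule in `auth_manage_lastlog` bundles `relabelfrom relabelto` with `manage_file_perms`, so every domain that only needs to create, write or delete the log is also granted the right to change its security context. Since this same patch adds `auth_relabel_lastlog` in the earlier authlogin.if hunk, drop the relabel permissions here (`allow $1 lastlog_t:file manage_file_perms;`) and have the few domains that need both call both interfaces; that keeps the manage interface consistent with the other `auth_*_lastlog` interfaces and with how refpolicy separates manage and relabel access elsewhere.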
The relabel perms shouldn't be in here. I'd say split it into a new
interface, but you're adding the other interface earlier in the patch.
--
Chris PeBenito