Merge branch 'fedora-selinux:rawhide' into systemd-homed
richiedaze authored Oct 10, 2024
2 parents 929354d + d4d7a75 commit 7c92394
Showing 6 changed files with 50 additions and 44 deletions.
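--- a/dist/targeted/modules.conf
+++ b/dist/targeted/modules.conf
@@ -3063,3 +3063,10 @@ systemd-homed = module
 # Policy for iio-sensor-proxy - IIO sensors to D-Bus proxy
 #
 iiosensorproxy = module
+
+# Layer: system
+# Module: powerprofiles
+#
+# Policy for power-profiles-daemon - power profiles handling over D-Bus
+#
+powerprofiles = module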
2 changes: 1 addition & 1 deletion policy/modules/contrib/linuxptp.te
@@ -159,7 +159,7 @@ allow ptp4l_t self:packet_socket create_socket_perms;
allow ptp4l_t self:unix_stream_socket create_stream_socket_perms;
allow ptp4l_t self:shm create_shm_perms;
allow ptp4l_t self:udp_socket create_socket_perms;
allow ptp4l_t self:capability { net_admin net_raw sys_time };
allow ptp4l_t self:capability { net_admin net_raw sys_admin sys_time };
allow ptp4l_t self:capability2 { bpf wake_alarm };
allow ptp4l_t self:netlink_route_socket rw_netlink_socket_perms;

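Review bot: The `self:capability` rule for ptp4l_t is printed twice in this hunk, once with `sys_admin` and once without, and nothing next to it says which operation needs that capability. The page has lost its +/- markers, so it is only inferred from the old-then-new print order that `allow ptp4l_t self:capability { net_admin net_raw sys_admin sys_time };` is the new side. CAP_SYS_ADMIN is the broadest Linux capability, and this domain already holds packet and UDP sockets, so the rule deserves a justification such as `# sys_admin: needed for <operation from the AVC denial>` and a check whether a narrower permission would cover it. The rest of linuxptp.te lies outside the hunk.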
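--- a/policy/modules/contrib/powerprofiles.fc
+++ b/policy/modules/contrib/powerprofiles.fc
@@ -0,0 +1,3 @@
+/usr/libexec/power-profiles-daemon -- gen_context(system_u:object_r:powerprofiles_exec_t,s0)
+
+/var/lib/power-profiles-daemon(/.*)? gen_context(system_u:object_r:powerprofiles_var_lib_t,s0)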
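--- a/policy/modules/contrib/powerprofiles.if
+++ b/policy/modules/contrib/powerprofiles.if
@@ -0,0 +1 @@
+## <summary>Power profiles handling over D-Bus</summary>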
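--- a/policy/modules/contrib/powerprofiles.te
+++ b/policy/modules/contrib/powerprofiles.te
@@ -0,0 +1,37 @@
+policy_module(powerprofiles, 1.0)
+
+########################################
+#
+# Declarations
+#
+
+type powerprofiles_t;
+type powerprofiles_exec_t;
+init_daemon_domain(powerprofiles_t, powerprofiles_exec_t)
+init_nnp_daemon_domain(powerprofiles_t)
+
+type powerprofiles_var_lib_t;
+files_type(powerprofiles_var_lib_t);
+
+permissive powerprofiles_t;
+
+allow powerprofiles_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+manage_files_pattern(powerprofiles_t, powerprofiles_var_lib_t, powerprofiles_var_lib_t)
+
+kernel_read_proc_files(powerprofiles_t)
+
+dev_list_sysfs(powerprofiles_t)
+
+optional_policy(`
+dbus_connect_system_bus(powerprofiles_t)
+dbus_system_bus_client(powerprofiles_t)
+
+optional_policy(`
+policykit_dbus_chat(powerprofiles_t)
+')
+')
+
+optional_policy(`
+udev_search_pids(powerprofiles_t)
+')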
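Review bot: `permissive powerprofiles_t;` leaves the new domain unenforced, so the allow rules and interface calls after it only log denials and confine nothing, and the file has no comment saying when the statement is to be removed. I would add `# TODO: remove once AVC denials for power-profiles-daemon are collected and the rules completed` directly above it. As a point of style, `files_type(powerprofiles_var_lib_t);` ends in a semicolon while the other macro calls in the file do not. The domain gets `manage_files_pattern` on powerprofiles_var_lib_t but no directory permissions or file transition, which is presumably fine if systemd creates /var/lib/power-profiles-daemon; the page does not show that.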
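--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,21 +1,3 @@
-#
-# /bin
-#
-/bin gen_context(system_u:object_r:bin_t,s0)
-/bin/.* gen_context(system_u:object_r:bin_t,s0)
-/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/esh -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0)
-/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
-
 #
 # /dev
 #
@@ -146,31 +128,6 @@ ifdef(`distro_debian',`
 
 /etc/dhcp/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
 
-#
-# /lib
-#
-
-/lib/nut/.* -- gen_context(system_u:object_r:bin_t,s0)
-/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib64/security/pam_krb5/pam_krb5_cchelper -- gen_context(system_u:object_r:bin_t,s0)
-/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
-/lib/udev/devices/MAKEDEV -l gen_context(system_u:object_r:bin_t,s0)
-/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0)
-/lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/lib/security/pam_krb5(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
-ifdef(`distro_gentoo',`
-/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
-
-/lib/rcscripts/addons(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/lib/rcscripts/sh(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/lib/rcscripts/net\.modules\.d/helpers\.d/dhclient-.* -- gen_context(system_u:object_r:bin_t,s0)
-/lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
-')
-
-/usr/lib/erlang/erts.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
 #
 # /opt
 #
@@ -239,6 +196,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/dotnet/dotnet -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/erlang/erts.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/gnome-settings-daemon/.* -- gen_context(system_u:object_r:bin_t,s0)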
