[selinux-policy: 128/3172] allow all domains to use /dev/{zero, null, tty}
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 19:16:08 UTC 2010
commit a9a20ddaae010961a39b66a5cc5cb2336142d55c
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Mon May 9 19:55:01 2005 +0000
allow all domains to use /dev/{zero,null,tty}
refpolicy/policy/modules/admin/netutils.te | 2 -
refpolicy/policy/modules/admin/usermanage.te | 5 --
refpolicy/policy/modules/kernel/bootloader.te | 1 -
refpolicy/policy/modules/kernel/devices.if | 62 +++++++++++++++++++++--
refpolicy/policy/modules/system/authlogin.if | 52 +++++++++++++++-----
refpolicy/policy/modules/system/authlogin.te | 4 --
refpolicy/policy/modules/system/clock.te | 2 -
refpolicy/policy/modules/system/domain.if | 11 ++++
refpolicy/policy/modules/system/hostname.te | 3 -
refpolicy/policy/modules/system/hotplug.te | 3 -
refpolicy/policy/modules/system/iptables.te | 3 -
refpolicy/policy/modules/system/logging.te | 3 -
refpolicy/policy/modules/system/modutils.te | 4 --
refpolicy/policy/modules/system/selinux.te | 6 +--
refpolicy/policy/modules/system/selinuxutil.te | 6 +--
refpolicy/policy/modules/system/sysnetwork.te | 3 -
16 files changed, 108 insertions(+), 62 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index fcfef78..cdff63f 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -118,8 +118,6 @@ corenetwork_bind_tcp_on_all_nodes(ping_t)
filesystem_ignore_get_persistent_filesystem_attributes(ping_t)
-terminal_ignore_use_controlling_terminal(ping_t)
-
domain_use_widely_inheritable_file_descriptors(ping_t)
files_read_general_system_config(ping_t)
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 9bb704b..95206f3 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -87,7 +87,6 @@ kernel_compute_reachable_user_contexts(chfn_t)
terminal_use_all_users_physical_terminals(chfn_t)
terminal_use_all_users_pseudoterminals(chfn_t)
-terminal_use_controlling_terminal(chfn_t)
filesystem_get_persistent_filesystem_attributes(chfn_t)
@@ -167,8 +166,6 @@ devices_get_pseudorandom_data(crack_t)
filesystem_get_persistent_filesystem_attributes(crack_t)
-terminal_use_controlling_terminal(crack_t)
-
files_read_general_system_config(crack_t)
files_read_runtime_system_config(crack_t)
# for dictionaries
@@ -310,7 +307,6 @@ filesystem_get_persistent_filesystem_attributes(passwd_t)
terminal_use_all_users_physical_terminals(passwd_t)
terminal_use_all_users_pseudoterminals(passwd_t)
-terminal_use_controlling_terminal(passwd_t)
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
@@ -411,7 +407,6 @@ filesystem_get_persistent_filesystem_attributes(sysadm_passwd_t)
terminal_use_all_users_physical_terminals(sysadm_passwd_t)
terminal_use_all_users_pseudoterminals(sysadm_passwd_t)
-terminal_use_controlling_terminal(sysadm_passwd_t)
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index 35ece3c..aa2b20e 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -104,7 +104,6 @@ logging_send_system_log_message(bootloader_t)
filesystem_get_persistent_filesystem_attributes(bootloader_t)
-terminal_use_controlling_terminal(bootloader_t)
terminal_get_all_users_physical_terminal_attributes(bootloader_t)
allow bootloader_t bootloader_etc_t:file { getattr read };
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 5a7713c..1c4f3e7 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -297,15 +297,31 @@ class chr_file { getattr write ioctl };
########################################
#
-# devices_discard_data_stream(domain)
+# devices_read_dev_null(domain)
#
-define(`devices_discard_data_stream',`
+define(`devices_read_dev_null',`
+requires_block_template(`$0'_depend)
+allow $1 device_t:dir { getattr read search };
+allow $1 null_device_t:chr_file { getattr read };
+')
+
+define(`devices_read_dev_null_depend',`
+type device_t, null_device_t;
+class device_t:dir { getattr read search };
+class chr_file { getattr read };
+')
+
+########################################
+#
+# devices_write_dev_null(domain)
+#
+define(`devices_write_dev_null',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir { getattr read search };
allow $1 null_device_t:chr_file { getattr append write };
')
-define(`devices_discard_data_stream_depend',`
+define(`devices_write_dev_null_depend',`
type device_t, null_device_t;
class device_t:dir { getattr read search };
class chr_file { getattr append write };
@@ -313,15 +329,24 @@ class chr_file { getattr append write };
########################################
#
-# devices_get_zeros(domain)
+# devices_use_dev_null(domain)
+#
+define(`devices_use_dev_null',`
+devices_read_dev_null($1)
+devices_write_dev_null($1)
+')
+
+########################################
+#
+# devices_read_dev_zero(domain)
#
-define(`devices_get_zeros',`
+define(`devices_read_dev_zero',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir { getattr read search };
allow $1 zero_device_t:chr_file { getattr read };
')
-define(`devices_get_zeros_depend',`
+define(`devices_read_dev_zero_depend',`
type device_t, zero_device_t;
class device_t:dir { getattr read search };
class chr_file { getattr read };
@@ -329,6 +354,31 @@ class chr_file { getattr read };
########################################
#
+# devices_write_dev_zero(domain)
+#
+define(`devices_write_dev_zero',`
+requires_block_template(`$0'_depend)
+allow $1 device_t:dir { getattr read search };
+allow $1 zero_device_t:chr_file { getattr append write };
+')
+
+define(`devices_write_dev_zero_depend',`
+type device_t, zero_device_t;
+class device_t:dir { getattr read search };
+class chr_file { getattr append write };
+')
+
+########################################
+#
+# devices_use_dev_zero(domain)
+#
+define(`devices_use_dev_zero',`
+devices_read_dev_zero($1)
+devices_write_dev_zero($1)
+')
+
+########################################
+#
# devices_read_realtime_clock(domain)
#
define(`devices_read_realtime_clock',`
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index f92ae16..d6222a6 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -15,8 +15,8 @@ domain_make_entrypoint_file($1_chkpwd_t,chkpwd_exec_t)
role $1_r types $1_chkpwd_t;
role $1_r types system_chkpwd_t;
-# Use capabilities.
allow $1_chkpwd_t self:capability setuid;
+allow $1_chkpwd_t self:process getattr;
authlogin_read_shadow_passwords($1_chkpwd_t)
logging_send_system_log_message($1_chkpwd_t)
@@ -30,11 +30,23 @@ filesystem_ignore_get_persistent_filesystem_attributes($1_chkpwd_t)
# is_selinux_enabled
kernel_read_system_state($1_chkpwd_t)
-#can_getcon($1_chkpwd_t)
#can_ypbind($1_chkpwd_t)
#can_kerberos($1_chkpwd_t)
#can_ldap($1_chkpwd_t)
-#can_resolve($1_chkpwd_t)
+
+tunable_policy(`use_dns',`
+allow $1_chkpwd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+corenetwork_network_udp_on_all_interfaces($1_chkpwd_t)
+corenetwork_network_raw_on_all_interfaces($1_chkpwd_t)
+corenetwork_network_udp_on_all_nodes($1_chkpwd_t)
+corenetwork_network_raw_on_all_nodes($1_chkpwd_t)
+corenetwork_bind_udp_on_all_nodes($1_chkpwd_t)
+corenetwork_network_udp_on_dns_port($1_chkpwd_t)
+sysnetwork_read_network_config($1_chkpwd_t)
+') dnl end use_dns
+
+# for nscd
+files_ignore_search_system_state_data_directory($1_chkpwd_t)
# Transition from the user domain to this domain.
ifelse($1, system, `
@@ -44,6 +56,7 @@ terminal_use_general_physical_terminal($1_chkpwd_t)
# Transition from the user domain to this domain.
allow $1_t chkpwd_exec_t:file { getattr read execute };
allow $1_t $1_chkpwd_t:process transition;
+type_transition $1_t chkpwd_exec_t:process $1_chkpwd_t;
#allow $1_t sbin_t:dir search;
@@ -59,16 +72,15 @@ domain_use_widely_inheritable_file_descriptors($1_chkpwd_t)
optional_policy(`selinux.te',`
selinux_newrole_use_file_descriptors($1_chkpwd_t)
')
+
') dnl ifelse system
-# for nscd
-dontaudit $1_chkpwd_t var_t:dir search;
-')
+') dnl end authlogin_per_userdomain_template
define(`authlogin_per_userdomain_template_depend',`
type chkpwd_exec_t, system_chkpwd_t;
class file { getattr read execute };
-class process transition;
+class process { getattr transition };
class capability setuid;
class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
class unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
@@ -96,18 +108,32 @@ define(`authlogin_check_password_transition',`
requires_block_template(`$0'_depend)
allow $1 chkpwd_exec_t:file { getattr read execute };
allow $1 system_chkpwd_t:process transition;
+type_transition $1 chkpwd_exec_t:process system_chkpwd_t;
+
dontaudit $1 shadow_t:file { getattr read };
-#allow auth_chkpwd sbin_t:dir search;
-#can_ypbind(auth_chkpwd)
-#can_kerberos(auth_chkpwd)
-#can_ldap(auth_chkpwd)
-#can_resolve(auth_chkpwd)
-')
+#allow $1_t sbin_t:dir search;
+#can_ypbind($1_t)
+#can_kerberos($1_t)
+#can_ldap($1_t)
+
+tunable_policy(`use_dns',`
+allow $1 self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+corenetwork_network_udp_on_all_interfaces($1)
+corenetwork_network_raw_on_all_interfaces($1)
+corenetwork_network_udp_on_all_nodes($1)
+corenetwork_network_raw_on_all_nodes($1)
+corenetwork_bind_udp_on_all_nodes($1)
+corenetwork_network_udp_on_dns_port($1)
+sysnetwork_read_network_config($1)
+') dnl end use_dns
+
+') dnl end check_password_transition
define(`authlogin_check_password_transition_depend',`
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
class file { getattr read execute };
class process transition;
+class udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
')
#######################################
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 2ed9474..3929d8f 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -87,7 +87,6 @@ files_create_private_tmp_data(pam_t, pam_tmp_t, { file dir })
kernel_read_system_state(pam_t)
-terminal_use_controlling_terminal(pam_t)
terminal_use_all_users_physical_terminals(pam_t)
terminal_use_all_users_pseudoterminals(pam_t)
@@ -137,8 +136,6 @@ kernel_read_system_state(pam_console_t)
kernel_read_hardware_state(pam_console_t)
kernel_use_file_descriptors(pam_console_t)
-devices_discard_data_stream(pam_console_t)
-
# Allow to set attributes on /dev entries
storage_get_fixed_disk_attributes(pam_console_t)
storage_set_fixed_disk_attributes(pam_console_t)
@@ -192,7 +189,6 @@ allow pam_console_t rhgb_t:process sigchld;
allow pam_console_t rhgb_t:fd use;
allow pam_console_t rhgb_t:fifo_file { read write };
')
-allow pam_console_t null_device_t:chr_file r_file_perms;
dontaudit pam_console_t unpriv_userdomain:fd use;
allow pam_console_t autofs_t:dir { search getattr };
diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te
index 00ee7cb..cf39327 100644
--- a/refpolicy/policy/modules/system/clock.te
+++ b/refpolicy/policy/modules/system/clock.te
@@ -33,7 +33,6 @@ allow hwclock_t adjtime_t:file { setattr ioctl read getattr lock write append };
kernel_read_kernel_sysctl(hwclock_t)
kernel_read_hardware_state(hwclock_t)
-devices_discard_data_stream(hwclock_t)
devices_modify_realtime_clock(hwclock_t)
filesystem_get_persistent_filesystem_attributes(hwclock_t)
@@ -80,7 +79,6 @@ allow hwclock_t rhgb_t:fd use;
allow hwclock_t rhgb_t:fifo_file { read write };
')
-allow hwclock_t null_device_t:chr_file { read getattr lock ioctl };
dontaudit hwclock_t unpriv_userdomain:fd use;
allow hwclock_t autofs_t:dir { search getattr };
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index f1ac710..d7a8821 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -30,8 +30,19 @@ class lnk_file { getattr read };
# domain_make_domain(domain)
#
define(`domain_make_domain',`
+
+# start with basic domain
domain_make_base_domain($1)
+
+# Use trusted objects in /dev
+devices_use_dev_null($1)
+devices_use_dev_zero($1)
+terminal_use_controlling_terminal($1)
+
+# read the root directory
files_read_root_dir($1)
+
+# send init a sigchld
init_sigchld($1)
')
diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te
index a529979..e51e5a3 100644
--- a/refpolicy/policy/modules/system/hostname.te
+++ b/refpolicy/policy/modules/system/hostname.te
@@ -30,8 +30,6 @@ kernel_read_kernel_sysctl(hostname_t)
kernel_read_hardware_state(hostname_t)
kernel_ignore_use_file_descriptors(hostname_t)
-devices_discard_data_stream(hostname_t)
-
files_read_general_system_config(hostname_t)
files_ignore_search_system_state_data_directory(hostname_t)
filesystem_get_persistent_filesystem_attributes(hostname_t)
@@ -79,7 +77,6 @@ allow hostname_t rhgb_t:fd use;
allow hostname_t rhgb_t:fifo_file { read write };
')
-allow hostname_t null_device_t:chr_file { read getattr lock ioctl };
dontaudit hostname_t unpriv_userdomain:fd use;
allow hostname_t autofs_t:dir { search getattr };
##end daemon_base_domain
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 988aa86..fd60c4f 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -50,7 +50,6 @@ kernel_transition_from(hotplug_t,hotplug_exec_t)
bootloader_read_kernel_modules(hotplug_t)
-devices_discard_data_stream(hotplug_t)
# for SSP
devices_get_pseudorandom_data(hotplug_t)
@@ -59,7 +58,6 @@ filesystem_get_all_filesystems_attributes(hotplug_t)
storage_set_fixed_disk_attributes(hotplug_t)
storage_set_removable_device_attributes(hotplug_t)
-terminal_use_controlling_terminal(hotplug_t)
terminal_ignore_use_console(hotplug_t)
init_use_file_descriptors(hotplug_t)
@@ -120,7 +118,6 @@ updfstab_transition(hotplug_t)
')
ifdef(`TODO',`
-allow hotplug_t null_device_t:chr_file r_file_perms;
dontaudit hotplug_t unpriv_userdomain:fd use;
allow hotplug_t autofs_t:dir { search getattr };
dontaudit hotplug_t sysadm_home_dir_t:dir search;
diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te
index e9e4b2c..a805952 100644
--- a/refpolicy/policy/modules/system/iptables.te
+++ b/refpolicy/policy/modules/system/iptables.te
@@ -47,8 +47,6 @@ kernel_use_file_descriptors(iptables_t)
filesystem_get_persistent_filesystem_attributes(iptables_t)
-devices_discard_data_stream(iptables_t)
-
terminal_ignore_use_console(iptables_t)
init_use_file_descriptors(iptables_t)
@@ -94,7 +92,6 @@ allow iptables_t rhgb_t:process sigchld;
allow iptables_t rhgb_t:fd use;
allow iptables_t rhgb_t:fifo_file { read write };
')
-allow iptables_t null_device_t:chr_file r_file_perms;
dontaudit iptables_t unpriv_userdomain:fd use;
allow iptables_t autofs_t:dir { search getattr };
tunable_policy(`direct_sysadm_daemon', `
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 9dade39..0e24740 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -102,9 +102,7 @@ kernel_read_hardware_state(syslogd_t)
kernel_read_kernel_sysctl(syslogd_t)
devices_create_dev_entry(syslogd_t,devlog_t,sock_file)
-devices_discard_data_stream(syslogd_t)
-terminal_use_controlling_terminal(syslogd_t)
terminal_ignore_use_console(syslogd_t)
corenetwork_network_raw_on_all_interfaces(syslogd_t)
@@ -169,7 +167,6 @@ ifdef(`TODO',`
allow syslogd_t proc_t:dir r_dir_perms;
allow syslogd_t proc_t:lnk_file read;
-allow syslogd_t null_device_t:chr_file r_file_perms;
dontaudit syslogd_t unpriv_userdomain:fd use;
allow syslogd_t autofs_t:dir { search getattr };
dontaudit syslogd_t sysadm_home_dir_t:dir search;
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index 9b36365..4e2571d 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -55,12 +55,9 @@ kernel_read_hotplug_sysctl(insmod_t)
bootloader_read_kernel_modules(insmod_t)
-terminal_use_controlling_terminal(insmod_t)
-
devices_write_mtrr(insmod_t)
devices_get_pseudorandom_data(insmod_t)
devices_direct_agp_access(insmod_t)
-devices_get_zeros(insmod_t)
filesystem_get_persistent_filesystem_attributes(insmod_t)
@@ -204,7 +201,6 @@ devices_get_pseudorandom_data(update_modules_t)
filesystem_get_persistent_filesystem_attributes(update_modules_t)
terminal_use_console(update_modules_t)
-terminal_use_controlling_terminal(update_modules_t)
init_use_file_descriptors(depmod_t)
init_script_use_file_descriptors(depmod_t)
diff --git a/refpolicy/policy/modules/system/selinux.te b/refpolicy/policy/modules/system/selinux.te
index 6a0a865..7f03aab 100644
--- a/refpolicy/policy/modules/system/selinux.te
+++ b/refpolicy/policy/modules/system/selinux.te
@@ -108,7 +108,6 @@ allow checkpolicy_t selinux_config_t:dir search;
filesystem_get_persistent_filesystem_attributes(checkpolicy_t)
terminal_use_console(checkpolicy_t)
-terminal_use_controlling_terminal(checkpolicy_t)
init_use_file_descriptors(checkpolicy_t)
init_script_use_pseudoterminal(checkpolicy_t)
@@ -161,7 +160,6 @@ kernel_set_selinux_boolean(load_policy_t)
filesystem_get_persistent_filesystem_attributes(load_policy_t)
terminal_use_console(load_policy_t)
-terminal_use_controlling_terminal(load_policy_t)
terminal_list_pseudoterminals(load_policy_t)
init_script_use_file_descriptors(load_policy_t)
@@ -223,7 +221,6 @@ filesystem_get_persistent_filesystem_attributes(newrole_t)
terminal_use_all_users_physical_terminals(newrole_t)
terminal_use_all_users_pseudoterminals(newrole_t)
-terminal_use_controlling_terminal(newrole_t)
# Write to utmp.
init_script_modify_runtime_data(newrole_t)
@@ -253,7 +250,7 @@ allow newrole_t autofs_t:dir { search getattr };
# for when the user types "exec newrole" at the command line
allow newrole_t privfd:process sigchld;
-
+
# Execute /sbin/pwdb_chkpwd to check the password.
allow newrole_t sbin_t:dir r_dir_perms;
@@ -377,7 +374,6 @@ kernel_compute_reachable_user_contexts(setfiles_t)
filesystem_get_persistent_filesystem_attributes(setfiles_t)
-terminal_use_controlling_terminal(setfiles_t)
terminal_use_all_users_physical_terminals(setfiles_t)
terminal_use_all_users_pseudoterminals(setfiles_t)
terminal_use_general_physical_terminal(setfiles_t)
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 6a0a865..7f03aab 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -108,7 +108,6 @@ allow checkpolicy_t selinux_config_t:dir search;
filesystem_get_persistent_filesystem_attributes(checkpolicy_t)
terminal_use_console(checkpolicy_t)
-terminal_use_controlling_terminal(checkpolicy_t)
init_use_file_descriptors(checkpolicy_t)
init_script_use_pseudoterminal(checkpolicy_t)
@@ -161,7 +160,6 @@ kernel_set_selinux_boolean(load_policy_t)
filesystem_get_persistent_filesystem_attributes(load_policy_t)
terminal_use_console(load_policy_t)
-terminal_use_controlling_terminal(load_policy_t)
terminal_list_pseudoterminals(load_policy_t)
init_script_use_file_descriptors(load_policy_t)
@@ -223,7 +221,6 @@ filesystem_get_persistent_filesystem_attributes(newrole_t)
terminal_use_all_users_physical_terminals(newrole_t)
terminal_use_all_users_pseudoterminals(newrole_t)
-terminal_use_controlling_terminal(newrole_t)
# Write to utmp.
init_script_modify_runtime_data(newrole_t)
@@ -253,7 +250,7 @@ allow newrole_t autofs_t:dir { search getattr };
# for when the user types "exec newrole" at the command line
allow newrole_t privfd:process sigchld;
-
+
# Execute /sbin/pwdb_chkpwd to check the password.
allow newrole_t sbin_t:dir r_dir_perms;
@@ -377,7 +374,6 @@ kernel_compute_reachable_user_contexts(setfiles_t)
filesystem_get_persistent_filesystem_attributes(setfiles_t)
-terminal_use_controlling_terminal(setfiles_t)
terminal_use_all_users_physical_terminals(setfiles_t)
terminal_use_all_users_pseudoterminals(setfiles_t)
terminal_use_general_physical_terminal(setfiles_t)
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 26e7817..97c9722 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -84,13 +84,11 @@ corenetwork_bind_tcp_on_all_nodes(dhcpc_t)
corenetwork_bind_udp_on_all_nodes(dhcpc_t)
corenetwork_bind_udp_on_dhcpc_port(dhcpc_t)
-devices_discard_data_stream(dhcpc_t)
# for SSP
devices_get_pseudorandom_data(dhcpc_t)
filesystem_get_all_filesystems_attributes(dhcpc_t)
-terminal_use_controlling_terminal(dhcpc_t)
terminal_ignore_use_console(dhcpc_t)
terminal_ignore_use_all_users_physical_terminals(dhcpc_t)
terminal_ignore_use_all_users_pseudoterminals(dhcpc_t)
@@ -156,7 +154,6 @@ ntpd_transition(dhcpc_t)
')
ifdef(`TODO',`
-allow dhcpc_t null_device_t:chr_file r_file_perms;
allow dhcpc_t autofs_t:dir { search getattr };
dontaudit dhcpc_t sysadm_home_dir_t:dir search;
More information about the scm-commits
mailing list