[selinux-policy: 277/3172] add can_exec
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 19:28:50 UTC 2010
commit a7197232e8d45537452257700184bf6c935e2bca
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Jun 8 13:41:05 2005 +0000
add can_exec
refpolicy/policy/modules/system/clock.if | 11 ++++-------
refpolicy/policy/support/support_macros | 1 +
2 files changed, 5 insertions(+), 7 deletions(-)
---
diff --git a/refpolicy/policy/modules/system/clock.if b/refpolicy/policy/modules/system/clock.if
index fa75c75..aab599d 100644
--- a/refpolicy/policy/modules/system/clock.if
+++ b/refpolicy/policy/modules/system/clock.if
@@ -15,10 +15,7 @@
define(`clock_transition',`
requires_block_template(`$0'_depend)
- allow $1 hwclock_exec_t:file { getattr read execute };
- allow $1 hwclock_t:process transition;
- type_transition $1 hwclock_exec_t:process hwclock_t;
- dontaudit $1 hwclock_t:process { noatsecure siginh rlimitinh };
+ domain_auto_trans($1,hwclock_exec_t,hwclock_t)
allow $1 hwclock_t:fd use;
allow hwclock_t $1:fd use;
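Review bot: The four rules removed from clock_transition, including `dontaudit $1 hwclock_t:process { noatsecure siginh rlimitinh };`, are now covered only by whatever domain_auto_trans expands to, and that macro is not defined or changed in this commit. If its expansion grants a different permission set or omits the dontaudit, the interface changes silently, so the expansion should be compared with the removed lines before merging. A comment above the call would record the intent, for example `# domain_auto_trans: execute hwclock_exec_t and transition automatically to hwclock_t`. The body of clock_transition and its _depend block continue outside the hunk, so whether the depend block still declares everything the macro uses cannot be confirmed from here.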
@@ -81,7 +78,7 @@ define(`clock_transition_add_role_use_terminal_depend',`
define(`clock_execute',`
requires_block_template(`$0'_depend)
- allow $1 hwclock_exec_t:file { getattr read execute execute_no_trans };
+ can_exec($1,hwclock_exec_t)
')
define(`clock_execute_depend',`
@@ -104,14 +101,14 @@ define(`clock_execute_depend',`
define(`clock_modify_drift_records',`
requires_block_template(`$0'_depend)
- allow $1 adjtime_t:file { getattr read write ioctl lock append };
+ allow $1 adjtime_t:file rw_file_perms;
files_read_general_system_config_directory($1)
')
define(`clock_modify_drift_records_depend',`
type adjtime_t;
- class file { getattr read write ioctl lock append };
+ class file rw_file_perms;
')
## </module>
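Review bot: rw_file_perms replaces the explicit set `{ getattr read write ioctl lock append }` in both the allow rule and the `class file` line of clock_modify_drift_records_depend, but its definition is not part of this commit. If it expands to anything broader than the removed set, access to adjtime_t widens without that being visible in the interface file. The expansion should be checked against the old list. Because the depend block now uses the same macro, the rule and its requirement will always agree with each other, so a mismatch with the intended set would not surface as a build error.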
diff --git a/refpolicy/policy/support/support_macros b/refpolicy/policy/support/support_macros
index 48b5ba0..1f2ea80 100644
--- a/refpolicy/policy/support/support_macros
+++ b/refpolicy/policy/support/support_macros
@@ -25,3 +25,4 @@ define(`context_template',`ifdef(`enable_mls',`$1:$2',`$1')') dnl
#
define(`user_mls',`ifdef(`enable_mls',`level $1 range $2')') dnl
+define(`can_exec',`allow $1 $2:file { getattr read execute execute_no_trans };')
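Review bot: The added can_exec definition has no trailing `dnl` and no comment, while the two defines above it in this hunk both end in `dnl`. Ending the line with `dnl` keeps the stray newline out of the expanded policy and matches the file. The macro grants execute_no_trans, so the program runs in the caller's own domain with the caller's permissions rather than transitioning. That is worth stating where the macro is defined, for example `# can_exec(domain,executable_type): run the executable in the calling domain, no transition`. The clock_execute hunk in clock.if is the first caller.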