[selinux-policy: 277/3172] add can_exec

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:28:50 UTC 2010 

commit a7197232e8d45537452257700184bf6c935e2bca
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Jun 8 13:41:05 2005 +0000

    add can_exec

 refpolicy/policy/modules/system/clock.if |   11 ++++-------
 refpolicy/policy/support/support_macros  |    1 +
 2 files changed, 5 insertions(+), 7 deletions(-)
---
diff --git a/refpolicy/policy/modules/system/clock.if b/refpolicy/policy/modules/system/clock.if
index fa75c75..aab599d 100644
--- a/refpolicy/policy/modules/system/clock.if
+++ b/refpolicy/policy/modules/system/clock.if
@@ -15,10 +15,7 @@
 define(`clock_transition',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 hwclock_exec_t:file { getattr read execute };
-	allow $1 hwclock_t:process transition;
-	type_transition $1 hwclock_exec_t:process hwclock_t;
-	dontaudit $1 hwclock_t:process { noatsecure siginh rlimitinh };
+	domain_auto_trans($1,hwclock_exec_t,hwclock_t)
 
 	allow $1 hwclock_t:fd use;
 	allow hwclock_t $1:fd use;
@@ -81,7 +78,7 @@ define(`clock_transition_add_role_use_terminal_depend',`
 define(`clock_execute',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 hwclock_exec_t:file { getattr read execute execute_no_trans };
+	can_exec($1,hwclock_exec_t)
 ')
 
 define(`clock_execute_depend',`
@@ -104,14 +101,14 @@ define(`clock_execute_depend',`
 define(`clock_modify_drift_records',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 adjtime_t:file { getattr read write ioctl lock append };
+	allow $1 adjtime_t:file rw_file_perms;
 	files_read_general_system_config_directory($1)
 ')
 
 define(`clock_modify_drift_records_depend',`
 	type adjtime_t;
 
-	class file { getattr read write ioctl lock append };
+	class file rw_file_perms;
 ')
 
 ## </module>
diff --git a/refpolicy/policy/support/support_macros b/refpolicy/policy/support/support_macros
index 48b5ba0..1f2ea80 100644
--- a/refpolicy/policy/support/support_macros
+++ b/refpolicy/policy/support/support_macros
@@ -25,3 +25,4 @@ define(`context_template',`ifdef(`enable_mls',`$1:$2',`$1')') dnl
 #
 define(`user_mls',`ifdef(`enable_mls',`level $1 range $2')') dnl
 
+define(`can_exec',`allow $1 $2:file { getattr read execute execute_no_trans };')

More information about the scm-commits mailing list