[selinux-policy: 316/3172] reorder

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:32:15 UTC 2010


commit a154cd45f356c186c1a686016e977cf758364e15
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Jun 9 21:07:58 2005 +0000

    reorder

 refpolicy/policy/modules/kernel/kernel.te |   47 ++++++++++++----------------
 refpolicy/policy/modules/system/domain.te |    5 +++
 2 files changed, 25 insertions(+), 27 deletions(-)
---
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 1ec4713..1aaf7d7 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -193,8 +193,25 @@ allow kernel_t security_t:file rw_file_perms;
 allow kernel_t security_t:security load_policy;
 auditallow kernel_t security_t:security load_policy;
 
+# Kernel-generated traffic e.g., ICMP replies:
+corenet_raw_sendrecv_all_if(kernel_t)
+corenet_raw_sendrecv_all_nodes(kernel_t)
+# Kernel-generated traffic e.g., TCP resets:
+corenet_raw_sendrecv_all_ifaces(kernel_t)
+corenet_raw_sendrecv_all_nodes(kernel_t)
+
+terminal_use_console(kernel_t)
+
+# Mount root file system.  Used when loading a policy
+# from initrd, then mounting the root filesystem
+fs_mount_all_fs(kernel_t)
+
 corecommands_execute_shell(kernel_t)
 corecommands_read_system_programs_directory(kernel_t)
+# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
+corecommands_execute_general_programs(kernel_t)
+
+domain_signal_all_domains(kernel_t)
 
 files_read_root_dir(kernel_t)
 files_list_home_directories(kernel_t)
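Review bot: The block commented `# Kernel-generated traffic e.g., TCP resets:` grants raw access a second time instead of TCP. It calls `corenet_raw_sendrecv_all_ifaces(kernel_t)` and a duplicate `corenet_raw_sendrecv_all_nodes(kernel_t)`, whereas the lines removed in the second kernel.te hunk were the `corenetwork_sendrecv_tcp_on_all_*` interfaces. As written, kernel_t appears to lose its TCP send/receive rules in a commit titled "reorder". The two raw interface names also disagree (`_all_if` vs `_all_ifaces`), so one of them is probably undefined. The TCP block should presumably call the TCP counterparts, e.g. `corenet_tcp_sendrecv_all_if(kernel_t)` and `corenet_tcp_sendrecv_all_nodes(kernel_t)`; confirm the exact names against the corenetwork interface file.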
@@ -205,39 +222,15 @@ init_sigchld(kernel_t)
 libraries_use_dynamic_loader(kernel_t)
 libraries_use_shared_libraries(kernel_t)
 
-selinux_read_config(kernel_t)
-selinux_read_binary_policy(kernel_t)
-
-terminal_use_console(kernel_t)
-domain_signal_all_domains(kernel_t)
-
-# Mount root file system.  Used when loading a policy
-# from initrd, then mounting the root filesystem
-fs_mount_all_fs(kernel_t)
-
-# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
-corecommands_execute_general_programs(kernel_t)
-
 logging_send_system_log_message(kernel_t)
 
-# Kernel-generated traffic, e.g. ICMP replies.
-corenetwork_sendrecv_raw_on_all_interfaces(kernel_t)
-corenetwork_sendrecv_raw_on_all_nodes(kernel_t)
-
-# Kernel-generated traffic, e.g. TCP resets.
-corenetwork_sendrecv_tcp_on_all_interfaces(kernel_t)
-corenetwork_sendrecv_tcp_on_all_nodes(kernel_t)
+selinux_read_config(kernel_t)
+selinux_read_binary_policy(kernel_t)
 
 neverallow ~can_load_policy security_t:security load_policy;
 neverallow ~can_setenforce security_t:security setenforce;
 neverallow ~can_setsecparam security_t:security setsecparam;
-
-# enabling dyntransition breaks process tranquility.  If you dont
-# know what this means or dont understand the implications of a
-# dynamic transition, you shouldnt be using it!!!
-neverallow * *:process { setcurrent dyntransition };
-
-neverallow ~can_load_kernmodule *:capability sys_module;
+neverallow ~can_load_kernmodule self:capability sys_module;
 
 ########################################
 #
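Review bot: The last assertion in this hunk changes its target from `*` to `self` (`neverallow ~can_load_kernmodule self:capability sys_module;`) with no comment, in a commit described only as "reorder". Capability permissions are checked against the process's own domain, so `self` should still cover every rule that can take effect. A reader comparing the two versions will still see a narrowed assertion on a security-critical permission. I would add a line above it such as `# capability checks always target the domain itself, so self covers every effective sys_module grant`. The commit description should also mention that this assertion was edited rather than moved.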
diff --git a/refpolicy/policy/modules/system/domain.te b/refpolicy/policy/modules/system/domain.te
index 5865978..bc5e387 100644
--- a/refpolicy/policy/modules/system/domain.te
+++ b/refpolicy/policy/modules/system/domain.te
@@ -11,3 +11,8 @@ attribute entry_type;
 attribute privfd;
 
 neverallow domain ~domain:process { transition dyntransition };
+
+# enabling setcurrent breaks process tranquility.  If you do not
+# know what this means or do not understand the implications of a
+# dynamic transition, you should not be using it!!!
+neverallow * *:process setcurrent;
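Review bot: The assertion added here covers only `setcurrent`, while the rule it replaces in kernel.te was `neverallow * *:process { setcurrent dyntransition };`. After this commit nothing asserts at build time that `dyntransition` between domain types is never granted, because the existing rule above only forbids it towards `~domain`. A process still needs `setcurrent` before it can change its own context, so the practical restriction probably holds, but the second layer is gone. The comment also still warns about dynamic transitions without saying why that permission was dropped. If the relaxation is not intended, keep both permissions with `neverallow * *:process { setcurrent dyntransition };`. Otherwise extend the comment, e.g. `# dyntransition is not asserted here: it cannot be exercised without setcurrent`.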

