[selinux-policy: 340/3172] a few missed renames, and start fixing up tunables

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:34:17 UTC 2010


commit 31908be07fdc0469ec0b9bf1ff8cf68f99c440a8
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Jun 13 20:27:32 2005 +0000

    a few missed renames, and start fixing up tunables

 refpolicy/policy/global_tunables              |   10 ++++++++--
 refpolicy/policy/modules/admin/dmesg.te       |    2 +-
 refpolicy/policy/modules/services/cron.te     |   11 ++++-------
 refpolicy/policy/modules/services/sendmail.te |    2 +-
 refpolicy/policy/modules/system/authlogin.te  |    5 ++---
 refpolicy/policy/modules/system/clock.te      |    2 +-
 refpolicy/policy/modules/system/hostname.te   |    6 +++---
 refpolicy/policy/modules/system/hotplug.te    |    2 +-
 refpolicy/policy/modules/system/iptables.te   |    2 +-
 refpolicy/policy/modules/system/logging.te    |    4 ++--
 refpolicy/policy/modules/system/lvm.te        |    2 +-
 refpolicy/policy/modules/system/sysnetwork.te |    8 ++++----
 refpolicy/policy/support/loadable_module.spt  |    6 +++---
 13 files changed, 32 insertions(+), 30 deletions(-)
---
diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index 69b4342..23b4e59 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -2,9 +2,15 @@
 ##	Enable extra rules in the cron domain
 ##	to support fcron.
 ## </tunable>
-tunable_def(fcron_crond,false)
+gen_tunable(fcron_crond,false)
 
 ## <tunable name="use_dns" dftval="false">
 ##	Allow the use of DNS for name resolution.
 ## </tunable>
-tunable_def(use_dns,false)
+gen_tunable(use_dns,false)
+
+## <tunable name="cron_can_relabel" dftval="false">
+##	Allow system cron jobs to relabel filesystem
+##	for restoring file contexts.
+## </tunable>
+gen_tunable(cron_can_relabel,false)
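Review bot: The description of the new cron_can_relabel tunable does not say what privilege enabling it grants. Going by the cron.te hunks in this commit, the true branch gives system_crond_t what appears to be a domain transition to setfiles, while the false branch only lets it validate and compute contexts and read file_contexts. I would state that in the comment, for example `## Allow system cron jobs to transition to setfiles and relabel the filesystem;` followed by `## when disabled they may only validate and compute contexts.`. An administrator toggling the boolean then sees that it hands relabeling ability to scheduled jobs.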
diff --git a/refpolicy/policy/modules/admin/dmesg.te b/refpolicy/policy/modules/admin/dmesg.te
index 735d869..074246d 100644
--- a/refpolicy/policy/modules/admin/dmesg.te
+++ b/refpolicy/policy/modules/admin/dmesg.te
@@ -51,7 +51,7 @@ userdom_dontaudit_use_unpriv_user_fd(dmesg_t)
 
 ifdef(`targeted_policy', `
 	term_dontaudit_use_unallocated_tty(dmesg_t)
-	terminal_ignore_use_general_pseudoterminal(dmesg_t)
+	term_dontaudit_use_generic_pty(dmesg_t)
 	files_dontaudit_read_root_file(dmesg_t)
 ')
 
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 525fff2..7d25e80 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -6,9 +6,6 @@ policy_module(cron, 1.0)
 # Declarations
 #
 
-# Allow system cron jobs to relabel filesystem for restoring file contexts.
-bool cron_can_relabel false;
-
 type anacron_exec_t;
 files_file_type(anacron_exec_t)
 
@@ -126,7 +123,7 @@ tunable_policy(`fcron_crond', `
 
 ifdef(`targeted_policy', `
 	term_dontaudit_use_unallocated_tty(crond_t)
-	terminal_ignore_use_general_pseudoterminal(crond_t)
+	term_dontaudit_use_generic_pty(crond_t)
 	files_dontaudit_read_root_file(crond_t)
 ')
 
@@ -292,9 +289,9 @@ miscfiles_rw_man_cache(system_crond_t)
 
 selinux_read_config(system_crond_t)
 
-if (cron_can_relabel) {
+tunable_policy(`cron_can_relabel',`
 	selinux_domtrans_setfiles(system_crond_t)
-} else {
+',`
 	kernel_get_selinuxfs_mount_point(system_crond_t)
 	kernel_validate_context(system_crond_t)
 	kernel_compute_access_vector(system_crond_t)
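Review bot: The tunable_policy block on cron_can_relabel now relies on a boolean that is declared only through gen_tunable in global_tunables. The loadable_module.spt hunk in this commit shows gen_tunable emitting the `bool` statement only under monolithic_policy, with a placeholder comment in the other branch. In a non-monolithic build this conditional would therefore name a boolean that nothing declares, unless tunable_policy accounts for that; its definition is not visible here, so this should be confirmed alongside dropping the in-module `bool cron_can_relabel false;`. Since the explanatory comment was removed with the declaration, I would also keep one at the use site, e.g. `# cron_can_relabel: allow system cron jobs to run setfiles to restore file contexts`. The block is closed in the following hunk.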
@@ -302,7 +299,7 @@ if (cron_can_relabel) {
 	kernel_compute_relabel_context(system_crond_t)
 	kernel_compute_reachable_user_contexts(system_crond_t)
 	selinux_read_file_contexts(system_crond_t)
-}
+')
 
 ifdef(`TODO',`
 
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index 4fe5d0c..7bce7c0 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -90,7 +90,7 @@ sysnet_read_config(sendmail_t)
 
 ifdef(`targeted_policy', `
 	term_dontaudit_use_unallocated_tty(sendmail_t)
-	terminal_ignore_use_general_pseudoterminal(sendmail_t)
+	term_dontaudit_use_generic_pty(sendmail_t)
 	files_dontaudit_read_root_file(sendmail_t)
 ')
 
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 9cc541d..ab39a7c 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -152,7 +152,6 @@ term_getattr_unallocated_ttys(pam_console_t)
 term_setattr_unallocated_ttys(pam_console_t)
 
 init_use_fd(pam_console_t)
-init_use_fd(pam_console_t)
 init_use_script_pty(pam_console_t)
 
 domain_use_wide_inherit_fd(pam_console_t)
@@ -176,7 +175,7 @@ ifdef(`direct_sysadm_daemon', `
 
 ifdef(`targeted_policy', `
 	term_dontaudit_use_unallocated_tty(pam_console_t)
-	terminal_ignore_use_general_pseudoterminal(pam_console_t)
+	term_dontaudit_use_generic_pty(pam_console_t)
 	files_dontaudit_read_root_file(pam_console_t)
 ')
 
@@ -186,7 +185,7 @@ optional_policy(`hotplug.te', `
 ')
 
 optional_policy(`selinux.te',`
-selinux_newrole_sigchld(pam_console_t)
+	selinux_newrole_sigchld(pam_console_t)
 ')
 
 optional_policy(`udev.te', `
diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te
index 6cad75b..df0aa9e 100644
--- a/refpolicy/policy/modules/system/clock.te
+++ b/refpolicy/policy/modules/system/clock.te
@@ -59,7 +59,7 @@ miscfiles_read_localization(hwclock_t)
 
 ifdef(`targeted_policy', `
 	term_dontaudit_use_unallocated_tty(hwclock_t)
-	terminal_ignore_use_general_pseudoterminal(hwclock_t)
+	term_dontaudit_use_generic_pty(hwclock_t)
 	files_dontaudit_read_root_file(hwclock_t)
 ')
 
diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te
index ae17162..34ec9a9 100644
--- a/refpolicy/policy/modules/system/hostname.te
+++ b/refpolicy/policy/modules/system/hostname.te
@@ -29,8 +29,6 @@ kernel_read_kernel_sysctl(hostname_t)
 kernel_read_hardware_state(hostname_t)
 kernel_dontaudit_use_fd(hostname_t)
 
-files_read_generic_etc_files(hostname_t)
-files_dontaudit_search_var(hostname_t)
 fs_getattr_xattr_fs(hostname_t)
 
 term_dontaudit_use_console(hostname_t)
@@ -42,6 +40,8 @@ init_use_script_pty(hostname_t)
 
 domain_use_wide_inherit_fd(hostname_t)
 
+files_read_generic_etc_files(hostname_t)
+files_dontaudit_search_var(hostname_t)
 # for when /usr is not mounted:
 files_dontaudit_search_isid_type_dir(hostname_t)
 
@@ -60,7 +60,7 @@ ifdef(`distro_redhat', `
 
 ifdef(`targeted_policy', `
 	term_dontaudit_use_unallocated_tty(hostname_t)
-	terminal_ignore_use_general_pseudoterminal(hostname_t)
+	term_dontaudit_use_generic_pty(hostname_t)
 	files_dontaudit_read_root_file(hostname_t)
 ')
 
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 991c4fb..a35f1d0 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -119,7 +119,7 @@ ifdef(`distro_redhat', `
 
 ifdef(`targeted_policy', `
 	term_dontaudit_use_unallocated_tty(hotplug_t)
-	terminal_ignore_use_general_pseudoterminal(hotplug_t)
+	term_dontaudit_use_generic_pty(hotplug_t)
 	files_dontaudit_read_root_file(hotplug_t)
 ')
 
diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te
index c2b04e8..8e6d477 100644
--- a/refpolicy/policy/modules/system/iptables.te
+++ b/refpolicy/policy/modules/system/iptables.te
@@ -98,7 +98,7 @@ optional_policy(`udev.te', `
 
 ifdef(`targeted_policy', `
 	term_dontaudit_use_unallocated_tty(iptables_t)
-	terminal_ignore_use_general_pseudoterminal(iptables_t)
+	term_dontaudit_use_generic_pty(iptables_t)
 
 	files_dontaudit_read_root_file(iptables_t)
 ')
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index f2fe8aa..3b6ba04 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -81,7 +81,7 @@ miscfiles_read_localization(auditd_t)
 
 ifdef(`targeted_policy', `
 	term_dontaudit_use_unallocated_tty(auditd_t)
-	terminal_ignore_use_general_pseudoterminal(auditd_t)
+	term_dontaudit_use_generic_pty(auditd_t)
 	files_dontaudit_read_root_file(auditd_t)
 ')
 
@@ -245,7 +245,7 @@ ifdef(`klogd.te', `', `
 
 ifdef(`targeted_policy', `
 	term_dontaudit_use_unallocated_tty(syslogd_t)
-	terminal_ignore_use_general_pseudoterminal(syslogd_t)
+	term_dontaudit_use_generic_pty(syslogd_t)
 	files_dontaudit_read_root_file(syslogd_t)
 ')
 
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index 82f9752..382379a 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -143,7 +143,7 @@ ifdef(`distro_redhat',`
 
 ifdef(`targeted_policy', `
 	term_dontaudit_use_unallocated_tty(lvm_t)
-	terminal_ignore_use_general_pseudoterminal(lvm_t)
+	term_dontaudit_use_generic_pty(lvm_t)
 
 	files_dontaudit_read_root_file(lvm_t)
 ')
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 4b8e79d..efb45c8 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -139,7 +139,7 @@ ifdef(`distro_redhat', `
 
 ifdef(`targeted_policy', `
 	term_dontaudit_use_unallocated_tty(dhcpc_t)
-	terminal_ignore_use_general_pseudoterminal(dhcpc_t)
+	term_dontaudit_use_generic_pty(dhcpc_t)
 
 	files_dontaudit_read_root_file(dhcpc_t)
 ')
@@ -153,7 +153,7 @@ optional_policy(`hostname.te',`
 ')
 
 optional_policy(`nscd.te',`
-	nscd_transition(dhcpc_t)
+	nscd_domtrans(dhcpc_t)
 ')
 
 optional_policy(`selinux.te',`
@@ -173,10 +173,10 @@ optional_policy(`userdomain.te',`
 #
 init_exec_script(dhcpc_t)
 optional_policy(`ypbind.te',`
-	ypbind_transition(dhcpc_t)
+	ypbind_domtrans(dhcpc_t)
 ')
 optional_policy(`ntpd.te',`
-	ntpd_transition(dhcpc_t)
+	ntpd_domtrans(dhcpc_t)
 ')
 
 ifdef(`TODO',`
diff --git a/refpolicy/policy/support/loadable_module.spt b/refpolicy/policy/support/loadable_module.spt
index 36bb673..2ceba74 100644
--- a/refpolicy/policy/support/loadable_module.spt
+++ b/refpolicy/policy/support/loadable_module.spt
@@ -61,15 +61,15 @@ define(`optional_policy',`
 # tunable value as specified by the policy
 # or if the override value should be used
 #
-define(`deflt_or_overr',`ifdef(`$1',$1,$2)')
+define(`dflt_or_overr',`ifdef(`$1',$1,$2)')
 
 ##############################
 #
 # Tunable declaration
 #
-define(`tunable_def',`
+define(`gen_tunable',`
 	ifdef(`monolithic_policy',`
-		bool $1 deflt_or_overr(`$1'_conf,$2);
+		bool $1 dflt_or_overr(`$1'_conf,$2);
 	',`
 		# loadable module tunable
 		# declaration will go here

