[selinux-policy: 385/3172] add a couple more nfs and cifs interfaces, to cover most of the use_(nfs|cifs)_home_dirs tunable

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:38:06 UTC 2010


commit d35c621eb0d40723ba9505f5a9a6ce8b21b18aa5
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Jun 16 20:33:51 2005 +0000

    add a couple more nfs and cifs interfaces, to cover most of the
    use_(nfs|cifs)_home_dirs tunable

 refpolicy/policy/modules/admin/rpm.te            |    2 +-
 refpolicy/policy/modules/apps/gpg.if             |   72 +++---
 refpolicy/policy/modules/kernel/filesystem.if    |  190 +++++++++++++---
 refpolicy/policy/modules/kernel/storage.if       |  277 +++++++++-------------
 refpolicy/policy/modules/services/remotelogin.te |   18 +-
 refpolicy/policy/modules/system/authlogin.te     |    9 +-
 refpolicy/policy/modules/system/clock.te         |    6 +-
 refpolicy/policy/modules/system/hostname.te      |    3 +-
 refpolicy/policy/modules/system/hotplug.te       |    6 +-
 refpolicy/policy/modules/system/init.te          |    6 +-
 refpolicy/policy/modules/system/iptables.te      |    3 +-
 refpolicy/policy/modules/system/libraries.te     |    1 -
 refpolicy/policy/modules/system/locallogin.te    |   43 ++--
 refpolicy/policy/modules/system/logging.te       |    3 +-
 refpolicy/policy/modules/system/lvm.te           |   18 +-
 refpolicy/policy/modules/system/modutils.te      |    6 +-
 refpolicy/policy/modules/system/selinuxutil.te   |   31 ++-
 refpolicy/policy/modules/system/sysnetwork.te    |    4 +-
 refpolicy/policy/modules/system/udev.te          |    9 +-
 19 files changed, 400 insertions(+), 307 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index e33466b..b3f6bad 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -118,6 +118,7 @@ dev_read_urand(rpm_t)
 
 #fs_manage_nfs_dir(rpm_t)
 #fs_manage_nfs_files(rpm_t)
+fs_manage_nfs_symlinks(rpm_t)
 fs_getattr_all_fs(rpm_t)
 
 storage_raw_write_fixed_disk(rpm_t)
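Review bot: `fs_manage_nfs_symlinks(rpm_t)` is added unconditionally, whereas every other caller this commit introduces (gpg.if, remotelogin.te) wraps the nfs/cifs interfaces in `tunable_policy(`use_nfs_home_dirs',...)`. The interface also grants more than the `allow rpm_t nfs_t:lnk_file create_file_perms;` it replaces in the next hunk: per its body in filesystem.if it additionally allows `nfs_t:dir rw_dir_perms`, while the neighbouring `fs_manage_nfs_dir`/`fs_manage_nfs_files` calls remain commented out. Either gate it on the tunable like the other callers, or add a one-line comment stating why rpm_t needs write access to NFS directories and symlinks regardless of the tunable, e.g. `# rpm follows/creates symlinks on NFS mounts even when home dirs are not on NFS`.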
@@ -176,7 +177,6 @@ allow rpm_t ttyfile:chr_file unlink;
 allow rpm_t fs_type:dir { setattr rw_dir_perms };
 
 allow rpm_t mount_t:tcp_socket write;
-allow rpm_t nfs_t:lnk_file create_file_perms;
 
 allow rpm_t sysfs_t:dir r_dir_perms;
 allow rpm_t usbdevfs_t:dir r_dir_perms;
diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if
index 4e3a53a..903524b 100644
--- a/refpolicy/policy/modules/apps/gpg.if
+++ b/refpolicy/policy/modules/apps/gpg.if
@@ -43,10 +43,7 @@ define(`gpg_per_userdomain_template',`
 	#
 
 	# transition from the userdomain to the derived domain
-	allow $1_t $1_gpg_t:process transition;
-	allow $1_t gpg_exec_t:file rx_file_perms;
-	type_transition $1_t gpg_exec_t:process $1_gpg_t;
-	dontaudit $1_t $1_gpg_t:process { noatsecure siginh rlimitinh };
+	domain_auto_trans($1_t,gpg_exec_t,$1_gpg_t)
 
 	allow $1_t $1_gpg_t:fd use;
 	allow $1_gpg_t $1_t:fd use;
@@ -103,6 +100,18 @@ define(`gpg_per_userdomain_template',`
 		allow $1_gpg_t gpg_exec_t:file execmod;
 	')
 
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_dirs($1_gpg_t)
+		fs_manage_nfs_files($1_gpg_t)
+		fs_manage_nfs_symlinks($1_gpg_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_manage_cifs_dirs($1_gpg_t)
+		fs_manage_cifs_files($1_gpg_t)
+		fs_manage_cifs_symlinks($1_gpg_t)
+	')
+
 	ifdef(`TODO',`
 
 	can_ypbind($1_gpg_t)
@@ -134,13 +143,6 @@ define(`gpg_per_userdomain_template',`
 	# allow the usual access to /tmp
 	file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t)
 
-	tunable_policy(`use_nfs_home_dirs',`
-		create_dir_file($1_gpg_t, nfs_t)
-	')
-	tunable_policy(`use_samba_home_dirs',`
-		create_dir_file($1_gpg_t, cifs_t)
-	')
-
 	rw_dir_create_file($1_gpg_t, $1_file_type)
 
 	allow $1_t $1_gpg_secret_t:dir rw_dir_perms;
@@ -157,11 +159,12 @@ define(`gpg_per_userdomain_template',`
 	# Note: this is only tested with the hkp interface. If you use eg the 
 	# mail interface you will likely need additional permissions.
 
+	# communicate with the user 
+	allow $1_gpg_helper_t $1_t:fd use;
+	allow $1_gpg_helper_t $1_t:fifo_file write;
+
 	# transition from the gpg domain to the helper domain
-	allow $1_gpg_t $1_gpg_helper_t:process transition;
-	allow $1_gpg_t gpg_helper_exec_t:file rx_file_perms;
-	type_transition $1_gpg_t gpg_helper_exec_t:process $1_gpg_helper_t;
-	dontaudit $1_gpg_helper_t $1_gpg_t:process { noatsecure siginh rlimitinh };
+	domain_auto_trans($1_gpg_t,gpg_helper_exec_t,$1_gpg_helper_t)
 
 	allow $1_gpg_t $1_gpg_helper_t:fd use;
 	allow $1_gpg_helper_t $1_gpg_t:fd use;
@@ -197,18 +200,15 @@ define(`gpg_per_userdomain_template',`
 
 	sysnet_read_config($1_gpg_helper_t)
 
-	ifdef(`TODO',`
-
 	tunable_policy(`use_nfs_home_dirs',`
-		dontaudit $1_gpg_helper_t nfs_t:file { read write };
+		fs_dontaudit_rw_nfs_files($1_gpg_helper_t)
 	')
+
 	tunable_policy(`use_samba_home_dirs',`
-		dontaudit $1_gpg_helper_t cifs_t:file { read write };
+		fs_dontaudit_rw_cifs_files($1_gpg_helper_t)
 	')
 
-	# communicate with the user 
-	allow $1_gpg_helper_t $1_t:fd use;
-	allow $1_gpg_helper_t $1_t:fifo_file write;
+	ifdef(`TODO',`
 
 	ifdef(`xdm.te', `
 		dontaudit $1_gpg_t xdm_t:fd use;
@@ -232,6 +232,9 @@ define(`gpg_per_userdomain_template',`
 	allow $1_t $1_gpg_agent_tmp_t:sock_file create_file_perms;
 	files_create_tmp_files($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
 
+	# Transition from the user domain to the derived domain.
+	domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t)
+
 	domain_use_wide_inherit_fd($1_gpg_agent_t)
 
 	libs_use_ld_so($1_gpg_agent_t)
@@ -239,9 +242,19 @@ define(`gpg_per_userdomain_template',`
 
 	miscfiles_read_localization($1_gpg_agent_t)
 
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_dirs($1_gpg_agent_t)
+		fs_manage_nfs_files($1_gpg_agent_t)
+		fs_manage_nfs_symlinks($1_gpg_agent_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_manage_cifs_dirs($1_gpg_agent_t)
+		fs_manage_cifs_files($1_gpg_agent_t)
+		fs_manage_cifs_symlinks($1_gpg_agent_t)
+	')
+
 	ifdef(`TODO',`
-	# Transition from the user domain to the derived domain.
-	domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t)
 
 	allow $1_gpg_agent_t xdm_t:fd use;
 
@@ -261,12 +274,6 @@ define(`gpg_per_userdomain_template',`
 	# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
 	allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search;
 	create_dir_file($1_gpg_agent_t, $1_gpg_secret_t)
-	tunable_policy(`use_nfs_home_dirs',`
-		create_dir_file($1_gpg_agent_t, nfs_t)
-	')
-	tunable_policy(`use_samba_home_dirs',`
-		create_dir_file($1_gpg_agent_t, cifs_t)
-	')
 
 	# gpg connect
 	allow $1_gpg_t $1_gpg_agent_tmp_t:dir search;
@@ -281,10 +288,7 @@ define(`gpg_per_userdomain_template',`
 
 	# we need to allow gpg-agent to call pinentry so it can get the passphrase 
 	# from the user.
-	allow $1_gpg_agent_t $1_gpg_pinentry_t:process transition;
-	allow $1_gpg_agent_t pinentry_exec_t:file rx_file_perms;
-	type_transition $1_gpg_agent_t pinentry_exec_t:process $1_gpg_pinentry_t;
-	dontaudit $1_gpg_agent_t $1_gpg_pinentry_t:process { noatsecure siginh rlimitinh };
+	domain_auto_trans($1_gpg_agent_t,pinentry_exec_t,$1_gpg_pinentry_t)
 
 	allow $1_gpg_pinentry_t $1_gpg_agent_t:fd use;
 	allow $1_gpg_agent_t $1_gpg_pinentry_t:fd use;
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 2c03327..6d7b9f6 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -399,17 +399,14 @@ define(`fs_mount_cifs_depend',`
 ## </interface>
 #
 define(`fs_remount_cifs',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type cifs_t;
+		class filesystem remount;
+	')
 
 	allow $1 cifs_t:filesystem remount;
 ')
 
-define(`fs_remount_cifs_depend',`
-	type cifs_t;
-
-	class filesystem remount;
-')
-
 ########################################
 ## <interface name="fs_unmount_cifs">
 ##	<description>
@@ -421,17 +418,14 @@ define(`fs_remount_cifs_depend',`
 ## </interface>
 #
 define(`fs_unmount_cifs',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type cifs_t;
+		class filesystem unmount;
+	')
 
 	allow $1 cifs_t:filesystem mount;
 ')
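Review bot: The new `gen_require` block for `fs_unmount_cifs` declares `class filesystem unmount;`, but the rule it guards on the line below grants `allow $1 cifs_t:filesystem mount;`, so the declared permission is unused and the interface named "unmount" actually grants mount. Given the interface name and description, the rule should read `allow $1 cifs_t:filesystem unmount;`; if mount was intended, the require and the interface name are the parts that are wrong. The pre-existing `_depend` macro had the same inconsistency, but the inlining is the moment to fix it.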
 
-define(`fs_unmount_cifs_depend',`
-	type cifs_t;
-
-	class filesystem unmount;
-')
-
 ########################################
 ## <interface name="fs_getattr_cifs">
 ##	<description>
@@ -445,15 +439,74 @@ define(`fs_unmount_cifs_depend',`
 ## </interface>
 #
 define(`fs_getattr_cifs',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type cifs_t;
+		class filesystem getattr;
+	')
 
 	allow $1 cifs_t:filesystem getattr;
 ')
 
-define(`fs_getattr_cifs_depend',`
-	type cifs_t;
+########################################
+## <interface name="fs_read_cifs_files">
+##	<description>
+##		Read files on a CIFS or SMB filesystem.
+##	</description>
+##	<parameter name="domain">
+##		The type of the domain reading the files.
+##	</parameter>
+## </interface>
+#
+define(`fs_read_cifs_files',`
+	gen_require(`
+		type cifs_t;
+		class dir r_dir_perms;
+		class file r_file_perms;
+	')
 
-	class filesystem getattr;
+	allow $1 cifs_t:dir r_dir_perms;
+	allow $1 cifs_t:file r_file_perms;
+')
+
+########################################
+## <interface name="fs_dontaudit_rw_cifs_files">
+##	<description>
+##		Do not audit attempts to read or
+##		write files on a CIFS or SMB filesystem.
+##	</description>
+##	<parameter name="domain">
+##		The type of the domain to not audit.
+##	</parameter>
+## </interface>
+#
+define(`fs_dontaudit_rw_cifs_files',`
+	gen_require(`
+		type cifs_t;
+		class file { read write };
+	')
+
+	dontaudit $1 cifs_t:file { read write };
+')
+
+########################################
+## <interface name="fs_read_cifs_symlinks">
+##	<description>
+##		Read symbolic links on a CIFS or SMB filesystem.
+##	</description>
+##	<parameter name="domain">
+##		The type of the domain reading the symbolic links.
+##	</parameter>
+## </interface>
+#
+define(`fs_read_cifs_symlinks',`
+	gen_require(`
+		type cifs_t;
+		class dir r_dir_perms;
+		class lnk_file r_file_perms;
+	')
+
+	allow $1 cifs_t:dir r_dir_perms;
+	allow $1 cifs_t:lnk_file r_file_perms;
 ')
 
 ########################################
@@ -483,6 +536,26 @@ define(`fs_execute_cifs_files_depend',`
 ')
 
 ########################################
+## <interface name="fs_dontaudit_rw_cifs_files">
+##	<description>
+##		Do not audit attempts to read or
+##		write files on a CIFS or SMB filesystems.
+##	</description>
+##	<parameter name="domain">
+##		The type of the domain to not audit.
+##	</parameter>
+## </interface>
+#
+define(`fs_read_cifs_files',`
+	gen_require(`
+		type cifs_t;
+		class file { read write };
+	')
+
+	dontaudit $1 cifs_t:file { read write };
+')
+
+########################################
 ## <interface name="fs_manage_cifs_dirs">
 ##	<description>
 ##		Create, read, write, and delete directories
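Review bot: The block added here is documented as `fs_dontaudit_rw_cifs_files` but defined as `define(`fs_read_cifs_files',` with a `dontaudit $1 cifs_t:file { read write };` body, while both `fs_read_cifs_files` (an allow of `r_dir_perms`/`r_file_perms`) and `fs_dontaudit_rw_cifs_files` are already defined in the previous hunk of this file. Since m4 keeps the last definition, this redefines `fs_read_cifs_files` as a dontaudit, so `fs_read_cifs_files(remote_login_t)` in the remotelogin.te hunk would silence denials instead of granting read access to CIFS home directories. This looks like a leftover copy from drafting the interface; the whole added block (header comment through the closing `')`) should be removed, leaving the earlier definitions as the only ones. The description also says "filesystems" where the matching block above says "filesystem".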
@@ -907,6 +980,27 @@ define(`fs_getattr_nfs_depend',`
 ')
 
 ########################################
+## <interface name="fs_read_nfs_files">
+##	<description>
+##		Read files on a NFS filesystem.
+##	</description>
+##	<parameter name="domain">
+##		The type of the domain reading the files.
+##	</parameter>
+## </interface>
+#
+define(`fs_read_nfs_files',`
+	gen_require(`
+		type nfs_t;
+		class dir r_dir_perms;
+		class file r_file_perms;
+	')
+
+	allow $1 nfs_t:dir r_dir_perms;
+	allow $1 nfs_t:file r_file_perms;
+')
+
+########################################
 ## <interface name="fs_execute_nfs_files">
 ##	<description>
 ##		Execute files on a NFS filesystem.
@@ -917,17 +1011,54 @@ define(`fs_getattr_nfs_depend',`
 ## </interface>
 #
 define(`fs_execute_nfs_files',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type nfs_t;
+		class dir r_dir_perms;
+	')
 
 	allow $1 nfs_t:dir r_dir_perms;
 	can_exec($1, nfs_t)
 ')
 
-define(`fs_execute_nfs_files_depend',`
-	type nfs_t;
+########################################
+## <interface name="fs_dontaudit_rw_nfs_files">
+##	<description>
+##		Do not audit attempts to read or
+##		write files on a NFS filesystem.
+##	</description>
+##	<parameter name="domain">
+##		The type of the domain to not audit.
+##	</parameter>
+## </interface>
+#
+define(`fs_dontaudit_rw_nfs_files',`
+	gen_require(`
+		type nfs_t;
+		class file { read write };
+	')
 
-	class dir r_dir_perms;
-	class file { getattr read execute execute_no_trans };
+	dontaudit $1 nfs_t:file { read write };
+')
+
+########################################
+## <interface name="fs_read_nfs_symlinks">
+##	<description>
+##		Read symbolic links on a NFS filesystem.
+##	</description>
+##	<parameter name="domain">
+##		The type of the domain reading the symbolic links.
+##	</parameter>
+## </interface>
+#
+define(`fs_read_nfs_symlinks',`
+	gen_require(`
+		type nfs_t;
+		class dir r_dir_perms;
+		class lnk_file r_file_perms;
+	')
+
+	allow $1 nfs_t:dir r_dir_perms;
+	allow $1 nfs_t:lnk_file r_file_perms;
 ')
 
 ########################################
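Review bot: The inlined `gen_require` for `fs_execute_nfs_files` declares only `type nfs_t;` and `class dir r_dir_perms;`, dropping the `class file { getattr read execute execute_no_trans };` that the removed `fs_execute_nfs_files_depend` listed, while the body still calls `can_exec($1, nfs_t)`. Unless `can_exec` carries its own require (not visible here), the file-class permissions it uses are no longer declared by this interface and a module that only calls this interface may fail to build or link. Keep the line `class file { getattr read execute execute_no_trans };` in the new `gen_require` block.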
@@ -990,19 +1121,16 @@ define(`fs_manage_nfs_files_depend',`
 ## </interface>
 #
 define(`fs_manage_nfs_symlinks',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type nfs_t;
+		class dir r_dir_perms;
+		class lnk_file create_lnk_perms;
+	')
 
 	allow $1 nfs_t:dir rw_dir_perms;
 	allow $1 nfs_t:lnk_file create_lnk_perms;
 ')
 
-define(`fs_manage_nfs_symlinks_depend',`
-	type nfs_t;
-
-	class dir r_dir_perms;
-	class lnk_file create_lnk_perms;
-')
-
 #########################################
 ## <interface name="fs_manage_nfs_named_pipes">
 ##	<description>
diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if
index f081d53..7a340cf 100644
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@@ -13,18 +13,15 @@
 ## </interface>
 #
 define(`storage_getattr_fixed_disk',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type fixed_disk_device_t;
+		class blk_file getattr;
+	')
 
 	dev_list_all_dev_nodes($1)
 	allow $1 fixed_disk_device_t:blk_file getattr;
 ')
 
-define(`storage_getattr_fixed_disk_depend',`
-	type fixed_disk_device_t;
-
-	class blk_file getattr;
-')
-
 ########################################
 ## <interface name="storage_dontaudit_getattr_fixed_disk">
 ##	<description>
@@ -37,17 +34,14 @@ define(`storage_getattr_fixed_disk_depend',`
 ## </interface>
 #
 define(`storage_dontaudit_getattr_fixed_disk',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type fixed_disk_device_t;
+		class blk_file getattr;
+	')
 
 	dontaudit $1 fixed_disk_device_t:blk_file getattr;
 ')
 
-define(`storage_dontaudit_getattr_fixed_disk_depend',`
-	type fixed_disk_device_t;
-
-	class blk_file getattr;
-')
-
 ########################################
 ## <interface name="storage_setattr_fixed_disk">
 ##	<description>
@@ -60,16 +54,33 @@ define(`storage_dontaudit_getattr_fixed_disk_depend',`
 ## </interface>
 #
 define(`storage_setattr_fixed_disk',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type fixed_disk_device_t;
+		class blk_file setattr;
+	')
 
 	dev_list_all_dev_nodes($1)
 	allow $1 fixed_disk_device_t:blk_file setattr;
 ')
 
-define(`storage_setattr_fixed_disk_depend',`
-	type fixed_disk_device_t;
+########################################
+## <interface name="storage_dontaudit_setattr_fixed_disk">
+##	<description>
+##		Do not audit attempts made by the caller to set
+##		the attributes of fixed disk device nodes.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process to not audit.
+##	</parameter>
+## </interface>
+#
+define(`storage_dontaudit_setattr_fixed_disk',`
+	gen_require(`
+		type fixed_disk_device_t;
+		class blk_file getattr;
+	')
 
-	class blk_file setattr;
+	dontaudit $1 fixed_disk_device_t:blk_file getattr;
 ')
 
 ########################################
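Review bot: The new `storage_dontaudit_setattr_fixed_disk` interface is named and documented as suppressing setattr denials, but it requires `class blk_file getattr;` and its body is `dontaudit $1 fixed_disk_device_t:blk_file getattr;`, which makes it a duplicate of `storage_dontaudit_getattr_fixed_disk` defined above. This reads as a copy-paste slip from that interface; both lines should use setattr: `class blk_file setattr;` and `dontaudit $1 fixed_disk_device_t:blk_file setattr;`. As written, a caller expecting to quiet setattr noise would still see those denials in the audit log.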
@@ -86,21 +97,17 @@ define(`storage_setattr_fixed_disk_depend',`
 ## </interface>
 #
 define(`storage_raw_read_fixed_disk',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		attribute fixed_disk_raw_read;
+		type fixed_disk_device_t;
+		class blk_file r_file_perms;
+	')
 
 	dev_list_all_dev_nodes($1)
 	allow $1 fixed_disk_device_t:blk_file r_file_perms;
 	typeattribute $1 fixed_disk_raw_read;
 ')
 
-define(`storage_raw_read_fixed_disk_depend',`
-	attribute fixed_disk_raw_read;
-
-	type fixed_disk_device_t;
-
-	class blk_file r_file_perms;
-')
-
 ########################################
 ## <interface name="storage_raw_write_fixed_disk">
 ##	<description>
@@ -115,21 +122,17 @@ define(`storage_raw_read_fixed_disk_depend',`
 ## </interface>
 #
 define(`storage_raw_write_fixed_disk',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		attribute fixed_disk_raw_write;
+		type fixed_disk_device_t;
+		class blk_file { getattr write ioctl };
+	')
 
 	dev_list_all_dev_nodes($1)
 	allow $1 fixed_disk_device_t:blk_file { getattr write ioctl };
 	typeattribute $1 fixed_disk_raw_write;
 ')
 
-define(`storage_raw_write_fixed_disk_depend',`
-	attribute fixed_disk_raw_write;
-
-	type fixed_disk_device_t;
-
-	class blk_file { getattr write ioctl };
-')
-
 ########################################
 ## <interface name="storage_create_fixed_disk">
 ##	<description>
@@ -141,19 +144,17 @@ define(`storage_raw_write_fixed_disk_depend',`
 ## </interface>
 #
 define(`storage_create_fixed_disk_dev_entry',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		attribute fixed_disk_raw_read, fixed_disk_raw_write;
+		type fixed_disk_device_t;
+		class blk_file create_file_perms;
+	')
 
 	allow $1 fixed_disk_device_t:blk_file create_file_perms;
 	dev_create_dev_node($1,fixed_disk_device_t,blk_file)
 	typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
 ')
 
-define(`storage_create_fixed_disk_dev_entry_depend',`
-	type fixed_disk_device_t;
-
-	class blk_file create_file_perms;
-')
-
 ########################################
 ## <interface name="storage_manage_fixed_disk">
 ##	<description>
@@ -165,21 +166,17 @@ define(`storage_create_fixed_disk_dev_entry_depend',`
 ## </interface>
 #
 define(`storage_manage_fixed_disk',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		attribute fixed_disk_raw_read, fixed_disk_raw_write;
+		type fixed_disk_device_t;
+		class blk_file create_file_perms;
+	')
 
 	dev_list_all_dev_nodes($1)
 	allow $1 fixed_disk_device_t:blk_file create_file_perms;
 	typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
 ')
 
-define(`storage_manage_fixed_disk_depend',`
-	attribute fixed_disk_raw_read, fixed_disk_raw_write;
-
-	type fixed_disk_device_t;
-
-	class blk_file create_file_perms;
-')
-
 ########################################
 ## <interface name="storage_raw_read_lvm_volume">
 ##	<description>
@@ -194,21 +191,17 @@ define(`storage_manage_fixed_disk_depend',`
 ## </interface>
 #
 define(`storage_raw_read_lvm_volume',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		attribute fixed_disk_raw_read;
+		type lvm_vg_t;
+		class blk_file r_file_perms;
+	')
 
 	dev_list_all_dev_nodes($1)
 	allow $1 lvm_vg_t:blk_file r_file_perms;
 	typeattribute $1 fixed_disk_raw_read;
 ')
 
-define(`storage_raw_read_lvm_volume_depend',`
-	attribute fixed_disk_raw_read;
-
-	type lvm_vg_t;
-
-	class blk_file r_file_perms;
-')
-
 ########################################
 ## <interface name="storage_raw_write_lvm_volume">
 ##	<description>
@@ -223,21 +216,17 @@ define(`storage_raw_read_lvm_volume_depend',`
 ## </interface>
 #
 define(`storage_raw_write_lvm_volume',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		attribute fixed_disk_raw_write;
+		type lvm_vg_t;
+		class blk_file { getattr write ioctl };
+	')
 
 	dev_list_all_dev_nodes($1)
 	allow $1 lvm_vg_t:blk_file { getattr write ioctl };
 	typeattribute $1 fixed_disk_raw_write;
 ')
 
-define(`storage_raw_write_lvm_volume_depend',`
-	attribute fixed_disk_raw_write;
-
-	type lvm_vg_t;
-
-	class blk_file { getattr write ioctl };
-')
-
 ########################################
 ## <interface name="storage_read_scsi_generic">
 ##	<description>
@@ -253,21 +242,17 @@ define(`storage_raw_write_lvm_volume_depend',`
 ## </interface>
 #
 define(`storage_read_scsi_generic',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		attribute scsi_generic_read;
+		type scsi_generic_device_t;
+		class blk_file r_file_perms;
+	')
 
 	dev_list_all_dev_nodes($1)
 	allow $1 scsi_generic_device_t:blk_file r_file_perms;
 	typeattribute $1 scsi_generic_read;
 ')
 
-define(`storage_read_scsi_generic_depend',`
-	attribute scsi_generic_read;
-
-	type scsi_generic_device_t;
-
-	class blk_file r_file_perms;
-')
-
 ########################################
 ## <interface name="storage_write_scsi_generic">
 ##	<description>
@@ -283,21 +268,17 @@ define(`storage_read_scsi_generic_depend',`
 ## </interface>
 #
 define(`storage_write_scsi_generic',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		attribute scsi_generic_write;
+		type scsi_generic_device_t;
+		class blk_file { getattr write ioctl };
+	')
 
 	dev_list_all_dev_nodes($1)
 	allow $1 scsi_generic_device_t:blk_file { getattr write ioctl };
 	typeattribute $1 scsi_generic_write;
 ')
 
-define(`storage_write_scsi_generic_depend',`
-	attribute scsi_generic_write;
-
-	type scsi_generic_device_t;
-
-	class blk_file { getattr write ioctl };
-')
-
 ########################################
 ## <interface name="storage_getattr_scsi_generic">
 ##	<description>
@@ -310,18 +291,15 @@ define(`storage_write_scsi_generic_depend',`
 ## </interface>
 #
 define(`storage_getattr_scsi_generic',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type scsi_generic_device_t;
+		class blk_file getattr;
+	')
 
 	dev_list_all_dev_nodes($1)
 	allow $1 scsi_generic_device_t:blk_file getattr;
 ')
 
-define(`storage_getattr_scsi_generic_depend',`
-	type scsi_generic_device_t;
-
-	class blk_file getattr;
-')
-
 ########################################
 ## <interface name="storage_setattr_scsi_generic">
 ##	<description>
@@ -334,18 +312,15 @@ define(`storage_getattr_scsi_generic_depend',`
 ## </interface>
 #
 define(`storage_set_scsi_generic_attributes',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type scsi_generic_device_t;
+		class blk_file setattr;
+	')
 
 	dev_list_all_dev_nodes($1)
 	allow $1 scsi_generic_device_t:blk_file setattr;
 ')
 
-define(`storage_set_scsi_generic_attributes_depend',`
-	type scsi_generic_device_t;
-
-	class blk_file setattr;
-')
-
 ########################################
 ## <interface name="storage_getattr_removable_device">
 ##	<description>
@@ -358,18 +333,15 @@ define(`storage_set_scsi_generic_attributes_depend',`
 ## </interface>
 #
 define(`storage_getattr_removable_device',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type removable_device_t;
+		class blk_file getattr;
+	')
 
 	dev_list_all_dev_nodes($1)
 	allow $1 removable_device_t:blk_file getattr;
 ')
 
-define(`storage_getattr_removable_device_depend',`
-	type removable_device_t;
-
-	class blk_file getattr;
-')
-
 ########################################
 ## <interface name="storage_dontaudit_getattr_removable_device">
 ##	<description>
@@ -382,17 +354,14 @@ define(`storage_getattr_removable_device_depend',`
 ## </interface>
 #
 define(`storage_dontaudit_getattr_removable_device',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type removable_device_t;
+		class blk_file getattr;
+	')
 
 	dontaudit $1 removable_device_t:blk_file getattr;
 ')
 
-define(`storage_dontaudit_getattr_removable_device_depend',`
-	type removable_device_t;
-
-	class blk_file getattr;
-')
-
 ########################################
 ## <interface name="storage_setattr_removable_device">
 ##	<description>
@@ -405,18 +374,15 @@ define(`storage_dontaudit_getattr_removable_device_depend',`
 ## </interface>
 #
 define(`storage_setattr_removable_device',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type removable_device_t;
+		class blk_file setattr;
+	')
 
 	dev_list_all_dev_nodes($1)
 	allow $1 removable_device_t:blk_file setattr;
 ')
 
-define(`storage_setattr_removable_device_depend',`
-	type removable_device_t;
-
-	class blk_file setattr;
-')
-
 ########################################
 ## <interface name="storage_raw_read_removable_device">
 ##	<description>
@@ -432,18 +398,15 @@ define(`storage_setattr_removable_device_depend',`
 ## </interface>
 #
 define(`storage_raw_read_removable_device',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type removable_device_t;
+		class blk_file r_file_perms;
+	')
 
 	dev_list_all_dev_nodes($1)
 	allow $1 removable_device_t:blk_file r_file_perms;
 ')
 
-define(`storage_raw_read_removable_device_depend',`
-	type removable_device_t;
-
-	class blk_file r_file_perms;
-')
-
 ########################################
 ## <interface name="storage_raw_write_removable_device">
 ##	<description>
@@ -459,18 +422,15 @@ define(`storage_raw_read_removable_device_depend',`
 ## </interface>
 #
 define(`storage_raw_write_removable_device',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type removable_device_t;
+		class blk_file { getattr write ioctl };
+	')
 
 	dev_list_all_dev_nodes($1)
 	allow $1 removable_device_t:blk_file { getattr write ioctl };
 ')
 
-define(`storage_raw_write_removable_device_depend',`
-	type removable_device_t;
-
-	class blk_file { getattr write ioctl };
-')
-
 ########################################
 ## <interface name="storage_read_tape_device">
 ##	<description>
@@ -483,18 +443,15 @@ define(`storage_raw_write_removable_device_depend',`
 ## </interface>
 #
 define(`storage_read_tape_device',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type tape_device_t;
+		class blk_file r_file_perms;
+	')
 
 	dev_list_all_dev_nodes($1)
 	allow $1 tape_device_t:blk_file r_file_perms;
 ')
 
-define(`storage_read_tape_device_depend',`
-	type tape_device_t;
-
-	class blk_file r_file_perms;
-')
-
 ########################################
 ## <interface name="storage_write_tape_device">
 ##	<description>
@@ -507,18 +464,15 @@ define(`storage_read_tape_device_depend',`
 ## </interface>
 #
 define(`storage_write_tape_device',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type tape_device_t;
+		class blk_file { getattr write ioctl };
+	')
 
 	dev_list_all_dev_nodes($1)
 	allow $1 tape_device_t:blk_file { getattr write ioctl };
 ')
 
-define(`storage_write_tape_device_depend',`
-	type tape_device_t;
-
-	class blk_file { getattr write ioctl };
-')
-
 ########################################
 ## <interface name="storage_getattr_tape_device">
 ##	<description>
@@ -531,18 +485,15 @@ define(`storage_write_tape_device_depend',`
 ## </interface>
 #
 define(`storage_getattr_tape_device',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type tape_device_t;
+		class blk_file getattr;
+	')
 
 	dev_list_all_dev_nodes($1)
 	allow $1 tape_device_t:blk_file getattr;
 ')
 
-define(`storage_getattr_tape_device_depend',`
-	type tape_device_t;
-
-	class blk_file getattr;
-')
-
 ########################################
 ## <interface name="storage_setattr_tape_device">
 ##	<description>
@@ -555,15 +506,13 @@ define(`storage_getattr_tape_device_depend',`
 ## </interface>
 #
 define(`storage_setattr_tape_device',`
-	gen_require(`$0'_depend)
+	gen_require(`
+		type tape_device_t;
+		class blk_file setattr;
+	')
 
 	dev_list_all_dev_nodes($1)
 	allow $1 tape_device_t:blk_file setattr;
 ')
 
-define(`storage_setattr_tape_device_depend',`
-	type tape_device_t;
-	class blk_file setattr;
-')
-
 ## </module>
diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te
index 0119ff7..0fd4a22 100644
--- a/refpolicy/policy/modules/services/remotelogin.te
+++ b/refpolicy/policy/modules/services/remotelogin.te
@@ -81,6 +81,16 @@ auth_manage_pam_console_data(remote_login_t)
 
 miscfiles_read_localization(remote_login_t)
 
+tunable_policy(`use_nfs_home_dirs',`
+	fs_read_nfs_files(remote_login_t)
+	fs_read_nfs_symlinks(remote_login_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_read_cifs_files(remote_login_t)
+	fs_read_cifs_symlinks(remote_login_t)
+')
+
 ifdef(`TODO',`
 allow remote_login_t unpriv_userdomain:fd use;
 can_ypbind(remote_login_t)
@@ -116,14 +126,6 @@ dontaudit remote_login_t sysfs_t:dir search;
 allow remote_login_t autofs_t:dir r_dir_perms;
 allow remote_login_t mnt_t:dir r_dir_perms;
 
-tunable_policy(`use_nfs_home_dirs',`
-	r_dir_file(remote_login_t, nfs_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
-	r_dir_file(remote_login_t, cifs_t)
-')
-
 # FIXME: what is this for?
 ifdef(`xdm.te', `
 allow xdm_t remote_login_t:process signull;
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index b63ea5b..fdd84a1 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -138,9 +138,10 @@ allow pam_console_t pam_var_console_t:lnk_file r_file_perms;
 
 kernel_read_kernel_sysctl(pam_console_t)
 kernel_read_system_state(pam_console_t)
-dev_read_sysfs(pam_console_t)
 kernel_use_fd(pam_console_t)
 
+dev_read_sysfs(pam_console_t)
+
 # Allow to set attributes on /dev entries
 storage_getattr_fixed_disk(pam_console_t)
 storage_setattr_fixed_disk(pam_console_t)
@@ -151,15 +152,15 @@ term_use_console(pam_console_t)
 term_getattr_unallocated_ttys(pam_console_t)
 term_setattr_unallocated_ttys(pam_console_t)
 
-init_use_fd(pam_console_t)
-init_use_script_pty(pam_console_t)
-
 domain_use_wide_inherit_fd(pam_console_t)
 
 files_read_generic_etc_files(pam_console_t)
 files_search_pids(pam_console_t)
 files_list_mnt(pam_console_t)
 
+init_use_fd(pam_console_t)
+init_use_script_pty(pam_console_t)
+
 libs_use_ld_so(pam_console_t)
 libs_use_shared_libs(pam_console_t)
 
diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te
index fb8eb66..50c4cfe 100644
--- a/refpolicy/policy/modules/system/clock.te
+++ b/refpolicy/policy/modules/system/clock.te
@@ -30,8 +30,8 @@ dontaudit hwclock_t self:capability sys_tty_config;
 allow hwclock_t adjtime_t:file { setattr ioctl read getattr lock write append };
 
 kernel_read_kernel_sysctl(hwclock_t)
-dev_read_sysfs(hwclock_t)
 
+dev_read_sysfs(hwclock_t)
 dev_rw_realtime_clock(hwclock_t)
 
 fs_getattr_xattr_fs(hwclock_t)
@@ -41,11 +41,11 @@ term_use_unallocated_tty(hwclock_t)
 term_use_all_user_ttys(hwclock_t)
 term_use_all_user_ptys(hwclock_t)
 
+domain_use_wide_inherit_fd(hwclock_t)
+
 init_use_fd(hwclock_t)
 init_use_script_pty(hwclock_t)
 
-domain_use_wide_inherit_fd(hwclock_t)
-
 files_read_generic_etc_files_directory(hwclock_t)
 # for when /usr is not mounted:
 files_dontaudit_search_isid_type_dir(hwclock_t)
diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te
index 000fd82..8a0404d 100644
--- a/refpolicy/policy/modules/system/hostname.te
+++ b/refpolicy/policy/modules/system/hostname.te
@@ -26,9 +26,10 @@ dontaudit hostname_t self:capability sys_tty_config;
 sysnet_read_config(hostname_t)
 
 kernel_read_kernel_sysctl(hostname_t)
-dev_read_sysfs(hostname_t)
 kernel_dontaudit_use_fd(hostname_t)
 
+dev_read_sysfs(hostname_t)
+
 fs_getattr_xattr_fs(hostname_t)
 
 term_dontaudit_use_console(hostname_t)
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 9775a8d..52259dd 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -45,9 +45,7 @@ files_create_pid(hotplug_t,hotplug_var_run_t)
 
 kernel_read_system_state(hotplug_t)
 kernel_read_kernel_sysctl(hotplug_t)
-dev_read_sysfs(hotplug_t)
 kernel_read_net_sysctl(hotplug_t)
-dev_read_usbfs(hotplug_t)
 
 bootloader_read_kernel_modules(hotplug_t)
 
@@ -58,7 +56,9 @@ corenet_raw_sendrecv_all_nodes(hotplug_t)
 corenet_tcp_sendrecv_all_ports(hotplug_t)
 corenet_tcp_bind_all_nodes(hotplug_t)
 
-# for SSP
+dev_read_sysfs(hotplug_t)
+dev_read_usbfs(hotplug_t)
+# for SSP:
 dev_read_urand(hotplug_t)
 
 fs_getattr_all_fs(hotplug_t)
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index f6217ed..1ee33b6 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -88,11 +88,13 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
 # Run init scripts.
 domain_auto_trans(init_t,initrc_exec_t,initrc_t)
 
-selinux_set_boolean(init_t)
 kernel_read_system_state(init_t)
-dev_read_sysfs(init_t)
 kernel_share_state(init_t)
 
+dev_read_sysfs(init_t)
+
+selinux_set_boolean(init_t)
+
 term_use_all_terms(init_t)
 
 corecmd_chroot_exec_chroot(init_t)
diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te
index dd2edc7..01f62e8 100644
--- a/refpolicy/policy/modules/system/iptables.te
+++ b/refpolicy/policy/modules/system/iptables.te
@@ -39,11 +39,12 @@ allow iptables_t self:rawip_socket create_socket_perms;
 
 kernel_read_system_state(iptables_t)
 kernel_read_network_state(iptables_t)
-dev_read_sysfs(iptables_t)
 kernel_read_kernel_sysctl(iptables_t)
 kernel_read_modprobe_sysctl(iptables_t)
 kernel_use_fd(iptables_t)
 
+dev_read_sysfs(iptables_t)
+
 fs_getattr_xattr_fs(iptables_t)
 
 term_dontaudit_use_console(iptables_t)
diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te
index 4b34dae..29b289a 100644
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@@ -74,7 +74,6 @@ logging_send_syslog_msg(ldconfig_t)
 
 userdom_use_all_user_fd(ldconfig_t)
 
-
 ifdef(`TODO',`
 
 allow ldconfig_t tmp_t:dir search;
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index fb6ae0a..b590167 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -7,11 +7,11 @@ policy_module(locallogin,1.0)
 #
 
 type local_login_t; #, nscd_client_domain;
+auth_login_entry_type(local_login_t)
+domain_type(local_login_t)
 domain_obj_id_change_exempt(local_login_t)
 domain_subj_id_change_exempt(local_login_t)
 domain_role_change_exempt(local_login_t)
-auth_login_entry_type(local_login_t)
-domain_type(local_login_t)
 domain_wide_inherit_fd(local_login_t)
 role system_r types local_login_t;
 
@@ -53,6 +53,10 @@ files_create_tmp_files(local_login_t, local_login_tmp_t, { file dir })
 
 kernel_read_system_state(local_login_t)
 kernel_read_kernel_sysctl(local_login_t)
+
+# for SSP/ProPolice
+dev_read_urand(local_login_t)
+
 selinux_get_fs_mount(local_login_t)
 selinux_validate_context(local_login_t)
 selinux_compute_access_vector(local_login_t)
@@ -60,8 +64,8 @@ selinux_compute_create_context(local_login_t)
 selinux_compute_relabel_context(local_login_t)
 selinux_compute_user_contexts(local_login_t)
 
-# for SSP/ProPolice
-dev_read_urand(local_login_t)
+storage_dontaudit_getattr_fixed_disk(local_login_t)
+storage_dontaudit_setattr_fixed_disk(local_login_t)
 
 term_use_all_user_ttys(local_login_t)
 term_use_unallocated_tty(local_login_t)
@@ -106,6 +110,16 @@ userdom_use_unpriv_users_fd(local_login_t)
 # Search for mail spool file.
 mta_getattr_spool(local_login_t)
 
+tunable_policy(`use_nfs_home_dirs',`
+	fs_read_nfs_files(local_login_t)
+	fs_read_nfs_symlinks(local_login_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_read_cifs_files(local_login_t)
+	fs_read_cifs_symlinks(local_login_t)
+')
+
 # Red Hat systems seem to have a stray
 # fd open from the initrd
 optional_policy(`distro_redhat',`
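Review bot: The new `use_nfs_home_dirs` and `use_samba_home_dirs` blocks grant only file and symlink read, whereas the `r_dir_file(local_login_t, nfs_t)` and `r_dir_file(local_login_t, cifs_t)` calls they replace (removed in the later hunk that ends at `') dnl endif TODO`) also covered the dir class. Without search/list on the NFS or CIFS home directory itself, local_login_t will presumably be unable to reach the files these rules allow, so the matching directory-read interface from the reworked filesystem.if should be added next to `fs_read_nfs_files` and `fs_read_cifs_files` if one exists. Since the removed calls sat inside the `ifdef(\`TODO'` block, this hunk is where the tunable first takes effect, which makes the gap user-visible on systems with remote home directories.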
@@ -152,15 +166,16 @@ ifdef(`crack.te', `
 	allow local_login_t crack_db_t:file r_file_perms;
 ')
 
-allow local_login_t mouse_device_t:chr_file { getattr setattr };
-
 ifdef(`targeted_policy',`
 	unconfined_domain(local_login_t)
 	domain_auto_trans(local_login_t, shell_exec_t, unconfined_t)
 ')
 
+allow local_login_t mouse_device_t:chr_file { getattr setattr };
+allow local_login_t sound_device_t:chr_file { getattr setattr };
+allow local_login_t power_device_t:chr_file { getattr setattr };
+
 # Do not audit denied attempts to access devices.
-dontaudit local_login_t fixed_disk_device_t:blk_file { getattr setattr };
 dontaudit local_login_t removable_device_t:blk_file { getattr setattr };
 dontaudit local_login_t device_t:{ chr_file blk_file lnk_file } { getattr setattr };
 dontaudit local_login_t misc_device_t:{ chr_file blk_file } { getattr setattr };
@@ -177,20 +192,6 @@ optional_policy(`gpm.te',`
 	allow local_login_t gpmctl_t:sock_file { getattr setattr };
 ')
 
-# Allow setting of attributes on sound devices.
-allow local_login_t sound_device_t:chr_file { getattr setattr };
-
-# Allow setting of attributes on power management devices.
-allow local_login_t power_device_t:chr_file { getattr setattr };
-
-tunable_policy(`use_nfs_home_dirs',`
-	r_dir_file(local_login_t, nfs_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
-	r_dir_file(local_login_t, cifs_t)
-')
-
 ') dnl endif TODO
 
 #################################
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index b608f9d..feaf158 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -59,6 +59,7 @@ allow auditd_t auditd_var_run_t:file create_file_perms;
 files_create_pid(auditd_t,auditd_var_run_t)
 
 kernel_read_kernel_sysctl(auditd_t)
+
 dev_read_sysfs(auditd_t)
 
 fs_getattr_all_fs(auditd_t)
@@ -186,10 +187,10 @@ allow syslogd_t devlog_t:unix_dgram_socket name_bind;
 allow syslogd_t syslogd_var_run_t:file create_file_perms;
 files_create_pid(syslogd_t,syslogd_var_run_t)
 
-dev_read_sysfs(syslogd_t)
 kernel_read_kernel_sysctl(syslogd_t)
 
 dev_create_dev_node(syslogd_t,devlog_t,sock_file)
+dev_read_sysfs(syslogd_t)
 
 term_dontaudit_use_console(syslogd_t)
 # Allow syslog to a terminal
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index b3517cb..8656956 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -69,20 +69,18 @@ type_transition lvm_t lvm_etc_t:file lvm_metadata_t;
 files_create_etc_config(lvm_t,lvm_metadata_t,file)
 
 kernel_read_system_state(lvm_t)
+kernel_read_kernel_sysctl(lvm_t)
+# Read system variables in /proc/sys
+kernel_read_kernel_sysctl(lvm_t)
+# it has no reason to need this
+kernel_dontaudit_getattr_core(lvm_t)
+
 selinux_get_fs_mount(lvm_t)
 selinux_validate_context(lvm_t)
 selinux_compute_access_vector(lvm_t)
 selinux_compute_create_context(lvm_t)
 selinux_compute_relabel_context(lvm_t)
 selinux_compute_user_contexts(lvm_t)
-kernel_read_kernel_sysctl(lvm_t)
-dev_read_sysfs(lvm_t)
-# Read /sys/block. Device mapper metadata is kept there.
-dev_read_sysfs(sysfs_t)
-# Read system variables in /proc/sys
-kernel_read_kernel_sysctl(lvm_t)
-# it has no reason to need this
-kernel_dontaudit_getattr_core(lvm_t)
 
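Review bot: `kernel_read_kernel_sysctl(lvm_t)` is added twice on the new side, once directly under `kernel_read_system_state(lvm_t)` and again after the `# Read system variables in /proc/sys` comment; the two removed copies were merged into this block but one of them should have been dropped. Keep only the commented copy, i.e. remove the first `kernel_read_kernel_sysctl(lvm_t)` line. The policy compiler most likely folds the duplicate allow rules, but the repeat obscures which call was intended to survive the reorder.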
 dev_create_generic_chr_file(lvm_t)
 dev_read_rand(lvm_t)
@@ -91,7 +89,9 @@ dev_rw_lvm_control(lvm_t)
 dev_manage_generic_symlinks(lvm_t)
 dev_relabel_dev_dirs(lvm_t)
 dev_manage_generic_blk_file(lvm_t)
-
+dev_read_sysfs(lvm_t)
+# Read /sys/block. Device mapper metadata is kept there.
+dev_read_sysfs(sysfs_t)
 # LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
 dev_dontaudit_getattr_all_chr_files(lvm_t)
 dev_dontaudit_getattr_all_blk_files(lvm_t)
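Review bot: `dev_read_sysfs(sysfs_t)` passes the sysfs file type where the interface expects a domain, so whatever it expands to is granted to sysfs_t rather than to lvm_t; the comment above it says the intent is reading /sys/block for device-mapper metadata, which `dev_read_sysfs(lvm_t)` on the line just before already provides. The line is carried over from its old position rather than introduced by this commit, but the hunk re-adds it, so this is the place to correct it: move `# Read /sys/block. Device mapper metadata is kept there.` above `dev_read_sysfs(lvm_t)` and delete the `dev_read_sysfs(sysfs_t)` line.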
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index c8f80f0..86583af 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -131,13 +131,13 @@ bootloader_create_private_module_dir_entry(depmod_t,modules_dep_t)
 
 kernel_read_system_state(depmod_t)
 
+bootloader_read_kernel_symbol_table(depmod_t)
+bootloader_read_kernel_modules(depmod_t)
+
 fs_getattr_xattr_fs(depmod_t)
 
 term_use_console(depmod_t)
 
-bootloader_read_kernel_symbol_table(depmod_t)
-bootloader_read_kernel_modules(depmod_t)
-
 init_use_fd(depmod_t)
 init_use_script_fd(depmod_t)
 init_use_script_pty(depmod_t)
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 28a6751..a178716 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -149,12 +149,12 @@ allow load_policy_t selinux_config_t:dir r_dir_perms;
 allow load_policy_t selinux_config_t:file r_file_perms;
 allow load_policy_t selinux_config_t:lnk_file r_file_perms;
 
+fs_getattr_xattr_fs(load_policy_t)
+
 selinux_get_fs_mount(load_policy_t)
 selinux_load_policy(load_policy_t)
 selinux_set_boolean(load_policy_t)
 
-fs_getattr_xattr_fs(load_policy_t)
-
 term_use_console(load_policy_t)
 term_list_ptys(load_policy_t)
 
@@ -196,6 +196,11 @@ allow newrole_t { selinux_config_t default_context_t }:lnk_file r_file_perms;
 
 kernel_read_system_state(newrole_t)
 kernel_read_kernel_sysctl(newrole_t)
+
+dev_read_urand(newrole_t)
+
+fs_getattr_xattr_fs(newrole_t)
+
 selinux_get_fs_mount(newrole_t)
 selinux_validate_context(newrole_t)
 selinux_compute_access_vector(newrole_t)
@@ -203,10 +208,6 @@ selinux_compute_create_context(newrole_t)
 selinux_compute_relabel_context(newrole_t)
 selinux_compute_user_contexts(newrole_t)
 
-dev_read_urand(newrole_t)
-
-fs_getattr_xattr_fs(newrole_t)
-
 term_use_all_user_ttys(newrole_t)
 term_use_all_user_ptys(newrole_t)
 
@@ -280,6 +281,9 @@ allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_
 
 kernel_use_fd(restorecon_t)
 kernel_read_system_state(restorecon_t)
+
+fs_getattr_xattr_fs(restorecon_t)
+
 selinux_get_fs_mount(restorecon_t)
 selinux_validate_context(restorecon_t)
 selinux_compute_access_vector(restorecon_t)
@@ -287,8 +291,6 @@ selinux_compute_create_context(restorecon_t)
 selinux_compute_relabel_context(restorecon_t)
 selinux_compute_user_contexts(restorecon_t)
 
-fs_getattr_xattr_fs(restorecon_t)
-
 term_use_unallocated_tty(restorecon_t)
 
 init_use_fd(restorecon_t)
@@ -320,10 +322,10 @@ files_list_all_dirs(restorecon_t)
 auth_relabelto_shadow(restorecon_t)
 
 ifdef(`distro_redhat', `
-fs_use_tmpfs_character_devices(restorecon_t)
-fs_use_tmpfs_block_devices(restorecon_t)
-fs_relabel_tmpfs_block_devices(restorecon_t)
-fs_relabel_tmpfs_character_devices(restorecon_t)
+	fs_use_tmpfs_character_devices(restorecon_t)
+	fs_use_tmpfs_block_devices(restorecon_t)
+	fs_relabel_tmpfs_block_devices(restorecon_t)
+	fs_relabel_tmpfs_character_devices(restorecon_t)
 ')
 
 ifdef(`TODO',`
@@ -414,6 +416,9 @@ allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t
 allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
 
 kernel_read_system_state(setfiles_t)
+
+fs_getattr_xattr_fs(setfiles_t)
+
 selinux_get_fs_mount(setfiles_t)
 selinux_validate_context(setfiles_t)
 selinux_compute_access_vector(setfiles_t)
@@ -421,8 +426,6 @@ selinux_compute_create_context(setfiles_t)
 selinux_compute_relabel_context(setfiles_t)
 selinux_compute_user_contexts(setfiles_t)
 
-fs_getattr_xattr_fs(setfiles_t)
-
 term_use_all_user_ttys(setfiles_t)
 term_use_all_user_ptys(setfiles_t)
 term_use_unallocated_tty(setfiles_t)
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 0faca2c..e4e1bd1 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -86,7 +86,6 @@ allow ifconfig_t dhcpc_t:process sigchld;
 kernel_read_system_state(dhcpc_t)
 kernel_read_network_state(dhcpc_t)
 kernel_read_kernel_sysctl(dhcpc_t)
-dev_read_sysfs(dhcpc_t)
 kernel_use_fd(dhcpc_t)
 
 corenet_tcp_sendrecv_all_if(dhcpc_t)
@@ -101,7 +100,8 @@ corenet_tcp_bind_all_nodes(dhcpc_t)
 corenet_udp_bind_all_nodes(dhcpc_t)
 corenet_udp_bind_dhcpc_port(dhcpc_t)
 
-# for SSP
+dev_read_sysfs(dhcpc_t)
+# for SSP:
 dev_read_urand(dhcpc_t)
 
 fs_getattr_all_fs(dhcpc_t)
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index c4cc2d9..711cab7 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -70,7 +70,12 @@ kernel_read_device_sysctl(udev_t)
 kernel_read_hotplug_sysctl(udev_t)
 kernel_read_modprobe_sysctl(udev_t)
 kernel_read_kernel_sysctl(udev_t)
+
 dev_read_sysfs(udev_t)
+dev_manage_dev_nodes(udev_t)
+
+fs_getattr_all_fs(udev_t)
+
 selinux_get_fs_mount(udev_t)
 selinux_validate_context(udev_t)
 selinux_compute_access_vector(udev_t)
@@ -78,10 +83,6 @@ selinux_compute_create_context(udev_t)
 selinux_compute_relabel_context(udev_t)
 selinux_compute_user_contexts(udev_t)
 
-dev_manage_dev_nodes(udev_t)
-
-fs_getattr_all_fs(udev_t)
-
 corecmd_exec_bin(udev_t)
 corecmd_exec_sbin(udev_t)
 corecmd_exec_shell(udev_t)

