[selinux-policy: 391/3172] services interfaces review
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 19:38:36 UTC 2010
commit 5e6f9e5aacf7cd88687f438ecbbc190e7fbc9ebf
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Jun 17 18:41:07 2005 +0000
services interfaces review
refpolicy/policy/modules/services/cron.if | 12 +-
refpolicy/policy/modules/services/mta.if | 131 ++++++++--------------
refpolicy/policy/modules/services/remotelogin.if | 8 +-
refpolicy/policy/modules/services/sendmail.if | 17 ++--
4 files changed, 65 insertions(+), 103 deletions(-)
---
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index 381ef6c..52b4980 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -244,13 +244,11 @@ define(`cron_admin_template',`
# cron_rw_log(domain)
#
define(`cron_rw_log',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type crond_log_t;
+ class file rw_file_perms;
+ ')
+ logging_search_logs($1)
allow $1 crond_log_t:file rw_file_perms;
')
-
-define(`cron_rw_log_depend',`
- type crond_log_t;
-
- class file rw_file_perms;
-')
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 6aaf240..c28b2a7 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -8,8 +8,6 @@
# mta_per_userdomain_template(userdomain_prefix)
#
define(`mta_per_userdomain_template',`
- gen_require(`$0'_depend)
-
type $1_mail_t; # , user_mail_domain, nscd_client_domain;
domain_type($1_mail_t)
role $1_r types $1_mail_t;
@@ -136,45 +134,43 @@ define(`mta_per_userdomain_template',`
') dnl end TODO
')
-define(`mta_per_userdomain_template_depend',`
-
-')
-
#######################################
#
# mta_mailserver(domain,entrypointtype)
#
define(`mta_mailserver',`
- gen_require(`$0'_depend)
+ gen_require(`
+ attribute mailserver_domain;
+ ')
init_daemon_domain($1,$2)
typeattribute $1 mailserver_domain;
')
-define(`mta_mailserver_depend',`
- attribute mailserver_domain;
-')
-
#######################################
#
# mta_sendmail_mailserver(domain,entrypointtype)
#
define(`mta_sendmail_mailserver',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type sendmail_exec_t;
+ ')
mta_mailserver($1,sendmail_exec_t)
')
-define(`mta_sendmail_mailserver_depend',`
- type sendmail_exec_t;
-')
-
#######################################
#
# mta_send_mail(domain)
#
define(`mta_send_mail',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type system_mail_t, sendmail_exec_t;
+ class lnk_file r_file_perms;
+ class process sigchld;
+ class fd use;
+ class fifo_file rw_file_perms;
+ ')
allow $1 sendmail_exec_t:lnk_file r_file_perms;
domain_auto_trans($1, sendmail_exec_t, system_mail_t)
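Review bot: The new `gen_require` block in `mta_send_mail` no longer lists `class file { getattr read execute }` or the process transition permissions (`transition noatsecure siginh rlimitinh`) that the removed `mta_send_mail_depend` carried, yet the interface still calls `domain_auto_trans($1, sendmail_exec_t, system_mail_t)`, which needs exactly those permissions to express the execute-and-transition rules. Unless `domain_auto_trans` supplies its own require block (its definition is not visible here), a module that uses this interface without declaring those classes elsewhere will either fail to link or carry an incomplete require set. The same drop occurs in `mta_exec` in the next hunk, whose old `_depend` had `class file { getattr read execute execute_no_trans }` for `can_exec`, and in `sendmail_domtrans` in sendmail.if. If they are needed, restore them as `class file { getattr read execute };` and `class process { transition noatsecure siginh rlimitinh sigchld };` inside the require block. The body of `mta_send_mail` continues past the end of this hunk.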
@@ -185,32 +181,18 @@ define(`mta_send_mail',`
allow system_mail_t $1:process sigchld;
')
-define(`mta_send_mail_depend',`
- type system_mail_t, sendmail_exec_t;
-
- class file { getattr read execute };
- class lnk_file r_file_perms;
- class process { transition noatsecure siginh rlimitinh sigchld };
- class fd use;
- class fifo_file rw_file_perms;
-')
-
#######################################
#
# mta_exec(domain)
#
define(`mta_exec',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type sendmail_exec_t;
+ ')
can_exec($1, sendmail_exec_t)
')
-define(`mta_exec_depend',`
- type sendmail_exec_t;
-
- class file { getattr read execute execute_no_trans };
-')
-
########################################
## <interface name="mta_read_aliases">
## <description>
@@ -222,39 +204,40 @@ define(`mta_exec_depend',`
## </interface>
#
define(`mta_read_aliases',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type etc_aliases_t;
+ class file r_file_perms;
+ ')
+ files_search_etc($1)
allow $1 etc_aliases_t:file r_file_perms;
')
-define(`mta_read_aliases_depend',`
- type etc_aliases_t;
-
- class file r_file_perms;
-')
-
#######################################
#
# mta_rw_aliases(domain)
#
define(`mta_rw_aliases',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type etc_aliases_t;
+ class file { rw_file_perms setattr };
+ ')
+ files_search_etc($1)
allow sendmail_t etc_aliases_t:file { rw_file_perms setattr };
')
-define(`mta_rw_aliases_depend',`
- type etc_aliases_t;
-
- class file { rw_file_perms setattr };
-')
-
#######################################
#
# mta_getattr_spool(domain)
#
define(`mta_getattr_spool',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type mail_spool_t;
+ class dir r_dir_perms;
+ class file getattr;
+ class lnk_file read;
+ ')
files_search_spool($1)
allow $1 mail_spool_t:dir r_dir_perms;
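Review bot: `mta_rw_aliases` still grants the aliases access to the hard-coded `sendmail_t` instead of to its `$1` argument (`allow sendmail_t etc_aliases_t:file { rw_file_perms setattr };`), while the newly added `files_search_etc($1)` is applied to the caller; any caller other than sendmail gets directory search but no file access, and `sendmail_t` is also absent from the require block even though the rule references it. If the interface is meant to be generic, as its `(domain)` signature says, the rule should read `allow $1 etc_aliases_t:file { rw_file_perms setattr };`; if it is really sendmail-specific, it belongs in sendmail.if with `type sendmail_t;` in the require. `mta_getattr_spool` at the end of this hunk continues past the hunk boundary.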
@@ -262,68 +245,52 @@ define(`mta_getattr_spool',`
allow $1 mail_spool_t:file getattr;
')
-define(`mta_getattr_spool_depend',`
- type mail_spool_t;
-
- class dir r_dir_perms;
- class file getattr;
- class lnk_file read;
-')
-
#######################################
#
# mta_rw_spool(domain)
#
define(`mta_rw_spool',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type mail_spool_t;
+ class dir r_dir_perms;
+ class file { rw_file_perms setattr };
+ ')
files_search_spool($1)
- allow $1 mail_spool_t:dir rw_dir_perms;
+ allow $1 mail_spool_t:dir r_dir_perms;
allow $1 mail_spool_t:file { rw_file_perms setattr };
')
-define(`mta_rw_spool_depend',`
- type mail_spool_t;
-
- class dir rw_dir_perms;
- class file { rw_file_perms setattr };
-')
-
#######################################
#
# mta_manage_spool(domain)
#
define(`mta_manage_spool',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type mail_spool_t;
+ class dir rw_dir_perms;
+ class file create_file_perms;
+ ')
files_search_spool($1)
allow $1 mail_spool_t:dir rw_dir_perms;
allow $1 mail_spool_t:file create_file_perms;
')
-define(`mta_manage_spool_depend',`
- type mail_spool_t;
-
- class dir rw_dir_perms;
- class file create_file_perms;
-')
-
#######################################
#
# mta_manage_queue(domain)
#
define(`mta_manage_queue',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type mqueue_spool_t;
+ class dir rw_dir_perms;
+ class file create_file_perms;
+ ')
+ # FIXME: search /var/spool dir
allow $1 mqueue_spool_t:dir rw_dir_perms;
allow $1 mqueue_spool_t:file create_file_perms;
')
-define(`mta_manage_queue_depend',`
- type mqueue_spool_t;
-
- class dir rw_dir_perms;
- class file create_file_perms;
-')
-
## </module>
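Review bot: `mta_manage_queue` leaves a `# FIXME: search /var/spool dir` comment in place of the `files_search_spool($1)` call that the sibling interfaces `mta_getattr_spool`, `mta_rw_spool` and `mta_manage_spool` in this same hunk already make before touching their spool type. The FIXME itself names the missing step, so the comment line should simply become `files_search_spool($1)`. Without it a caller that has not been granted search on the spool directory by some other interface is denied on the path walk before it ever reaches `mqueue_spool_t`, which is the kind of failure that tends to be patched with an over-broad rule later.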
diff --git a/refpolicy/policy/modules/services/remotelogin.if b/refpolicy/policy/modules/services/remotelogin.if
index 0564c5a..e4e26d5 100644
--- a/refpolicy/policy/modules/services/remotelogin.if
+++ b/refpolicy/policy/modules/services/remotelogin.if
@@ -12,13 +12,11 @@
## </interface>
#
define(`remotelogin_domtrans',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type remote_login_t;
+ ')
auth_domtrans_login_program($1,remote_login_t)
')
-define(`remotelogin_domtrans_depend',`
- type remote_login_t;
-')
-
## </module>
diff --git a/refpolicy/policy/modules/services/sendmail.if b/refpolicy/policy/modules/services/sendmail.if
index e4270b3..cc202c5 100644
--- a/refpolicy/policy/modules/services/sendmail.if
+++ b/refpolicy/policy/modules/services/sendmail.if
@@ -12,8 +12,15 @@
## </interface>
#
define(`sendmail_domtrans',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type sendmail_exec_t, sendmail_t;
+ class process sigchld;
+ class fd use;
+ class fifo_file rw_file_perms;
+ ')
+ files_search_usr($1)
+ corecmd_search_sbin($1)
domain_auto_trans($1,sendmail_exec_t,sendmail_t)
allow $1 sendmail_t:fd use;
@@ -22,12 +29,4 @@ define(`sendmail_domtrans',`
allow sendmail_t $1:process sigchld;
')
-define(`sendmail_domtrans_depend',`
- type sendmail_exec_t, sendmail_t;
-
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
-')
-
## </module>