[selinux-policy: 497/3172] fix assertions for framework

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:47:36 UTC 2010


commit 391edeb57719ca4ba5031f52ff95255a70971a3d
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Jul 18 20:17:21 2005 +0000

    fix assertions for framework

 refpolicy/policy/modules/system/domain.if |    8 ++++++++
 refpolicy/policy/modules/system/domain.te |    7 ++++---
 2 files changed, 12 insertions(+), 3 deletions(-)
---
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 80135b7..4106bdd 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -26,6 +26,14 @@ interface(`domain_base_domain_type',`
 
 	# allow $1 to create child processes in this domain
 	allow $1 self:process { fork sigchld };
+
+	# Files with domain types are currently only proc files
+	# self is excepted since domains and files can have
+	# the same type in SEFramework
+	# cjp: perhaps this should be a conditional exception,
+	# so it is excepted only on SEFramework policies
+	neverallow $1 { domain -$1 }:dir ~r_dir_perms;
+	neverallow $1 { domain -$1 }:file_class_set ~rw_file_perms;
 ')
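Review bot: Moving the assertion into `domain_base_domain_type` narrows its subject from `*` to `$1`, so any type that receives the `domain` attribute without going through this interface (and any non-domain subject type) is no longer constrained, whereas the rules removed from domain.te covered every type. The `{ domain -$1 }` exception also newly permits a domain non-read/write access (setattr, relabel, unlink, and so on) to files and directories labeled with its own type, which the old `*` rules forbade; if that relaxation is only needed for SEFramework, expressing the exception through a dedicated attribute instead of `-$1` would keep the full check for ordinary domains. The interface's doc header sits above this hunk and should mention the self-type exemption, e.g. `## A domain is exempt from this check for objects of its own type (SEFramework).`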
 
 ########################################
diff --git a/refpolicy/policy/modules/system/domain.te b/refpolicy/policy/modules/system/domain.te
index cd9b41e..2878652 100644
--- a/refpolicy/policy/modules/system/domain.te
+++ b/refpolicy/policy/modules/system/domain.te
@@ -32,6 +32,7 @@ neverallow domain ~domain:process { transition dyntransition };
 # dynamic transition, you should not be using it!!!
 neverallow { domain -set_curr_context } self:process setcurrent;
 
-# Files with domain types are currently only proc files
-neverallow * domain:dir ~r_dir_perms;
-neverallow * domain:file_class_set ~rw_file_perms;
+# TODO:
+# cjp: also need to except correctly for SEFramework
+#neverallow { domain unlabeled_t } file_type:process *;
+#neverallow ~{ domain unlabeled_t } *:process *;
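Review bot: The two replacement assertions are committed commented out, so after this change domain.te enforces no domain/file_type separation at all and the per-domain check added to the interface is the only remaining guard. Rather than disabling them outright pending the SEFramework exception, they could stay active with the exception carried by an attribute that framework policies add their shared domain/file types to (something like `neverallow { domain unlabeled_t -framework_shared } file_type:process *;`, name to be chosen); I cannot confirm from this diff which types the framework needs excepted. The TODO should at least state what blocks enabling them so the assertion is not left disabled indefinitely.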

