[selinux-policy: 651/3172] fixes for module compiling
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:01:10 UTC 2010
commit 71fe0fa4c5aff4b168a5b25f58369012d494f915
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Sep 14 00:30:10 2005 +0000
fixes for module compiling
refpolicy/Rules.modular | 7 +++++++
refpolicy/policy/modules/admin/logrotate.if | 2 +-
refpolicy/policy/modules/admin/su.if | 4 ++++
refpolicy/policy/modules/admin/sudo.if | 4 ++++
refpolicy/policy/modules/kernel/bootloader.te | 4 ++--
refpolicy/policy/modules/kernel/storage.if | 2 ++
refpolicy/policy/modules/services/mysql.if | 2 +-
refpolicy/policy/modules/services/ntp.te | 4 ++--
refpolicy/policy/modules/system/files.if | 6 +++---
refpolicy/policy/modules/system/modutils.if | 2 +-
refpolicy/policy/modules/system/modutils.te | 6 +++---
refpolicy/policy/modules/system/selinuxutil.if | 2 +-
refpolicy/policy/modules/system/udev.te | 6 +++---
13 files changed, 34 insertions(+), 17 deletions(-)
---
diff --git a/refpolicy/Rules.modular b/refpolicy/Rules.modular
index 6c70f1f..067ee01 100644
--- a/refpolicy/Rules.modular
+++ b/refpolicy/Rules.modular
@@ -76,6 +76,13 @@ tmp/generated_definitions.conf: $(ALL_LAYERS) $(BASE_TE_FILES)
@test -d tmp || mkdir -p tmp
# define all available object classes
$(QUIET) $(GENPERM) $(AVS) $(SECCLASS) > $@
+# per-userdomain templates
+ $(QUIET) echo "define(\`per_userdomain_templates',\`" >> $@
+ $(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \
+ echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
+ >> $@ ;\
+ done
+ $(QUIET) echo "')" >> $@
# define foo.te
$(QUIET) for i in $(notdir $(BASE_TE_FILES)); do \
echo "define(\`$$i')" >> $@ ;\
diff --git a/refpolicy/policy/modules/admin/logrotate.if b/refpolicy/policy/modules/admin/logrotate.if
index cff68d4..57aa956 100644
--- a/refpolicy/policy/modules/admin/logrotate.if
+++ b/refpolicy/policy/modules/admin/logrotate.if
@@ -77,7 +77,7 @@ interface(`logrotate_exec',`
interface(`logrotate_dontaudit_use_fd',`
gen_require(`
type logrotate_t;
- class fd;
+ class fd use;
')
dontaudit $1 logrotate_t:fd use;
diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index 3cdd2d3..1fb0855 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -29,6 +29,10 @@
#
template(`su_per_userdomain_template',`
+ gen_require(`
+ type su_exec_t;
+ ')
+
type $1_su_t;
domain_entry_file($1_su_t,su_exec_t)
domain_type($1_su_t)
diff --git a/refpolicy/policy/modules/admin/sudo.if b/refpolicy/policy/modules/admin/sudo.if
index 5a83ccd..e61e8d5 100644
--- a/refpolicy/policy/modules/admin/sudo.if
+++ b/refpolicy/policy/modules/admin/sudo.if
@@ -29,6 +29,10 @@
#
template(`sudo_per_userdomain_template',`
+ gen_require(`
+ type sudo_exec_t;
+ ')
+
##############################
#
# Declarations
diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index 5b96691..dfc6cde 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -186,8 +186,8 @@ ifdef(`distro_redhat',`
mount_domtrans(bootloader_t)
')
-optional_policy(`filesystemtools.te',`
- filesystemtools_execute(bootloader_t)
+optional_policy(`fstools.te',`
+ fstools_exec(bootloader_t)
')
optional_policy(`lvm.te',`
diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if
index 4a80395..def3a2f 100644
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@@ -593,6 +593,8 @@ interface(`storage_unconfined',`
gen_require(`
type fixed_disk_device_t, removable_device_t;
type lvm_vg_t, scsi_generic_device_t, tape_device_t;
+ attribute fixed_disk_raw_read, fixed_disk_raw_write;
+ attribute scsi_generic_read, scsi_generic_write;
')
allow $1 { fixed_disk_device_t removable_device_t }:blk_file *;
diff --git a/refpolicy/policy/modules/services/mysql.if b/refpolicy/policy/modules/services/mysql.if
index 98b2251..fd6e75d 100644
--- a/refpolicy/policy/modules/services/mysql.if
+++ b/refpolicy/policy/modules/services/mysql.if
@@ -27,7 +27,7 @@ interface(`mysql_signal',`
#
interface(`mysql_stream_connect',`
gen_require(`
- type mysqld_t;
+ type mysqld_t, mysqld_var_run_t;
class unix_stream_socket connectto;
class dir search;
class sock_file write;
diff --git a/refpolicy/policy/modules/services/ntp.te b/refpolicy/policy/modules/services/ntp.te
index 0460f88..7ff072a 100644
--- a/refpolicy/policy/modules/services/ntp.te
+++ b/refpolicy/policy/modules/services/ntp.te
@@ -118,10 +118,10 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_file(ntpd_t)
')
-optional_policy(`crond.te',`
+optional_policy(`cron.te',`
# for cron jobs
# system_crond_t is not right, cron is not doing what it should
- cron_system_entry(ntpdate_t,ntpd_exec_t)
+ cron_system_entry(ntpd_t,ntpd_exec_t)
')
optional_policy(`firstboot.te',`
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 2aa0a18..13d3883 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -463,7 +463,7 @@ interface(`files_dontaudit_search_all_dirs',`
interface(`files_relabelto_all_file_type_fs',`
gen_require(`
attribute file_type;
- filesystem relabelto;
+ class filesystem relabelto;
')
allow $1 file_type:filesystem relabelto;
@@ -476,7 +476,7 @@ interface(`files_relabelto_all_file_type_fs',`
interface(`files_mount_all_file_type_fs',`
gen_require(`
attribute file_type;
- filesystem mount;
+ class filesystem mount;
')
allow $1 file_type:filesystem mount;
@@ -489,7 +489,7 @@ interface(`files_mount_all_file_type_fs',`
interface(`files_unmount_all_file_type_fs',`
gen_require(`
attribute file_type;
- filesystem unmount;
+ class filesystem unmount;
')
allow $1 file_type:filesystem unmount;
diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if
index fbe4514..999312c 100644
--- a/refpolicy/policy/modules/system/modutils.if
+++ b/refpolicy/policy/modules/system/modutils.if
@@ -100,7 +100,7 @@ interface(`modutils_run_insmod',`
#
interface(`modutils_exec_insmod',`
gen_require(`
- type insmod_t;
+ type insmod_exec_t;
')
corecmd_search_sbin($1)
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index 1196611..731cb7d 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -119,9 +119,9 @@ optional_policy(`rpm.te',`
rpm_rw_pipe(insmod_t)
')
-optional_policy(`xserver.te',`
- xserver_getattr_log(insmod_t)
-')
+#optional_policy(`xserver.te',`
+# xserver_getattr_log(insmod_t)
+#')
########################################
#
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if
index 3039425..280bf4f 100644
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@@ -140,7 +140,7 @@ interface(`seutil_exec_loadpol',`
interface(`seutil_read_loadpol',`
gen_require(`
type load_policy_exec_t;
- class file r_file_perms
+ class file r_file_perms;
')
corecmd_search_sbin($1)
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index a11919c..81071aa 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -165,9 +165,9 @@ optional_policy(`sysnetwork.te',`
sysnet_domtrans_dhcpc(udev_t)
')
-optional_policy(`xserver.te',`
- xserver_read_xdm_pid(udev_t)
-')
+#optional_policy(`xserver.te',`
+# xserver_read_xdm_pid(udev_t)
+#')
ifdef(`TODO',`
dontaudit udev_t ttyfile:chr_file unlink;
More information about the scm-commits
mailing list