[selinux-policy: 759/3172] fix last loadable module problems
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:10:36 UTC 2010
commit 0efe52ae99a263046ca0398bf4e17303028cfff1
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Oct 19 14:36:04 2005 +0000
fix last loadable module problems
refpolicy/policy/modules/admin/su.if | 1 +
refpolicy/policy/modules/admin/sudo.if | 1 +
refpolicy/policy/modules/services/apache.if | 9 +++++----
refpolicy/policy/modules/services/cron.if | 8 ++++++--
refpolicy/policy/modules/services/dbus.if | 6 ++++++
refpolicy/policy/modules/services/mta.if | 5 +++++
refpolicy/policy/modules/services/portmap.if | 2 +-
refpolicy/policy/modules/services/ssh.if | 4 +++-
refpolicy/policy/modules/system/domain.if | 9 +++------
refpolicy/policy/modules/system/userdomain.te | 3 ++-
refpolicy/policy/support/loadable_module.spt | 5 ++++-
11 files changed, 37 insertions(+), 16 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index 6b99dec..c36b187 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -30,6 +30,7 @@
template(`su_per_userdomain_template',`
gen_require(`
type su_exec_t;
+ bool secure_mode;
')
type $1_su_t;
diff --git a/refpolicy/policy/modules/admin/sudo.if b/refpolicy/policy/modules/admin/sudo.if
index f202e08..fda3c0a 100644
--- a/refpolicy/policy/modules/admin/sudo.if
+++ b/refpolicy/policy/modules/admin/sudo.if
@@ -31,6 +31,7 @@ template(`sudo_per_userdomain_template',`
gen_require(`
type sudo_exec_t;
+ bool secure_mode;
')
##############################
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index bc558ec..b66ba87 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -10,10 +10,6 @@
## </param>
#
template(`apache_content_template',`
- gen_require(`
- attribute httpdcontent, httpd_script_domains;
- ')
-
# allow write access to public file transfer
# services files.
gen_tunable(allow_httpd_$1_script_anon_write,false)
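Review bot: apache_content_template still references the httpdcontent and httpd_script_domains attributes after this hunk drops its own gen_require, so it now links only when expanded from apache_per_userdomain_template, which declares them in the `@@ -251,6 +247,11 @@` hunk of the same file. Any other caller of apache_content_template in a loadable-module build would presumably hit an undeclared-identifier failure at link time. If the template is meant to be expanded only from the per-userdomain template, record that directly under the template line, e.g. `# httpdcontent/httpd_script_domains are supplied by the caller's gen_require (apache_per_userdomain_template)`. The template body continues outside the hunk.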
@@ -251,6 +247,11 @@ template(`apache_content_template',`
## </param>
#
template(`apache_per_userdomain_template', `
+ gen_require(`
+ attribute httpdcontent, httpd_script_domains;
+ attribute httpd_exec_scripts;
+ type httpd_t, httpd_suexec_t, httpd_log_t;
+ ')
apache_content_template($1)
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index 37edbc1..eade946 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -30,7 +30,7 @@
template(`cron_per_userdomain_template',`
gen_require(`
attribute cron_spool_type;
- type crontab_exec_t;
+ type crond_t, cron_spool_t, crontab_exec_t;
')
# Type of user crontabs once moved to cron spool.
@@ -198,7 +198,7 @@ template(`cron_per_userdomain_template',`
# create files in /var/spool/cron
allow $1_crontab_t $1_cron_spool_t:file create_file_perms;
allow $1_crontab_t cron_spool_t:dir rw_dir_perms;
- type_transition $1_crontab_t $1_cron_spool_t:file system_crond_tmp_t;
+ type_transition $1_crontab_t $1_cron_spool_t:file $1_cron_spool_t;
# crontab signals crond by updating the mtime on the spooldir
allow $1_crontab_t cron_spool_t:dir setattr;
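Review bot: The rewritten type_transition keys on a parent directory of type $1_cron_spool_t, but the only directory the crontab domain is granted write access to in this hunk is cron_spool_t (`allow $1_crontab_t cron_spool_t:dir rw_dir_perms;`), and the comment in the first hunk describes $1_cron_spool_t as the type of the user's crontab file, so this rule looks like it never fires and files created in the spool would keep the directory's cron_spool_t label. If the intent is for user crontabs written into /var/spool/cron to get the per-user type, the rule should read `type_transition $1_crontab_t cron_spool_t:file $1_cron_spool_t;`. The change also silently drops the previous system_crond_tmp_t target, which the commit message does not mention and which deserves a line in the description. cron_per_userdomain_template continues outside the hunk.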
@@ -270,6 +270,10 @@ template(`cron_per_userdomain_template',`
## </param>
#
template(`cron_admin_template',`
+ gen_require(`
+ attribute cron_spool_type;
+ ')
+
# Allow our crontab domain to unlink a user cron spool file.
allow $1_crontab_t cron_spool_type:file { getattr read unlink };
diff --git a/refpolicy/policy/modules/services/dbus.if b/refpolicy/policy/modules/services/dbus.if
index 8481397..cd712fe 100644
--- a/refpolicy/policy/modules/services/dbus.if
+++ b/refpolicy/policy/modules/services/dbus.if
@@ -27,6 +27,12 @@
## </param>
#
template(`dbus_per_userdomain_template',`
+ gen_require(`
+ type system_dbusd_t, dbusd_etc_t;
+ type system_dbusd_exec_t;
+ class dbus { send_msg acquire_svc };
+ ')
+
##############################
#
# Delcarations
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 1cac664..4ac148d 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -42,6 +42,11 @@ interface(`mta_stub',`
## </param>
#
template(`mta_per_userdomain_template',`
+ gen_require(`
+ attribute mailserver_domain, mta_user_agent;
+ type sendmail_exec_t;
+ ')
+
type $1_mail_t;
domain_type($1_mail_t)
role $3 types $1_mail_t;
diff --git a/refpolicy/policy/modules/services/portmap.if b/refpolicy/policy/modules/services/portmap.if
index 943221c..c2934b9 100644
--- a/refpolicy/policy/modules/services/portmap.if
+++ b/refpolicy/policy/modules/services/portmap.if
@@ -43,7 +43,7 @@ interface(`portmap_domtrans_helper',`
#
interface(`portmap_run_helper',`
gen_require(`
- type portmap_helper_t;
+ type portmap_t, portmap_helper_t;
class chr_file { getattr read write ioctl };
')
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index ab35a65..12019d1 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -29,8 +29,10 @@
#
template(`ssh_per_userdomain_template',`
gen_require(`
+ attribute ssh_server;
type ssh_exec_t, ssh_agent_exec_t;
- type ssh_keysign_exec_t;
+ type sshd_key_t, ssh_keysign_exec_t;
+ type sshd_tmp_t, sshd_t;
')
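Review bot: The template now requires sshd_key_t and sshd_tmp_t alongside sshd_t, which implies some rule in the per-userdomain body touches the host key and sshd temporary file types; the body is outside this hunk, so which access is granted cannot be checked here. Because this template is expanded once per user domain, a one-line comment on the require naming the rule that needs the key type, e.g. `# sshd_key_t: presumably needed by the ssh-keysign rules below`, would make the least-privilege review of that access straightforward. Any requirement not actually used in the body should be dropped rather than kept.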
##############################
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index be9077f..f8fe448 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -966,9 +966,11 @@ interface(`domain_unconfined',`
')
#
-# These next macros are not interfaces, but actually are
+# These next macros are not templates, but actually are
# support macros. Due to the domain_ prefix, they
# are placed in this module, to try to prevent confusion.
+# They are called templates since regular m4 defines
+# wont work here.
#
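Review bot: The new comment line `# wont work here.` should read `# won't work here.`. The added sentence could also say what is meant by "regular m4 defines" so the reader understands why these support macros carry the template keyword, e.g. `# They are declared with template() because plain m4 define()s won't work here.`.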
########################################
@@ -976,11 +978,6 @@ interface(`domain_unconfined',`
# domain_trans(source_domain,entrypoint_file,target_domain)
#
template(`domain_trans',`
- gen_require(`
- class file rx_file_perms;
- class process { transition noatsecure siginh rlimitinh };
- ')
-
allow $1 $2:file rx_file_perms;
allow $1 $3:process transition;
dontaudit $1 $3:process { noatsecure siginh rlimitinh };
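Review bot: With its own gen_require removed, domain_trans now depends on the file and process classes and their permissions being in scope from elsewhere — in a loadable-module build presumably from the `require { ... all_kernel_class_perms }` that policy_module() emits in loadable_module.spt, which this commit also changes. Modules that expand domain_trans without going through policy_module(), and the self_contained_policy path where that require is skipped, would rely on the base policy instead; a comment above the first allow rule, e.g. `# file/process classes and perms come from policy_module()'s all_kernel_class_perms require`, would record that assumption. domain_trans's body continues outside the hunk.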
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 1aa37fb..dfe9c8b 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -240,7 +240,8 @@ ifdef(`targeted_policy',`
seutil_run_loadpol(sysadm_t,sysadm_r,admin_terminal)
seutil_run_restorecon(sysadm_t,sysadm_r,admin_terminal)
seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
- optional_policy(`targeted_policy',`',`
+
+ ifdef(`targeted_policy',`',`
seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)
')
')
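Review bot: The new `ifdef(`targeted_policy',`',`` nests the same condition the enclosing block's header already tests (`ifdef(`targeted_policy',`` per the hunk header), so if this run of seutil_run_* calls already sits in the non-targeted branch the inner ifdef is always taken and can collapse to a bare `seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)`; if it sits in the targeted branch the call is dead code. The enclosing block starts outside the hunk, so which case applies cannot be confirmed here. Either way, a one-line comment stating why runinit is excluded from targeted policy would help the next reader.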
diff --git a/refpolicy/policy/support/loadable_module.spt b/refpolicy/policy/support/loadable_module.spt
index d5e6194..de48b3b 100644
--- a/refpolicy/policy/support/loadable_module.spt
+++ b/refpolicy/policy/support/loadable_module.spt
@@ -12,7 +12,10 @@ define(`policy_module',`
ifdef(`self_contained_policy',`',`
module $1 $2;
- require { all_kernel_class_perms }
+ require {
+ role system_r;
+ all_kernel_class_perms
+ }
')
')
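Review bot: policy_module() now makes every loadable module require role system_r whether or not the module uses it, so a module that never references system_r still fails to link against a base policy lacking that role, and the modules that actually use system_r no longer show that dependency in their own gen_require blocks. Requiring it only where it is used would keep each module's declared dependencies auditable; if the blanket require is deliberate, a comment on the `role system_r;` line recording the reason, e.g. `# required globally: templates expanded in modules reference system_r without a gen_require of their own` (if that is the reason), would prevent it from being removed later. The same observation applies to the existing all_kernel_class_perms blanket require, which this hunk keeps. The policy_module definition starts outside the hunk.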