[selinux-policy: 759/3172] fix last loadable module problems

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:10:36 UTC 2010


commit 0efe52ae99a263046ca0398bf4e17303028cfff1
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Oct 19 14:36:04 2005 +0000

    fix last loadable module problems

 refpolicy/policy/modules/admin/su.if          |    1 +
 refpolicy/policy/modules/admin/sudo.if        |    1 +
 refpolicy/policy/modules/services/apache.if   |    9 +++++----
 refpolicy/policy/modules/services/cron.if     |    8 ++++++--
 refpolicy/policy/modules/services/dbus.if     |    6 ++++++
 refpolicy/policy/modules/services/mta.if      |    5 +++++
 refpolicy/policy/modules/services/portmap.if  |    2 +-
 refpolicy/policy/modules/services/ssh.if      |    4 +++-
 refpolicy/policy/modules/system/domain.if     |    9 +++------
 refpolicy/policy/modules/system/userdomain.te |    3 ++-
 refpolicy/policy/support/loadable_module.spt  |    5 ++++-
 11 files changed, 37 insertions(+), 16 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index 6b99dec..c36b187 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -30,6 +30,7 @@
 template(`su_per_userdomain_template',`
 	gen_require(`
 		type su_exec_t;
+		bool secure_mode;
 	')
 
 	type $1_su_t;
diff --git a/refpolicy/policy/modules/admin/sudo.if b/refpolicy/policy/modules/admin/sudo.if
index f202e08..fda3c0a 100644
--- a/refpolicy/policy/modules/admin/sudo.if
+++ b/refpolicy/policy/modules/admin/sudo.if
@@ -31,6 +31,7 @@ template(`sudo_per_userdomain_template',`
 
 	gen_require(`
 		type sudo_exec_t;
+		bool secure_mode;
 	')
 
 	##############################
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index bc558ec..b66ba87 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -10,10 +10,6 @@
 ## </param>
 #
 template(`apache_content_template',`
-	gen_require(`
-		attribute httpdcontent, httpd_script_domains;
-	')
-
 	# allow write access to public file transfer
 	# services files.
 	gen_tunable(allow_httpd_$1_script_anon_write,false)
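Review bot: Dropping the `gen_require` from `apache_content_template` leaves that template with no declaration of `httpdcontent` and `httpd_script_domains`, yet the `## </param>` header just above it marks it as a documented, callable template, so any caller other than `apache_per_userdomain_template` (which re-requires both attributes in the next hunk) would now fail to link if such callers exist. If the template is meant to be invoked only through `apache_per_userdomain_template`, say so in its header comment, e.g. `## Intended to be called only from apache_per_userdomain_template, which supplies the gen_require.`; otherwise keep a `gen_require(`attribute httpdcontent, httpd_script_domains;')` in it, since a redundant require in a nested template is not an error. The template body continues outside the hunk.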
@@ -251,6 +247,11 @@ template(`apache_content_template',`
 ## </param>
 #
 template(`apache_per_userdomain_template', `
+	gen_require(`
+		attribute httpdcontent, httpd_script_domains;
+		attribute httpd_exec_scripts;
+		type httpd_t, httpd_suexec_t, httpd_log_t;
+	')
 
 	apache_content_template($1)
 
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index 37edbc1..eade946 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -30,7 +30,7 @@
 template(`cron_per_userdomain_template',`
 	gen_require(`
 		attribute cron_spool_type;
-		type crontab_exec_t;
+		type crond_t, cron_spool_t, crontab_exec_t;
 	')
 
 	# Type of user crontabs once moved to cron spool.
@@ -198,7 +198,7 @@ template(`cron_per_userdomain_template',`
 	# create files in /var/spool/cron
 	allow $1_crontab_t $1_cron_spool_t:file create_file_perms;
 	allow $1_crontab_t cron_spool_t:dir rw_dir_perms;
-	type_transition $1_crontab_t $1_cron_spool_t:file system_crond_tmp_t;
+	type_transition $1_crontab_t $1_cron_spool_t:file $1_cron_spool_t;
 
 	# crontab signals crond by updating the mtime on the spooldir
 	allow $1_crontab_t cron_spool_t:dir setattr;
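Review bot: The corrected `type_transition` names `$1_cron_spool_t` as both the parent-directory type and the new file type, which is what default labeling produces anyway, so the rule as written changes nothing. The surrounding lines show the crontab domain creating files in a `cron_spool_t` directory (`allow $1_crontab_t cron_spool_t:dir rw_dir_perms;` under the comment `create files in /var/spool/cron`), so the transition that makes a new user crontab land in the per-user type this template declares is presumably `type_transition $1_crontab_t cron_spool_t:file $1_cron_spool_t;`. Without it the new file inherits `cron_spool_t`, and the `create_file_perms` rule two lines above, which is granted on `$1_cron_spool_t:file`, would not cover the create. Replacing `system_crond_tmp_t` is still an improvement over the old rule; this is about the directory type, not the target. The template continues outside the hunk.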
@@ -270,6 +270,10 @@ template(`cron_per_userdomain_template',`
 ## </param>
 #
 template(`cron_admin_template',`
+	gen_require(`
+		attribute cron_spool_type;
+	')
+
 	# Allow our crontab domain to unlink a user cron spool file.
 	allow $1_crontab_t cron_spool_type:file { getattr read unlink };
 
diff --git a/refpolicy/policy/modules/services/dbus.if b/refpolicy/policy/modules/services/dbus.if
index 8481397..cd712fe 100644
--- a/refpolicy/policy/modules/services/dbus.if
+++ b/refpolicy/policy/modules/services/dbus.if
@@ -27,6 +27,12 @@
 ## </param>
 #
 template(`dbus_per_userdomain_template',`
+	gen_require(`
+		type system_dbusd_t, dbusd_etc_t;
+		type system_dbusd_exec_t;
+		class dbus { send_msg acquire_svc };
+	')
+
 	##############################
 	#
 	# Delcarations
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 1cac664..4ac148d 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -42,6 +42,11 @@ interface(`mta_stub',`
 ## </param>
 #
 template(`mta_per_userdomain_template',`
+	gen_require(`
+		attribute mailserver_domain, mta_user_agent;
+		type sendmail_exec_t;
+	')
+
 	type $1_mail_t;
 	domain_type($1_mail_t)
 	role $3 types $1_mail_t;
diff --git a/refpolicy/policy/modules/services/portmap.if b/refpolicy/policy/modules/services/portmap.if
index 943221c..c2934b9 100644
--- a/refpolicy/policy/modules/services/portmap.if
+++ b/refpolicy/policy/modules/services/portmap.if
@@ -43,7 +43,7 @@ interface(`portmap_domtrans_helper',`
 #
 interface(`portmap_run_helper',`
 	gen_require(`
-		type portmap_helper_t;
+		type portmap_t, portmap_helper_t;
 		class chr_file { getattr read write ioctl };
 	')
 
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index ab35a65..12019d1 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -29,8 +29,10 @@
 #
 template(`ssh_per_userdomain_template',`
 	gen_require(`
+		attribute ssh_server;
 		type ssh_exec_t, ssh_agent_exec_t;
-		type ssh_keysign_exec_t;
+		type sshd_key_t, ssh_keysign_exec_t;
+		type sshd_tmp_t, sshd_t;
 	')
 
 	##############################
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index be9077f..f8fe448 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -966,9 +966,11 @@ interface(`domain_unconfined',`
 ')
 
 #
-# These next macros are not interfaces, but actually are 
+# These next macros are not templates, but actually are 
 # support macros.  Due to the domain_ prefix, they 
 # are placed in this module, to try to prevent confusion.
+# They are called templates since regular m4 defines
+# wont work here.
 #
 
 ########################################
@@ -976,11 +978,6 @@ interface(`domain_unconfined',`
 # domain_trans(source_domain,entrypoint_file,target_domain)
 #
 template(`domain_trans',`
-	gen_require(`
-		class file rx_file_perms;
-		class process { transition noatsecure siginh rlimitinh };
-	')
-
 	allow $1 $2:file rx_file_perms;
 	allow $1 $3:process transition;
 	dontaudit $1 $3:process { noatsecure siginh rlimitinh };
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 1aa37fb..dfe9c8b 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -240,7 +240,8 @@ ifdef(`targeted_policy',`
 		seutil_run_loadpol(sysadm_t,sysadm_r,admin_terminal)
 		seutil_run_restorecon(sysadm_t,sysadm_r,admin_terminal)
 		seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
-		optional_policy(`targeted_policy',`',`
+
+		ifdef(`targeted_policy',`',`
 			seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)
 		')
 	')
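Review bot: The hunk header shows these lines already sit inside an `ifdef(`targeted_policy',` block, so the new inner `ifdef(`targeted_policy',`',` is either nested in the targeted arm, where its else branch can never run and `seutil_run_runinit` is silently never granted, or in the non-targeted arm, where the guard is redundant; which of the two cannot be seen from the hunk. Worth checking against the enclosing block, and if it is the redundant case, dropping the inner `ifdef` and calling `seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)` directly alongside the other `seutil_run_*` calls. Swapping the misnamed `optional_policy` for `ifdef` is itself correct. The enclosing block starts and ends outside the hunk.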
diff --git a/refpolicy/policy/support/loadable_module.spt b/refpolicy/policy/support/loadable_module.spt
index d5e6194..de48b3b 100644
--- a/refpolicy/policy/support/loadable_module.spt
+++ b/refpolicy/policy/support/loadable_module.spt
@@ -12,7 +12,10 @@ define(`policy_module',`
 	ifdef(`self_contained_policy',`',`
 		module $1 $2;
 
-		require { all_kernel_class_perms }
+		require {
+			role system_r;
+			all_kernel_class_perms
+		}
 	')
 ')
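Review bot: Adding `role system_r;` to the `require` block that `policy_module` emits makes every loadable module declare a dependency on `system_r`, including modules that never reference that role, and the dependency is invisible in each module's own source. If only some templates need it, a `gen_require(`role system_r;')` in those templates keeps the requirement next to its use, which is the approach this same commit takes for types and attributes in the `.if` files; if it is intended as a baseline for all modules, a comment above the block would help readers, e.g. `# system_r is required for every module so templates need not declare it`. The `policy_module` definition starts outside the hunk.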
 

