[selinux-policy: 778/3172] more sediff fixes

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:12:18 UTC 2010


commit 1f8a8bbbbd7eb0d86fa46aaf4a41f96c867997ec
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Oct 21 22:56:41 2005 +0000

    more sediff fixes

 refpolicy/policy/modules/kernel/kernel.te   |    2 +-
 refpolicy/policy/modules/kernel/terminal.if |    4 ++--
 refpolicy/policy/modules/services/dhcp.te   |    2 +-
 refpolicy/policy/modules/services/inn.te    |    2 +-
 refpolicy/policy/modules/system/files.if    |   19 +++++++++++++++++++
 refpolicy/policy/modules/system/init.if     |    4 ++--
 refpolicy/policy/modules/system/init.te     |    1 +
 7 files changed, 27 insertions(+), 7 deletions(-)
---
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 0d0f6c7..76417fb 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -29,7 +29,7 @@ type kernel_t, can_load_kernmodule;
 domain_base_type(kernel_t)
 mls_rangetrans_source(kernel_t)
 role system_r types kernel_t;
-sid kernel gen_context(system_u:system_r:kernel_t,s0 - s9:c0.c127, c0.c127)
+sid kernel gen_context(system_u:system_r:kernel_t,s0 - s9:c0.c127)
 
 #
 # DebugFS
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index b9f496d..aae3f7e 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -17,6 +17,7 @@ interface(`term_pty',`
 		type devpts_t;
 	')
 
+	files_type($1)
 	allow $1 devpts_t:filesystem associate;
 	typeattribute $1 ptynode;
 ')
@@ -514,10 +515,9 @@ interface(`term_use_all_user_ptys',`
 interface(`term_dontaudit_use_all_user_ptys',`
 	gen_require(`
 		attribute ptynode;
-		class chr_file { read write };
 	')
 
-	dontaudit $1 ptynode:chr_file { read write };
+	dontaudit $1 ptynode:chr_file { rw_term_perms lock append };
 ')
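Review bot: The widened dontaudit on line 55, `dontaudit $1 ptynode:chr_file { rw_term_perms lock append };`, only makes sense if it mirrors exactly what the allow counterpart `term_dontaudit_use_all_user_ptys` is paired with, `term_use_all_user_ptys`, grants; that interface sits just above this hunk and is not visible here, so please confirm the two permission sets match, otherwise a denial the allow variant would permit is silenced while others still surface. Dropping `class chr_file { read write };` from gen_require is consistent only if the rest of this file also omits class requirements, which the hunk does not show. A one-line comment such as `# keep in sync with term_use_all_user_ptys` above the dontaudit would make the coupling explicit for the next editor.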
 
 ########################################
diff --git a/refpolicy/policy/modules/services/dhcp.te b/refpolicy/policy/modules/services/dhcp.te
index 6673f76..0d1cec9 100644
--- a/refpolicy/policy/modules/services/dhcp.te
+++ b/refpolicy/policy/modules/services/dhcp.te
@@ -24,7 +24,7 @@ files_pid_file(dhcpd_var_run_t)
 # Local policy
 #
 
-dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
+dontaudit dhcpd_t self:capability { net_raw net_admin sys_tty_config };
 allow dhcpd_t self:process signal_perms;
 allow dhcpd_t self:fifo_file { read write getattr };
 allow dhcpd_t self:unix_dgram_socket create_socket_perms;
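Review bot: Adding `net_raw` to the dontaudit on line 68 silences a denial for a capability dhcpd may genuinely need for its packet-socket path, so if the daemon fails without it this change hides the failure from the audit log instead of surfacing it. Confirm from the denial that prompted this that dhcpd still serves leases with the capability denied before silencing it, and record the reason on the line, e.g. `# net_raw: <reason it is silenced rather than granted>`, so a later reader does not have to rediscover it. The local-policy block continues past the end of the hunk.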
diff --git a/refpolicy/policy/modules/services/inn.te b/refpolicy/policy/modules/services/inn.te
index 0ef9c9a..36c4d1c 100644
--- a/refpolicy/policy/modules/services/inn.te
+++ b/refpolicy/policy/modules/services/inn.te
@@ -30,7 +30,7 @@ files_type(news_spool_t)
 #
 allow innd_t self:capability { dac_override kill setgid setuid };
 dontaudit innd_t self:capability sys_tty_config;
-allow innd_t self:process setsched;
+allow innd_t self:process { setsched signal_perms };
 allow innd_t self:fifo_file rw_file_perms;
 allow innd_t self:tcp_socket create_stream_socket_perms;
 allow innd_t self:udp_socket create_socket_perms;
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 5098412..90d5c0d 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -327,6 +327,25 @@ interface(`files_getattr_all_files',`
 
 ########################################
 ## <summary>
+##	Get the attributes of all sockets
+##	with the type of a file.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+# cjp: added for initrc_t/distro_redhat.  I
+# do not think it has any effect.
+interface(`files_getattr_all_file_type_sockets',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 file_type:socket_class_set getattr;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to get the attributes
 ##	of all files.
 ## </summary>
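Review bot: The new interface on lines 102-108 grants getattr on every socket class for every type carrying the `file_type` attribute, and the comment on lines 100-101 already doubts that any caller needs it; an interface its author expects to have no effect is an easy thing for later modules to reach for when a broad permission is wanted. If the access is only carried over for parity with the strict policy, say so in the XML doc rather than in a `#` comment that does not reach the generated documentation, e.g. `##	Added for parity with initrc_t rules; not known to be required.` inside the `<summary>`, or make it a dontaudit variant if a denial is all that was observed. The interface is complete within the hunk.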
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 9c27dae..f9e5723 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -92,10 +92,10 @@ interface(`init_daemon_domain',`
 		if(! regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
 			domain_auto_trans(initrc_t,$2,$1)
 			allow initrc_t $1:fd use;
-			allow initrc_t $1:process { noatsecure siginh rlimitinh };
 			allow $1 initrc_t:fd use;
 			allow $1 initrc_t:fifo_file rw_file_perms;
 			allow $1 initrc_t:process sigchld;
+			dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
 		} else {
 			can_exec(initrc_t,$2)
 			can_exec(direct_run_init,$2)
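Review bot: Turning the allow into `dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };` on line 127 (and identically on line 139 in the second hunk) means daemons started by initrc_t no longer inherit signal state, resource limits or the non-secure-exec flag across the transition; as far as I know the kernel then applies the restrictive defaults when these are denied, which is the safer outcome, but nothing in the hunk records that this is deliberate, so a later reader chasing an AVC denial may "fix" it back to allow. Add a short comment above each dontaudit, e.g. `# intentionally not allowed: a denial makes the kernel reset signals and rlimits and set AT_SECURE`. Both copies sit in `init_daemon_domain`, whose body begins before the first hunk and continues past the second.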
@@ -103,10 +103,10 @@ interface(`init_daemon_domain',`
 	',`
 		domain_auto_trans(initrc_t,$2,$1)
 		allow initrc_t $1:fd use;
-		allow initrc_t $1:process { noatsecure siginh rlimitinh };
 		allow $1 initrc_t:fd use;
 		allow $1 initrc_t:fifo_file rw_file_perms;
 		allow $1 initrc_t:process sigchld;
+		dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
 	')
 
 	optional_policy(`nscd.te',`
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index a435178..92351e3 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -418,6 +418,7 @@ ifdef(`distro_redhat',`
 	fs_use_tmpfs_chr_dev(initrc_t)
 
 	files_create_boot_flag(initrc_t)
+	files_getattr_all_file_type_sockets(initrc_t)
 
 	# readahead asks for these
 	mta_read_aliases(initrc_t)

