[selinux-policy: 796/3172] fixes from sediff

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:13:49 UTC 2010


commit 2db2c7d099d5023123e0e9cc61cf642dfb112d74
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Oct 24 00:54:39 2005 +0000

    fixes from sediff

 refpolicy/policy/modules/admin/amanda.te          |    2 +-
 refpolicy/policy/modules/kernel/corenetwork.if.in |    2 +-
 refpolicy/policy/modules/kernel/devices.if        |    2 +-
 refpolicy/policy/modules/kernel/kernel.te         |    6 ++----
 refpolicy/policy/modules/services/comsat.te       |    2 ++
 refpolicy/policy/modules/services/cron.te         |    6 +++++-
 refpolicy/policy/modules/services/inetd.te        |    3 ++-
 refpolicy/policy/modules/services/inn.te          |    4 ++--
 refpolicy/policy/modules/services/pegasus.te      |    5 +++--
 refpolicy/policy/modules/system/domain.if         |   10 +++++++++-
 refpolicy/policy/modules/system/files.te          |    4 ++++
 refpolicy/policy/modules/system/init.if           |   10 +++++-----
 refpolicy/policy/modules/system/logging.te        |    7 ++++++-
 13 files changed, 43 insertions(+), 20 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/amanda.te b/refpolicy/policy/modules/admin/amanda.te
index 7c18402..0e7427f 100644
--- a/refpolicy/policy/modules/admin/amanda.te
+++ b/refpolicy/policy/modules/admin/amanda.te
@@ -128,7 +128,7 @@ corenet_tcp_sendrecv_all_ports(amanda_t)
 corenet_udp_sendrecv_all_ports(amanda_t)
 
 dev_getattr_all_blk_files(amanda_t)
-dev_getattr_all_blk_files(amanda_t)
+dev_getattr_all_chr_files(amanda_t)
 
 fs_getattr_xattr_fs(amanda_t)
 fs_list_all(amanda_t)
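Review bot: The replacement line `dev_getattr_all_chr_files(amanda_t)` grants getattr on every character device node in the system with no comment saying why amanda needs it. Backup software plausibly needs this for tape drives, which are character devices, but that is an inference from the domain name rather than anything in the hunk. A short justification above the two dev_getattr_all_* lines, e.g. `# tape drives and other backup targets are character devices`, would let a later reader tell an intended grant from the copy-paste duplicate this commit replaces. The amanda_t rules continue outside the hunk.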
diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in
index 38c90f9..126957c 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.if.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.in
@@ -1043,6 +1043,6 @@ interface(`corenet_unconfined',`
 
 	# Bind to any network address.
 	# cjp: rawip_socket doesnt make any sense
-	allow $1 port_type:{ tcp_socket udp_socket } name_bind;
+	allow $1 port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
 	allow $1 node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
 ')
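Review bot: The rewritten `name_bind` line now includes `rawip_socket` while the comment directly above it (`# cjp: rawip_socket doesnt make any sense`) says the opposite, so the committed interface contradicts its own commentary. Raw IP sockets carry no port, so `name_bind` on `port_type` for that class is at best a no-op and at worst a pattern that gets copied into confined domains; if it is kept only to match the old policy under sediff, the comment should say that, e.g. `# cjp: rawip_socket name_bind is meaningless (no ports); kept for sediff parity with the old policy`. Otherwise drop `rawip_socket` from the `name_bind` line and leave it only on the `node_bind` line, where it is meaningful. The `corenet_unconfined` interface starts above the hunk.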
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 60fe250..c988ce0 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -544,7 +544,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',`
 		attribute device_node;
 	')
 
-	allow $1 device_node:blk_file getattr;
+	dontaudit $1 device_node:blk_file getattr;
 ')
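Review bot: The `dontaudit` on the last changed line fixes an interface whose name promised to suppress denials but actually granted `getattr` on every block device to its caller, so every existing caller of `dev_dontaudit_getattr_all_blk_files` silently loses a real permission with this commit. That is the right direction, but any caller that was relying on the accidental allow will now produce denials, which deserves a mention in the commit message rather than being folded into "fixes from sediff". The parallel `chr_file` variant of this interface is not in the hunk; it is worth checking that it does not carry the same copy-paste `allow`. The interface header is above the hunk.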
 
 ########################################
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 76417fb..39b9e4e 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -217,11 +217,9 @@ files_read_usr_files(kernel_t)
 mls_process_read_up(kernel_t)
 mls_process_write_down(kernel_t)
 
-ifdef(`TODO',`
-ifdef(`targeted_policy', `
-unconfined_domain(kernel_t)
+ifdef(`targeted_policy',`
+	unconfined_domain_template(kernel_t)
 ')
-') dnl end TODO
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/comsat.te b/refpolicy/policy/modules/services/comsat.te
index cfdc353..58e53b8 100644
--- a/refpolicy/policy/modules/services/comsat.te
+++ b/refpolicy/policy/modules/services/comsat.te
@@ -48,7 +48,9 @@ corenet_tcp_sendrecv_all_nodes(comsat_t)
 corenet_udp_sendrecv_all_nodes(comsat_t)
 corenet_raw_sendrecv_all_nodes(comsat_t)
 corenet_tcp_sendrecv_all_ports(comsat_t)
+corenet_udp_sendrecv_all_ports(comsat_t)
 corenet_tcp_bind_all_nodes(comsat_t)
+corenet_udp_bind_all_nodes(comsat_t)
 
 dev_read_urand(comsat_t)
 
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 10d17a8..37feaf2 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -35,7 +35,11 @@ files_type(crontab_exec_t)
 type system_cron_spool_t, cron_spool_type;
 files_type(system_cron_spool_t)
 
-type system_crond_t;
+ifdef(`targeted_policy',`
+	typealias crond_t alias system_crond_t;
+',`
+	type system_crond_t;
+')
 init_daemon_domain(system_crond_t,anacron_exec_t)
 corecmd_shell_entry_type(system_crond_t)
 role system_r types system_crond_t;
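Review bot: Under `targeted_policy` the new `typealias crond_t alias system_crond_t` makes every rule written against `system_crond_t` below it — `init_daemon_domain(system_crond_t,anacron_exec_t)`, `corecmd_shell_entry_type(system_crond_t)`, `role system_r types system_crond_t` and whatever follows outside the hunk — apply to `crond_t` itself, so in targeted mode the two domains' privilege sets are merged and `anacron_exec_t` becomes an entrypoint for `crond_t`. That is presumably the intent of the alias, but nothing in the hunk says so; a comment above the `ifdef` such as `# targeted: system_crond_t is the same domain as crond_t, so every system_crond_t rule below also applies to crond_t` would make the merge explicit for anyone auditing crond_t's reach. Rules for `system_crond_t` continue past the end of the hunk.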
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
index f7245dd..f8169bd 100644
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@@ -194,8 +194,9 @@ corenet_raw_sendrecv_all_if(inetd_child_t)
 corenet_tcp_sendrecv_all_nodes(inetd_child_t)
 corenet_udp_sendrecv_all_nodes(inetd_child_t)
 corenet_raw_sendrecv_all_nodes(inetd_child_t)
-corenet_tcp_bind_all_nodes(inetd_child_t)
 corenet_tcp_sendrecv_all_ports(inetd_child_t)
+corenet_udp_sendrecv_all_ports(inetd_child_t)
+corenet_tcp_bind_all_nodes(inetd_child_t)
 
 dev_read_urand(inetd_child_t)
 
diff --git a/refpolicy/policy/modules/services/inn.te b/refpolicy/policy/modules/services/inn.te
index 36c4d1c..6c6eb3f 100644
--- a/refpolicy/policy/modules/services/inn.te
+++ b/refpolicy/policy/modules/services/inn.te
@@ -34,7 +34,7 @@ allow innd_t self:process { setsched signal_perms };
 allow innd_t self:fifo_file rw_file_perms;
 allow innd_t self:tcp_socket create_stream_socket_perms;
 allow innd_t self:udp_socket create_socket_perms;
-allow innd_t self:unix_dgram_socket create_socket_perms;
+allow innd_t self:unix_dgram_socket { sendto create_socket_perms };
 allow innd_t self:unix_stream_socket { connectto create_stream_socket_perms };
 
 allow innd_t innd_etc_t:file r_file_perms;
@@ -43,7 +43,7 @@ allow innd_t innd_etc_t:lnk_file { getattr read };
 
 can_exec(innd_t, innd_exec_t)
 
-allow innd_t innd_log_t:file  { create ra_file_perms };
+allow innd_t innd_log_t:file manage_file_perms;
 allow innd_t innd_log_t:dir { setattr ra_dir_perms };
 logging_create_log(innd_t,innd_log_t)
 
diff --git a/refpolicy/policy/modules/services/pegasus.te b/refpolicy/policy/modules/services/pegasus.te
index 4cfa05f..09981a8 100644
--- a/refpolicy/policy/modules/services/pegasus.te
+++ b/refpolicy/policy/modules/services/pegasus.te
@@ -126,10 +126,11 @@ ifdef(`TODO',`
 optional_policy(`rhgb.te',`
 	rhgb_domain(pegasus_t)
 ')
+') dnl end TODO
 
-#type pegasus_conf_exec_t, exec_type;
+# bad rules
+type pegasus_conf_exec_t, entry_type;
 files_type(pegasus_conf_exec_t)
 allow pegasus_conf_exec_t pegasus_conf_t:dir rw_dir_perms;
 allow pegasus_conf_exec_t pegasus_conf_t:file create_file_perms;
 allow pegasus_conf_exec_t pegasus_conf_t:lnk_file create_lnk_perms;
-') dnl end TODO
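Review bot: Moving `') dnl end TODO` up to just after the rhgb block takes the `pegasus_conf_exec_t` rules out of the disabled TODO section, so the three `allow pegasus_conf_exec_t pegasus_conf_t:...` rules are now compiled into the policy even though the new `# bad rules` comment says they are wrong. They use a file type as the subject of an allow (a file label never runs as a process), and the type is declared with the `entry_type` attribute, presumably the domain-entrypoint attribute, so they grant nothing useful while tagging a config-file label as an entrypoint; if they exist only for sediff parity the comment should say so and carry a removal marker, e.g. `# bad rules: pegasus_conf_exec_t is a file type used as a subject; kept for sediff parity, remove once the old policy is retired`. Otherwise the three rules should stay inside the TODO guard.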
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 2a16859..ccc472a 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -80,11 +80,19 @@ interface(`domain_type',`
 		ldap_use($1)
 	')
 
-	# this seems highly questionable:
+	# these 3 seem highly questionable:
 	optional_policy(`rpm.te',`
 		rpm_use_fd($1)
 		rpm_read_pipe($1)
 	')
+
+	optional_policy(`selinux.te',`
+		selinux_dontaudit_search_fs($1)
+	')
+
+	optional_policy(`selinuxutil.te',`
+		seutil_dontaudit_read_config($1)
+	')
 ')
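Review bot: The two new `optional_policy` blocks attach `selinux_dontaudit_search_fs` and `seutil_dontaudit_read_config` to every type passed through `domain_type`, which suppresses AVC messages for any domain probing selinuxfs or the SELinux configuration — precisely the denials an analyst wants to see from a domain that has no business touching policy. Blanket dontaudits in the base `domain_type` interface lower audit coverage for the whole policy; the updated comment `# these 3 seem highly questionable` agrees but does not say what the alternative is. Consider recording the intended fix, e.g. `# TODO: move these dontaudits into the few domains that actually trigger them so selinux/seutil probing stays audited everywhere else`. The interface header is above the hunk.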
 
 ########################################
diff --git a/refpolicy/policy/modules/system/files.te b/refpolicy/policy/modules/system/files.te
index a003f2d..f6b418f 100644
--- a/refpolicy/policy/modules/system/files.te
+++ b/refpolicy/policy/modules/system/files.te
@@ -7,6 +7,10 @@ policy_module(files,1.0)
 #
 
 attribute file_type;
+
+# cjp: should handle this different
+allow file_type self:filesystem associate;
+
 attribute lockfile;
 attribute mountpoint;
 attribute pidfile;
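Review bot: The new `allow file_type self:filesystem associate;` is a policy-wide rule whose comment `# cjp: should handle this different` says only that it is wrong, not what it does or why it is needed. Reading the rule itself, `self` with the `filesystem` class means a filesystem labeled with the same type as the file, so this permits any file type to reside on a filesystem carrying that same label; as far as I can tell that arises when a filesystem is labeled with a file_type via genfscon or a context mount, but the actual triggering case is not visible in the hunk. A comment naming that case, e.g. `# cjp: files on a filesystem labeled with their own type (genfscon/context mount); should be handled per-type instead`, would make the later cleanup possible.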
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 9bf1058..8623dd5 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -89,16 +89,16 @@ interface(`init_daemon_domain',`
 		# _t at the end of the domain type.  If there is no _t
 		# at the end of the type, it returns empty!
 		bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
-		if(! regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
+		if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
+			can_exec(initrc_t,$2)
+			can_exec(direct_run_init,$2)
+		} else {
 			domain_auto_trans(initrc_t,$2,$1)
 			allow initrc_t $1:fd use;
 			allow $1 initrc_t:fd use;
 			allow $1 initrc_t:fifo_file rw_file_perms;
 			allow $1 initrc_t:process sigchld;
-			dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
-		} else {
-			can_exec(initrc_t,$2)
-			can_exec(direct_run_init,$2)
+			allow initrc_t $1:process { noatsecure siginh rlimitinh };
 		}
 	',`
 		domain_auto_trans(initrc_t,$2,$1)
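Review bot: Besides swapping the branches, the last rewritten line changes `dontaudit initrc_t $1:process { noatsecure siginh rlimitinh }` to `allow`, which is a real permission grant rather than a refactor: every daemon started through `init_daemon_domain` now runs, as I read those permissions, without the AT_SECURE secure-exec flag and with signal state and resource limits inherited from initrc_t, where before those were merely not logged. If sediff showed the old policy granting this, the reason belongs next to the rule, e.g. `# old policy allowed these; initrc passes rlimits/signals to daemons and skips AT_SECURE`, and the commit message should call out the dontaudit-to-allow change. The inverted `if(regexp(...))` with swapped branches is behaviour-preserving as far as the hunk shows; the interface body continues past the hunk.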
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 77a1e1a..f1d1a39 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -78,6 +78,8 @@ init_dontaudit_use_fd(auditctl_t)
 
 locallogin_dontaudit_use_fd(auditctl_t)
 
+logging_send_syslog_msg(auditctl_t)
+
 ifdef(`TODO',`
 role secadm_r types auditctl_t;
 role sysadm_r types auditctl_t;
@@ -110,6 +112,7 @@ allow auditd_t auditd_log_t:file create_file_perms;
 allow auditd_t var_log_t:dir search;
 
 allow auditd_t auditd_var_run_t:file create_file_perms;
+allow auditd_t auditd_var_run_t:dir rw_dir_perms;
 files_create_pid(auditd_t,auditd_var_run_t)
 
 kernel_read_kernel_sysctl(auditd_t)
@@ -143,7 +146,9 @@ libs_use_shared_libs(auditd_t)
 
 miscfiles_read_localization(auditd_t)
 
-mls_file_read_up(klogd_t)
+mls_file_read_up(auditd_t)
+
+seutil_dontaudit_read_config(auditd_t)
 
 userdom_dontaudit_use_unpriv_user_fd(auditd_t)
 userdom_dontaudit_search_sysadm_home_dir(auditd_t)
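Review bot: The changed line moves `mls_file_read_up` from `klogd_t` to `auditd_t`, which both grants auditd_t MLS read-up and silently removes it from klogd_t; if klogd_t genuinely needed it (its own section is outside this hunk), that is a regression hidden in a commit described only as "fixes from sediff". If the old policy never gave it to klogd_t, a note that the previous line was a misplaced copy would settle it, e.g. `# was wrongly given to klogd_t; auditd reads up per old policy`; otherwise the klogd rule should be re-added in klogd's section. The new `seutil_dontaudit_read_config(auditd_t)` is a plausible noise suppression, but auditd is the one domain whose denials operators least want hidden, so a one-line reason for why it touches SELinux config would be worth adding.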

