[selinux-policy: 816/3172] more fix
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:15:38 UTC 2010
commit 9bbc757a76805e80b1f587929d731e23c98ae1ac
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Mon Oct 24 18:40:24 2005 +0000
more fix
refpolicy/policy/modules/admin/amanda.te | 2 +-
refpolicy/policy/modules/admin/firstboot.te | 4 +-
refpolicy/policy/modules/admin/usermanage.te | 4 +-
refpolicy/policy/modules/apps/webalizer.te | 4 +-
refpolicy/policy/modules/kernel/filesystem.te | 2 +-
refpolicy/policy/modules/services/bluetooth.te | 9 ++++-
refpolicy/policy/modules/services/canna.te | 2 +-
refpolicy/policy/modules/services/cron.te | 16 +++++---
refpolicy/policy/modules/services/cups.te | 41 +++++++++++------------
refpolicy/policy/modules/services/dictd.te | 4 +-
refpolicy/policy/modules/services/dovecot.te | 4 +-
refpolicy/policy/modules/services/finger.te | 4 +-
refpolicy/policy/modules/services/ftp.te | 2 +-
refpolicy/policy/modules/services/inn.te | 4 +-
refpolicy/policy/modules/services/ldap.te | 4 +-
refpolicy/policy/modules/services/mta.if | 9 ++---
refpolicy/policy/modules/services/mta.te | 2 +-
refpolicy/policy/modules/services/mysql.te | 2 +-
refpolicy/policy/modules/services/nis.if | 22 ++++++++++++
refpolicy/policy/modules/services/postgresql.te | 4 +-
refpolicy/policy/modules/services/ppp.te | 4 +-
refpolicy/policy/modules/services/radius.te | 4 +-
refpolicy/policy/modules/services/radvd.te | 4 +-
refpolicy/policy/modules/services/rpc.te | 6 ++--
refpolicy/policy/modules/services/samba.te | 8 ++--
refpolicy/policy/modules/services/snmp.te | 4 +-
refpolicy/policy/modules/system/files.if | 25 ++++++++++++--
refpolicy/policy/modules/system/files.te | 3 ++
refpolicy/policy/modules/system/getty.te | 2 +-
refpolicy/policy/modules/system/hotplug.te | 4 +-
refpolicy/policy/modules/system/miscfiles.te | 2 +-
refpolicy/policy/modules/system/modutils.te | 3 +-
refpolicy/policy/modules/system/pcmcia.te | 10 +++--
refpolicy/policy/modules/system/sysnetwork.te | 6 ++--
refpolicy/policy/modules/system/udev.te | 2 +-
35 files changed, 143 insertions(+), 89 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/amanda.te b/refpolicy/policy/modules/admin/amanda.te
index 0e7427f..157ab14 100644
--- a/refpolicy/policy/modules/admin/amanda.te
+++ b/refpolicy/policy/modules/admin/amanda.te
@@ -105,7 +105,7 @@ allow amanda_t amanda_gnutarlists_t:file manage_file_perms;
allow amanda_t amanda_gnutarlists_t:lnk_file manage_file_perms;
allow amanda_t amanda_log_t:file create_file_perms;
-allow amanda_t amanda_log_t:dir rw_dir_perms;
+allow amanda_t amanda_log_t:dir { rw_dir_perms setattr };
logging_create_log(amanda_t,amanda_log_t,{ file dir })
allow amanda_t amanda_tmp_t:dir create_dir_perms;
diff --git a/refpolicy/policy/modules/admin/firstboot.te b/refpolicy/policy/modules/admin/firstboot.te
index 7ad75c4..3b952d9 100644
--- a/refpolicy/policy/modules/admin/firstboot.te
+++ b/refpolicy/policy/modules/admin/firstboot.te
@@ -17,8 +17,8 @@ domain_obj_id_change_exempt(firstboot_t)
domain_subj_id_change_exempt(firstboot_t)
role system_r types firstboot_t;
-type firstboot_etc_t; #, usercanread;
-files_type(firstboot_etc_t)
+type firstboot_etc_t;
+files_config_file(firstboot_etc_t)
type firstboot_rw_t;
files_type(firstboot_rw_t)
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 612b4c5..920f280 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -24,8 +24,8 @@ role system_r types crack_t;
type crack_exec_t;
domain_entry_file(crack_t,crack_exec_t)
-type crack_db_t; #, usercanread;
-files_type(crack_db_t)
+type crack_db_t;
+files_config_file(crack_db_t)
type crack_tmp_t;
files_tmp_file(crack_tmp_t)
diff --git a/refpolicy/policy/modules/apps/webalizer.te b/refpolicy/policy/modules/apps/webalizer.te
index 2225882..529fa63 100644
--- a/refpolicy/policy/modules/apps/webalizer.te
+++ b/refpolicy/policy/modules/apps/webalizer.te
@@ -11,8 +11,8 @@ domain_type(webalizer_t)
domain_entry_file(webalizer_t,webalizer_exec_t)
role system_r types webalizer_t;
-type webalizer_etc_t; #, usercanread;
-files_type(webalizer_etc_t)
+type webalizer_etc_t;
+files_config_file(webalizer_etc_t)
type webalizer_usage_t;
files_type(webalizer_usage_t)
diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te
index 206b873..622d555 100644
--- a/refpolicy/policy/modules/kernel/filesystem.te
+++ b/refpolicy/policy/modules/kernel/filesystem.te
@@ -148,7 +148,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
#
type removable_t, filesystem_type, noxattrfs;
allow removable_t noxattrfs:filesystem associate;
-files_type(removable_t)
+files_config_file(removable_t)
#
# nfs_t is the default type for NFS file systems
diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te
index 24ef269..7601de6 100644
--- a/refpolicy/policy/modules/services/bluetooth.te
+++ b/refpolicy/policy/modules/services/bluetooth.te
@@ -62,6 +62,12 @@ allow bluetooth_t bluetooth_conf_rw_t:sock_file create_file_perms;
allow bluetooth_t bluetooth_conf_rw_t:fifo_file create_file_perms;
type_transition bluetooth_t bluetooth_conf_t:{ file lnk_file sock_file fifo_file } bluetooth_conf_rw_t;
+domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)
+allow bluetooth_t bluetooth_helper_t:fd use;
+allow bluetooth_helper_t bluetooth_t:fd use;
+allow bluetooth_helper_t bluetooth_t:fifo_file rw_file_perms;
+allow bluetooth_helper_t bluetooth_t:process sigchld;
+
allow bluetooth_t bluetooth_lock_t:file create_file_perms;
files_create_lock(bluetooth_t,bluetooth_lock_t)
@@ -195,6 +201,8 @@ files_dontaudit_list_default(bluetooth_helper_t)
libs_use_ld_so(bluetooth_helper_t)
libs_use_shared_libs(bluetooth_helper_t)
+logging_send_syslog_msg(bluetooth_helper_t)
+
miscfiles_read_localization(bluetooth_helper_t)
miscfiles_read_fonts(bluetooth_helper_t)
@@ -203,7 +211,6 @@ optional_policy(`nscd.te',`
')
ifdef(`TODO',`
-domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)
# a "run" interface needs to be
# added, and have sysadm_t use it
diff --git a/refpolicy/policy/modules/services/canna.te b/refpolicy/policy/modules/services/canna.te
index f6e399e..317b261 100644
--- a/refpolicy/policy/modules/services/canna.te
+++ b/refpolicy/policy/modules/services/canna.te
@@ -25,7 +25,7 @@ files_pid_file(canna_var_run_t)
# Local policy
#
-allow canna_t self:capability { setgid setuid };
+allow canna_t self:capability { setgid setuid net_bind_service };
dontaudit canna_t self:capability sys_tty_config;
allow canna_t self:process signal_perms;
allow canna_t self:unix_stream_socket { connectto create_stream_socket_perms};
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 615bba7..d806c5a 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -209,7 +209,16 @@ allow crond_t user_home_dir_type:dir r_dir_perms;
#
# System cron process domain
#
-ifdef(`targeted_policy',`',`
+
+optional_policy(`squid.te',`
+ # cjp: why?
+ squid_domtrans(system_crond_t)
+')
+
+ifdef(`targeted_policy',`
+ # cjp: fix:
+ allow crond_t unconfined_t:process transition;
+',`
allow system_crond_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
allow system_crond_t self:process { signal_perms setsched };
allow system_crond_t self:fifo_file rw_file_perms;
@@ -370,11 +379,6 @@ ifdef(`targeted_policy',`',`
#samba_read_secrets(system_crond_t)
')
- optional_policy(`squid.te',`
- # cjp: why?
- squid_domtrans(system_crond_t)
- ')
-
ifdef(`TODO',`
dontaudit userdomain system_crond_t:fd use;
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index 9867a94..4513ef3 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -21,11 +21,11 @@ gen_require(`
')
init_daemon_domain(cupsd_t,cupsd_exec_t)
-type cupsd_etc_t; #, usercanread;
-files_type(cupsd_etc_t)
+type cupsd_etc_t;
+files_config_file(cupsd_etc_t)
-type cupsd_rw_etc_t; #, usercanread;
-files_type(cupsd_rw_etc_t)
+type cupsd_rw_etc_t;
+files_config_file(cupsd_rw_etc_t)
type cupsd_log_t;
logging_log_file(cupsd_log_t)
@@ -51,8 +51,8 @@ type hplip_t;
type hplip_exec_t;
init_daemon_domain(hplip_t,hplip_exec_t)
-type hplip_etc_t; #, usercanread;
-files_type(hplip_etc_t)
+type hplip_etc_t;
+files_config_file(hplip_etc_t)
type hplip_var_run_t;
files_pid_file(hplip_var_run_t)
@@ -61,8 +61,8 @@ type ptal_t;
type ptal_exec_t;
init_daemon_domain(ptal_t,ptal_exec_t)
-type ptal_etc_t; #, usercanread;
-files_type(ptal_etc_t)
+type ptal_etc_t;
+files_config_file(ptal_etc_t)
type ptal_var_run_t;
files_pid_file(ptal_var_run_t)
@@ -74,8 +74,8 @@ files_pid_file(ptal_var_run_t)
# /usr/lib/cups/backend/serial needs sys_admin(?!)
allow cupsd_t self:capability { sys_admin dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write };
-dontaudit cupsd_t self:capability net_admin;
-allow cupsd_t self:process setsched;
+dontaudit cupsd_t self:capability { sys_tty_config net_admin };
+allow cupsd_t self:process { setsched signal_perms };
allow cupsd_t self:fifo_file rw_file_perms;
allow cupsd_t self:unix_stream_socket create_socket_perms;
allow cupsd_t self:unix_dgram_socket create_socket_perms;
@@ -85,7 +85,7 @@ allow cupsd_t self:tcp_socket { create_stream_socket_perms connectto acceptfrom
allow cupsd_t self:udp_socket create_socket_perms;
allow cupsd_t cupsd_etc_t:file { r_file_perms setattr };
-allow cupsd_t cupsd_etc_t:dir { r_dir_perms setattr };
+allow cupsd_t cupsd_etc_t:dir { rw_dir_perms setattr };
allow cupsd_t cupsd_etc_t:lnk_file { getattr read };
files_search_etc(cupsd_t)
@@ -100,7 +100,7 @@ allow cupsd_t cupsd_exec_t:dir search;
allow cupsd_t cupsd_exec_t:lnk_file read;
allow cupsd_t cupsd_log_t:file create_file_perms;
-allow cupsd_t cupsd_log_t:dir rw_dir_perms;
+allow cupsd_t cupsd_log_t:dir { setattr rw_dir_perms };
logging_create_log(cupsd_t,cupsd_log_t,{ file dir })
allow cupsd_t cupsd_tmp_t:dir create_dir_perms;
@@ -232,13 +232,11 @@ allow web_client_domain cupsd_t:tcp_socket { connectto recvfrom };
allow cupsd_t web_client_domain:tcp_socket { acceptfrom recvfrom };
allow cupsd_t kernel_t:tcp_socket recvfrom;
allow web_client_domain kernel_t:tcp_socket recvfrom;
-
-allow cupsd_t usercanread:dir { getattr read search };
-allow cupsd_t usercanread:file { read getattr };
-allow cupsd_t usercanread:lnk_file { getattr read };
') dnl end TODO
-
+allow cupsd_t usercanread:dir r_dir_perms;
+allow cupsd_t usercanread:file r_file_perms;
+allow cupsd_t usercanread:lnk_file { getattr read };
allow cupsd_t devpts_t:dir search;
@@ -279,7 +277,7 @@ allow cupsd_t portmap_t:udp_socket recvfrom;
#
allow initrc_t cupsd_log_t:file { getattr read };
allow cupsd_t var_t:dir { getattr read search };
-allow cupsd_t var_t:file { read getattr };
+allow cupsd_t var_t:file r_file_perms;
allow cupsd_t var_t:lnk_file { getattr read };
optional_policy(`samba.te', `
@@ -506,6 +504,7 @@ allow hplip_t devpts_t:chr_file { getattr ioctl };
#
allow cupsd_config_t self:capability { chown sys_tty_config };
+allow cupsd_config_t self:process signal_perms;
allow cupsd_config_t self:fifo_file rw_file_perms;
allow cupsd_config_t self:unix_stream_socket create_socket_perms;
allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
@@ -699,8 +698,8 @@ optional_policy(`kerberos.te',`
')
#end for identd
-allow cupsd_lpd_t cupsd_etc_t:dir { getattr read search };
-allow cupsd_lpd_t cupsd_etc_t:file { read getattr };
+allow cupsd_lpd_t cupsd_etc_t:dir list_dir_perms;
+allow cupsd_lpd_t cupsd_etc_t:file r_file_perms;
allow cupsd_lpd_t cupsd_etc_t:lnk_file { getattr read };
allow cupsd_lpd_t cupsd_lpd_tmp_t:dir create_dir_perms;
@@ -711,7 +710,7 @@ allow cupsd_lpd_t cupsd_lpd_var_run_t:file create_file_perms;
allow cupsd_lpd_t cupsd_lpd_var_run_t:dir rw_dir_perms;
files_create_pid(cupsd_lpd_t,cupsd_lpd_var_run_t)
-allow cupsd_lpd_t cupsd_rw_etc_t:dir { getattr read search };
+allow cupsd_lpd_t cupsd_rw_etc_t:dir list_dir_perms;
allow cupsd_lpd_t cupsd_rw_etc_t:file { read getattr };
allow cupsd_lpd_t cupsd_rw_etc_t:lnk_file { getattr read };
diff --git a/refpolicy/policy/modules/services/dictd.te b/refpolicy/policy/modules/services/dictd.te
index a1f9e73..ba4f132 100644
--- a/refpolicy/policy/modules/services/dictd.te
+++ b/refpolicy/policy/modules/services/dictd.te
@@ -10,8 +10,8 @@ type dictd_t;
type dictd_exec_t;
init_daemon_domain(dictd_t,dictd_exec_t)
-type dictd_etc_t; #, usercanread;
-files_type(dictd_etc_t)
+type dictd_etc_t;
+files_config_file(dictd_etc_t)
type dictd_var_lib_t alias var_lib_dictd_t;
files_type(dictd_var_lib_t)
diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te
index d0c236f..d3adfd9 100644
--- a/refpolicy/policy/modules/services/dovecot.te
+++ b/refpolicy/policy/modules/services/dovecot.te
@@ -12,8 +12,8 @@ init_daemon_domain(dovecot_t,dovecot_exec_t)
type dovecot_cert_t;
files_type(dovecot_cert_t)
-type dovecot_etc_t; #, usercanread;
-files_type(dovecot_etc_t)
+type dovecot_etc_t;
+files_config_file(dovecot_etc_t)
type dovecot_passwd_t;
files_type(dovecot_passwd_t)
diff --git a/refpolicy/policy/modules/services/finger.te b/refpolicy/policy/modules/services/finger.te
index 94e85c2..64c4d5d 100644
--- a/refpolicy/policy/modules/services/finger.te
+++ b/refpolicy/policy/modules/services/finger.te
@@ -10,8 +10,8 @@ type fingerd_exec_t;
init_daemon_domain(fingerd_t,fingerd_exec_t)
inetd_tcp_service_domain(fingerd_t,fingerd_exec_t)
-type fingerd_etc_t; #, usercanread;
-files_type(fingerd_etc_t)
+type fingerd_etc_t;
+files_config_file(fingerd_etc_t)
type fingerd_log_t;
logging_log_file(fingerd_log_t)
diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te
index bd0e210..bce55f0 100644
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
@@ -11,7 +11,7 @@ type ftpd_exec_t;
init_daemon_domain(ftpd_t,ftpd_exec_t)
type ftpd_etc_t;
-files_type(ftpd_etc_t)
+files_config_file(ftpd_etc_t)
# ftpd_lock_t is only needed when ftpd_is_daemon is true, but we cannot define types conditionally
type ftpd_lock_t;
diff --git a/refpolicy/policy/modules/services/inn.te b/refpolicy/policy/modules/services/inn.te
index 6c6eb3f..11b1b03 100644
--- a/refpolicy/policy/modules/services/inn.te
+++ b/refpolicy/policy/modules/services/inn.te
@@ -9,8 +9,8 @@ type innd_t;
type innd_exec_t;
init_daemon_domain(innd_t,innd_exec_t)
-type innd_etc_t; #, usercanread;
-files_type(innd_etc_t)
+type innd_etc_t;
+files_config_file(innd_etc_t)
type innd_log_t;
logging_log_file(innd_log_t)
diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te
index 18ec509..796cf67 100644
--- a/refpolicy/policy/modules/services/ldap.te
+++ b/refpolicy/policy/modules/services/ldap.te
@@ -13,8 +13,8 @@ init_daemon_domain(slapd_t,slapd_exec_t)
type slapd_db_t;
files_type(slapd_db_t)
-type slapd_etc_t; #, usercanread;
-files_type(slapd_etc_t)
+type slapd_etc_t;
+files_config_file(slapd_etc_t)
type slapd_replog_t;
files_type(slapd_replog_t)
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 14f0d27..08dcb93 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -521,15 +521,12 @@ interface(`mta_delete_spool',`
interface(`mta_manage_spool',`
gen_require(`
type mail_spool_t;
- class dir rw_dir_perms;
- class lnk_file { getattr read };
- class file create_file_perms;
')
files_search_spool($1)
- allow $1 mail_spool_t:dir rw_dir_perms;
- allow $1 mail_spool_t:lnk_file { getattr read };
- allow $1 mail_spool_t:file create_file_perms;
+ allow $1 mail_spool_t:dir manage_dir_perms;
+ allow $1 mail_spool_t:lnk_file create_lnk_perms;
+ allow $1 mail_spool_t:file manage_file_perms;
')
#######################################
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index a1c9513..271ac25 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -17,7 +17,7 @@ type etc_aliases_t;
files_type(etc_aliases_t)
type etc_mail_t;
-files_type(etc_mail_t)
+files_config_file(etc_mail_t)
type mqueue_spool_t;
files_type(mqueue_spool_t)
diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te
index caf53fc..e0dadf0 100644
--- a/refpolicy/policy/modules/services/mysql.te
+++ b/refpolicy/policy/modules/services/mysql.te
@@ -17,7 +17,7 @@ type mysqld_db_t;
files_type(mysqld_db_t)
type mysqld_etc_t alias etc_mysqld_t;
-files_type(mysqld_etc_t)
+files_config_file(mysqld_etc_t)
type mysqld_log_t;
logging_log_file(mysqld_log_t)
diff --git a/refpolicy/policy/modules/services/nis.if b/refpolicy/policy/modules/services/nis.if
index 7646adb..2451eb2 100644
--- a/refpolicy/policy/modules/services/nis.if
+++ b/refpolicy/policy/modules/services/nis.if
@@ -117,6 +117,28 @@ interface(`nis_use_ypbind',`
########################################
## <summary>
+## Execute ypbind in the ypbind domain.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`nis_domtrans_ypbind',`
+ gen_require(`
+ type ypbind_t, ypbind_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domain_auto_trans($1,ypbind_exec_t,ypbind_t)
+
+ allow $1 ypbind_t:fd use;
+ allow ypbind_t $1:fd use;
+ allow ypbind_t $1:fifo_file rw_file_perms;
+ allow ypbind_t $1:process sigchld;
+')
+
+########################################
+## <summary>
## Send generic signals to ypbind.
## </summary>
## <param name="domain">
diff --git a/refpolicy/policy/modules/services/postgresql.te b/refpolicy/policy/modules/services/postgresql.te
index 0123946..5c19d7f 100644
--- a/refpolicy/policy/modules/services/postgresql.te
+++ b/refpolicy/policy/modules/services/postgresql.te
@@ -12,8 +12,8 @@ init_daemon_domain(postgresql_t,postgresql_exec_t)
type postgresql_db_t;
files_type(postgresql_db_t)
-type postgresql_etc_t; #, usercanread;
-files_type(postgresql_etc_t)
+type postgresql_etc_t;
+files_config_file(postgresql_etc_t)
type postgresql_lock_t;
files_lock_file(postgresql_lock_t)
diff --git a/refpolicy/policy/modules/services/ppp.te b/refpolicy/policy/modules/services/ppp.te
index c7a80b8..5054eab 100644
--- a/refpolicy/policy/modules/services/ppp.te
+++ b/refpolicy/policy/modules/services/ppp.te
@@ -16,8 +16,8 @@ type pppd_devpts_t;
term_pty(pppd_devpts_t)
# Define a separate type for /etc/ppp
-type pppd_etc_t; #, usercanread;
-files_type(pppd_etc_t)
+type pppd_etc_t;
+files_config_file(pppd_etc_t)
# Define a separate type for writable files under /etc/ppp
type pppd_etc_rw_t;
diff --git a/refpolicy/policy/modules/services/radius.te b/refpolicy/policy/modules/services/radius.te
index 4e165b6..3f62838 100644
--- a/refpolicy/policy/modules/services/radius.te
+++ b/refpolicy/policy/modules/services/radius.te
@@ -10,8 +10,8 @@ type radiusd_t;
type radiusd_exec_t;
init_daemon_domain(radiusd_t,radiusd_exec_t)
-type radiusd_etc_t; #, usercanread;
-files_type(radiusd_etc_t)
+type radiusd_etc_t;
+files_config_file(radiusd_etc_t)
type radiusd_log_t;
logging_log_file(radiusd_log_t)
diff --git a/refpolicy/policy/modules/services/radvd.te b/refpolicy/policy/modules/services/radvd.te
index d2569ea..d874fb3 100644
--- a/refpolicy/policy/modules/services/radvd.te
+++ b/refpolicy/policy/modules/services/radvd.te
@@ -12,8 +12,8 @@ init_daemon_domain(radvd_t,radvd_exec_t)
type radvd_var_run_t;
files_pid_file(radvd_var_run_t)
-type radvd_etc_t; #, usercanread;
-files_type(radvd_etc_t)
+type radvd_etc_t;
+files_config_file(radvd_etc_t)
########################################
#
diff --git a/refpolicy/policy/modules/services/rpc.te b/refpolicy/policy/modules/services/rpc.te
index 6b20ad5..91303af 100644
--- a/refpolicy/policy/modules/services/rpc.te
+++ b/refpolicy/policy/modules/services/rpc.te
@@ -24,13 +24,13 @@ rpc_domain_template(rpcd)
rpc_domain_template(nfsd)
type nfsd_rw_t;
-files_type(nfsd_rw_t)
+files_config_file(nfsd_rw_t)
type nfsd_ro_t;
-files_type(nfsd_ro_t)
+files_config_file(nfsd_ro_t)
type var_lib_nfs_t;
-files_type(var_lib_nfs_t)
+files_config_file(var_lib_nfs_t)
########################################
#
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index 853c334..44119dc 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -13,8 +13,8 @@ init_daemon_domain(nmbd_t,nmbd_exec_t)
type nmbd_var_run_t;
files_pid_file(nmbd_var_run_t)
-type samba_etc_t; #, usercanread;
-files_type(samba_etc_t)
+type samba_etc_t;
+files_config_file(samba_etc_t)
type samba_log_t;
logging_log_file(samba_log_t)
@@ -32,8 +32,8 @@ files_tmp_file(samba_net_tmp_t)
type samba_secrets_t;
files_type(samba_secrets_t)
-type samba_share_t; #, customizable;
-files_type(samba_share_t)
+type samba_share_t;
+files_config_file(samba_share_t)
type samba_var_t;
files_type(samba_var_t)
diff --git a/refpolicy/policy/modules/services/snmp.te b/refpolicy/policy/modules/services/snmp.te
index 3149ccc..e453757 100644
--- a/refpolicy/policy/modules/services/snmp.te
+++ b/refpolicy/policy/modules/services/snmp.te
@@ -9,8 +9,8 @@ type snmpd_t;
type snmpd_exec_t;
init_daemon_domain(snmpd_t,snmpd_exec_t)
-type snmpd_etc_t; #, usercanread;
-files_type(snmpd_etc_t)
+type snmpd_etc_t;
+files_config_file(snmpd_etc_t)
type snmpd_log_t;
logging_log_file(snmpd_log_t)
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 59d562a..fd793e9 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -80,6 +80,26 @@ interface(`files_pid_file',`
########################################
## <summary>
## Make the specified type a
+## configuration file.
+## </summary>
+## <param name="file_type">
+## Type to be used as a configuration file.
+## </param>
+#
+interface(`files_config_file',`
+ gen_require(`
+ attribute usercanread;
+ ')
+
+ files_type($1)
+
+ # this is a hack and should be removed.
+ typeattribute $1 usercanread;
+')
+
+########################################
+## <summary>
+## Make the specified type a
## polyinstantiated directory.
## </summary>
## <param name="file_type">
@@ -2947,11 +2967,10 @@ interface(`files_delete_all_pid_dirs',`
interface(`files_search_spool',`
gen_require(`
type var_t, var_spool_t;
- class dir search;
')
- allow $1 var_t:dir search;
- allow $1 var_spool_t:dir search;
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_spool_t:dir search_dir_perms;
')
########################################
diff --git a/refpolicy/policy/modules/system/files.te b/refpolicy/policy/modules/system/files.te
index f6b418f..acd0117 100644
--- a/refpolicy/policy/modules/system/files.te
+++ b/refpolicy/policy/modules/system/files.te
@@ -18,6 +18,9 @@ attribute pidfile;
# For labeling types that are to be polyinstantiated
attribute polydir;
+# this is a hack and should be changed
+attribute usercanread;
+
# And for labeling the parent directories of those polyinstantiated directories
# This is necessary for remounting the original in the parent to give
# security aware apps access
diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te
index 8b8e950..ee7cda2 100644
--- a/refpolicy/policy/modules/system/getty.te
+++ b/refpolicy/policy/modules/system/getty.te
@@ -17,7 +17,7 @@ domain_wide_inherit_fd(getty_t)
type getty_etc_t;
typealias getty_etc_t alias etc_getty_t;
-files_type(getty_etc_t)
+files_config_file(getty_etc_t)
type getty_lock_t;
files_lock_file(getty_lock_t)
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 9309e8a..8b05c41 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -11,8 +11,8 @@ type hotplug_exec_t;
kernel_userland_entry(hotplug_t,hotplug_exec_t)
init_daemon_domain(hotplug_t,hotplug_exec_t)
-type hotplug_etc_t; #, usercanread;
-files_type(hotplug_etc_t)
+type hotplug_etc_t;
+files_config_file(hotplug_etc_t)
kernel_search_from(hotplug_etc_t)
domain_entry_file(hotplug_t,hotplug_etc_t)
diff --git a/refpolicy/policy/modules/system/miscfiles.te b/refpolicy/policy/modules/system/miscfiles.te
index ba7d43e..3cbca5a 100644
--- a/refpolicy/policy/modules/system/miscfiles.te
+++ b/refpolicy/policy/modules/system/miscfiles.te
@@ -17,7 +17,7 @@ files_type(cert_t)
# files in /usr
#
type fonts_t;
-files_type(fonts_t)
+files_config_file(fonts_t)
#
# type for /usr/share/hwdata
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index 9959852..3467a7a 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -191,10 +191,11 @@ optional_policy(`rpm.te',`
')
ifdef(`TODO',`
-allow depmod_t modules_object_t:file unlink;
ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
') dnl end ifdef TODO
+allow depmod_t modules_object_t:file unlink;
+
#################################
#
# update-modules local policy
diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te
index f724db3..8951f70 100644
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ b/refpolicy/policy/modules/system/pcmcia.te
@@ -144,11 +144,13 @@ optional_policy(`udev.te', `
')
ifdef(`TODO',`
-# Create device files in /tmp.
-# cjp: why is this created all over the place?
-file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file })
-
optional_policy(`rhgb.te',`
rhgb_domain(cardmgr_t)
')
') dnl end TODO
+
+# Create device files in /tmp.
+# cjp: why is this created all over the place?
+allow cardmgr_t cardmgr_dev_t:{ chr_file blk_file } manage_file_perms;
+allow cardmgr_t { var_run_t cardmgr_var_run_t device_t tmp_t }:dir rw_dir_perms;
+type_transition cardmgr_t { var_run_t cardmgr_var_run_t device_t tmp_t }:{ chr_file blk_file } cardmgr_dev_t;
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 9a44ac6..d181cf9 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -7,9 +7,9 @@ policy_module(sysnetwork,1.0)
#
# this is shared between dhcpc and dhcpd:
-type dhcp_etc_t; #, usercanread;
+type dhcp_etc_t;
typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
-files_type(dhcp_etc_t)
+files_config_file(dhcp_etc_t)
# this is shared between dhcpc and dhcpd:
type dhcp_state_t;
@@ -206,7 +206,7 @@ optional_policy(`nis.te',`
nis_signal_ypbind(dhcpc_t)
# dhclient sometimes starts ypbind
init_exec_script(dhcpc_t)
- #nis_domtrans_ypbind(dhcpc_t)
+ nis_domtrans_ypbind(dhcpc_t)
')
optional_policy(`nscd.te',`
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index c021f91..fe5626d 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -21,7 +21,7 @@ domain_wide_inherit_fd(udev_t)
init_daemon_domain(udev_t,udev_exec_t)
type udev_etc_t alias etc_udev_t;
-files_type(udev_etc_t)
+files_config_file(udev_etc_t)
# udev_runtime_t is the type of the udev table file
# cjp: this is probably a copy of udev_tbl_t and can be removed
More information about the scm-commits
mailing list