[selinux-policy: 1018/3172] fix dupe interfaces
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:32:57 UTC 2010
commit 1470ffb03f09d9d0fb8b01b58fa917392a9b0684
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Mon Dec 5 17:11:14 2005 +0000
fix dupe interfaces
refpolicy/policy/modules/kernel/devices.if | 18 ---------
refpolicy/policy/modules/kernel/files.if | 20 +---------
refpolicy/policy/modules/kernel/filesystem.if | 18 ---------
refpolicy/policy/modules/kernel/kernel.if | 18 ---------
refpolicy/policy/modules/kernel/storage.if | 18 ---------
refpolicy/policy/modules/kernel/terminal.if | 17 --------
refpolicy/policy/modules/services/ppp.if | 18 +--------
refpolicy/policy/modules/services/samba.if | 17 --------
refpolicy/policy/modules/services/squid.if | 28 -------------
refpolicy/policy/modules/system/init.if | 51 ++++++++----------------
10 files changed, 19 insertions(+), 204 deletions(-)
---
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 0ae1165..83e5dc2 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -253,24 +253,6 @@ interface(`dev_dontaudit_setattr_generic_blk_file',`
########################################
## <summary>
-## Allow read, write, create, and delete for generic
-## block files.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`dev_manage_generic_blk_file',`
- gen_require(`
- type device_t;
- ')
-
- allow $1 device_t:dir rw_dir_perms;
- allow $1 device_t:blk_file create_file_perms;
-')
-
-########################################
-## <summary>
## Allow read, write, and create for generic character device files.
## </summary>
## <param name="domain">
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index b78d961..b178766 100644
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -300,10 +300,9 @@ interface(`files_search_all',`
## Domain allowed access.
## </param>
#
-interface(`files_list_all_dirs',`
+interface(`files_list_all',`
gen_require(`
attribute file_type;
- class dir r_dir_perms;
')
allow $1 file_type:dir r_dir_perms;
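Review bot: Renaming the interface from `files_list_all_dirs` to `files_list_all` changes a name that calling modules depend on, and the diffstat lists only .if files, so any .te module still calling `files_list_all_dirs` will fail to build after this commit. If a `files_list_all` definition already exists elsewhere in files.if — which the commit title suggests may be the situation being fixed — the rename would itself create the duplicate the commit is trying to remove, so the name should be checked against the rest of the file before merging. Dropping `class dir r_dir_perms;` from gen_require matches the treatment of the other gen_require blocks in this commit and leaves the `allow` rule untouched. The interface body continues past the end of the hunk.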
@@ -2046,23 +2045,6 @@ interface(`files_dontaudit_getattr_tmp_dir',`
########################################
## <summary>
-## Allow domain to getattr on /tmp directory.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`files_getattr_tmp_dir',`
- gen_require(`
- type tmp_t;
- class dir getattr;
- ')
-
- allow $1 tmp_t:dir getattr;
-')
-
-########################################
-## <summary>
## Search the tmp directory (/tmp).
## </summary>
## <param name="domain">
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index f089669..f0f7255 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -653,24 +653,6 @@ interface(`fs_execute_cifs_files',`
########################################
## <summary>
-## Do not audit attempts to read or
-## write files on a CIFS or SMB filesystems.
-## </summary>
-## <param name="domain">
-## The type of the domain to not audit.
-## </param>
-#
-interface(`fs_dontaudit_read_cifs_files',`
- gen_require(`
- type cifs_t;
- class file { read write };
- ')
-
- dontaudit $1 cifs_t:file { read write };
-')
-
-########################################
-## <summary>
## Create, read, write, and delete directories
## on a CIFS or SMB network filesystem.
## </summary>
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 5510188..9f25444 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -1819,24 +1819,6 @@ interface(`kernel_read_file_from',`
########################################
## <summary>
-## Allow the kernel to search the
-## specified directory.
-## </summary>
-## <param name="dir_type">
-## Directory type to search.
-## </param>
-#
-interface(`kernel_search_from',`
- gen_require(`
- type kernel_t;
- class dir search;
- ')
-
- allow kernel_t $1:dir search;
-')
-
-########################################
-## <summary>
## Use the specified types for /lib directory
## and use the dynamic link/loader for automatic loading
## of shared libraries, and the link/loader
diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if
index a437aee..c6c34fb 100644
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@@ -363,24 +363,6 @@ interface(`storage_write_scsi_generic',`
########################################
## <summary>
-## Get attributes of the device nodes
-## for the SCSI generic inerface.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`storage_getattr_scsi_generic',`
- gen_require(`
- type scsi_generic_device_t;
- ')
-
- dev_list_all_dev_nodes($1)
- allow $1 scsi_generic_device_t:chr_file getattr;
-')
-
-########################################
-## <summary>
## Set attributes of the device nodes
## for the SCSI generic inerface.
## </summary>
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index f4c7fc6..3dcd01c 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -642,23 +642,6 @@ interface(`term_reset_tty_labels',`
########################################
## <summary>
-## Do not audit attempts to get the attributes
-## of unallocated ttys.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`term_dontaudit_getattr_unallocated_ttys',`
- gen_require(`
- type tty_device_t;
- ')
-
- dontaudit $1 tty_device_t:chr_file getattr;
-')
-
-########################################
-## <summary>
## Write to unallocated ttys.
## </summary>
## <param name="domain">
diff --git a/refpolicy/policy/modules/services/ppp.if b/refpolicy/policy/modules/services/ppp.if
index aa5e4d9..b73fe4e 100644
--- a/refpolicy/policy/modules/services/ppp.if
+++ b/refpolicy/policy/modules/services/ppp.if
@@ -35,7 +35,7 @@ interface(`ppp_dontaudit_use_fd',`
########################################
## <summary>
-## Allow domain to send sigchld to parent of PPP domain type.
+## Send a SIGCHLD signal to PPP.
## </summary>
## <param name="domain">
## Domain allowed access.
@@ -68,22 +68,6 @@ interface(`ppp_signal',`
########################################
## <summary>
-## Send a SIGCHLD signal to PPP.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`ppp_sigchld',`
- gen_require(`
- type pppd_t;
- ')
-
- allow $1 pppd_t:process sigchld;
-')
-
-########################################
-## <summary>
## Execute domain in the ppp domain.
## </summary>
## <param name="domain">
diff --git a/refpolicy/policy/modules/services/samba.if b/refpolicy/policy/modules/services/samba.if
index 34b6d48..fd422c8 100644
--- a/refpolicy/policy/modules/services/samba.if
+++ b/refpolicy/policy/modules/services/samba.if
@@ -329,23 +329,6 @@ interface(`samba_read_winbind_pid',`
########################################
## <summary>
-## Allow the specified domain to read the winbind pid files.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`samba_read_winbind_pid',`
- gen_require(`
- type winbind_var_run_t;
- ')
-
- files_search_pids($1)
- allow $1 winbind_var_run_t:file r_file_perms;
-')
-
-########################################
-## <summary>
## Connect to winbind.
## </summary>
## <param name="domain">
diff --git a/refpolicy/policy/modules/services/squid.if b/refpolicy/policy/modules/services/squid.if
index 397a3a6..10497bf 100644
--- a/refpolicy/policy/modules/services/squid.if
+++ b/refpolicy/policy/modules/services/squid.if
@@ -11,9 +11,6 @@
interface(`squid_domtrans',`
gen_require(`
type squid_t, squid_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
')
corecmd_search_sbin($1)
@@ -36,7 +33,6 @@ interface(`squid_domtrans',`
interface(`squid_read_config',`
gen_require(`
type squid_conf_t;
- class file r_file_perms;
')
files_search_etc($1)
@@ -45,27 +41,6 @@ interface(`squid_read_config',`
########################################
## <summary>
-## Create, read, write, and delete
-## squid logs.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`squid_manage_logs',`
- gen_require(`
- type squid_log_t;
- class dir rw_dir_perms;
- class file create_file_perms;
- ')
-
- logging_search_logs($1)
- allow $1 squid_log_t:dir rw_dir_perms;
- allow $1 squid_log_t:file create_file_perms;
-')
-
-########################################
-## <summary>
## Append squid logs.
## </summary>
## <param name="domain">
@@ -112,8 +87,6 @@ interface(`squid_append_log',`
interface(`squid_manage_logs',`
gen_require(`
type squid_log_t;
- class dir rw_dir_perms;
- class file create_file_perms;
')
logging_search_logs($1)
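Review bot: The allow rules of the retained `squid_manage_logs` definition fall outside the hunk, so it cannot be confirmed here that it grants everything the removed copy earlier in this file did (`logging_search_logs($1)`, `rw_dir_perms` on squid_log_t:dir and `create_file_perms` on squid_log_t:file); when collapsing two same-named definitions the surviving one should be the superset, otherwise callers silently lose access and nothing in the build flags it. Assuming `interface()` is a plain m4 define, the later definition was already the effective one, so behaviour is presumably unchanged, but a side-by-side diff of the two bodies is still worth doing. Removing the `class` lines from gen_require here and in `squid_domtrans`, `squid_read_config` and `squid_use` above is consistent across the commit and does not alter any `allow` rule. The interface body continues beyond the hunk.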
@@ -132,7 +105,6 @@ interface(`squid_manage_logs',`
interface(`squid_use',`
gen_require(`
type squid_t;
- class tcp_socket { connectto acceptfrom recvfrom };
')
allow $1 squid_t:tcp_socket { connectto recvfrom };
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 73bfa56..7c08d2c 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -442,40 +442,6 @@ interface(`init_write_script_pipe',`
########################################
## <summary>
-## Allow the specified domain to connect to
-## init scripts with a unix domain stream socket.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`init_unix_connect_script',`
- gen_require(`
- type initrc_t;
- ')
-
- allow $1 initrc_t:unix_stream_socket connectto;
-')
-
-########################################
-## <summary>
-## Dont audit the specified domain connecting to
-## init scripts with a unix domain stream socket.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`init_dontaudit_unix_connect_script',`
- gen_require(`
- type initrc_t;
- ')
-
- dontaudit $1 initrc_t:unix_stream_socket connectto;
-')
-
-########################################
-## <summary>
## Get the attribute of init script entrypoint files.
## </summary>
## <param name="domain">
@@ -692,6 +658,23 @@ interface(`init_unix_connect_script',`
########################################
## <summary>
+## Dont audit the specified domain connecting to
+## init scripts with a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`init_dontaudit_unix_connect_script',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ dontaudit $1 initrc_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
## Send and receive messages from
## init scripts over dbus.
## </summary>
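Review bot: The summary of the re-added `init_dontaudit_unix_connect_script` reads `## Dont audit the specified domain connecting to`, whereas the other dontaudit interfaces touched by this commit (`fs_dontaudit_read_cifs_files`, `term_dontaudit_getattr_unallocated_ttys`) use the `## Do not audit attempts to ...` wording; since the block is being moved anyway, `## Do not audit attempts to connect to` / `## init scripts with a unix domain stream socket.` would bring it in line with the file conventions. Placing the interface next to the surviving `init_unix_connect_script` (named in the hunk header) is otherwise consistent, and the body `dontaudit $1 initrc_t:unix_stream_socket connectto;` is identical to the copy removed earlier in the diff.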