[selinux-policy: 1192/3172] fix kernel_relabel_unlabeled()
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:48:00 UTC 2010
commit c66a3aaf98c54adbe88bfa548cf2d739c06cc530
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Feb 3 17:57:16 2006 +0000
fix kernel_relabel_unlabeled()
refpolicy/policy/modules/kernel/kernel.if | 73 +++++++++++++++++++++++-
refpolicy/policy/modules/system/selinuxutil.te | 31 ++++++----
2 files changed, 88 insertions(+), 16 deletions(-)
---
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 9278bb4..79c8f8f 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -1606,19 +1606,86 @@ interface(`kernel_dontaudit_getattr_unlabeled_chr_files',`
########################################
## <summary>
-## Allow caller to relabel unlabeled objects.
+## Allow caller to relabel unlabeled directories.
## </summary>
## <param name="domain">
## The process type relabeling the objects.
## </param>
#
-interface(`kernel_relabel_unlabeled',`
+interface(`kernel_relabelfrom_unlabeled_dirs',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:dir { getattr search read relabelfrom };
+')
+
+########################################
+## <summary>
+## Allow caller to relabel unlabeled files.
+## </summary>
+## <param name="domain">
+## The process type relabeling the objects.
+## </param>
+#
+interface(`kernel_relabelfrom_unlabeled_files',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ kernel_list_unlabeled($1)
+ allow $1 unlabeled_t:file { getattr relabelfrom };
+')
+
+########################################
+## <summary>
+## Allow caller to relabel unlabeled symbolic links.
+## </summary>
+## <param name="domain">
+## The process type relabeling the objects.
+## </param>
+#
+interface(`kernel_relabelfrom_unlabeled_symlinks',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ kernel_list_unlabeled($1)
+ allow $1 unlabeled_t:lnk_file { getattr relabelfrom };
+')
+
+########################################
+## <summary>
+## Allow caller to relabel unlabeled named pipes.
+## </summary>
+## <param name="domain">
+## The process type relabeling the objects.
+## </param>
+#
+interface(`kernel_relabelfrom_unlabeled_pipes',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ kernel_list_unlabeled($1)
+ allow $1 unlabeled_t:fifo_file { getattr relabelfrom };
+')
+
+########################################
+## <summary>
+## Allow caller to relabel unlabeled named sockets.
+## </summary>
+## <param name="domain">
+## The process type relabeling the objects.
+## </param>
+#
+interface(`kernel_relabelfrom_unlabeled_sockets',`
gen_require(`
type unlabeled_t;
')
kernel_list_unlabeled($1)
- allow $1 unlabeled_t:dir_file_class_set { getattr relabelfrom };
+ allow $1 unlabeled_t:sock_file { getattr relabelfrom };
')
########################################
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 0cf800a..8447279 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -321,7 +321,13 @@ allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_
kernel_use_fd(restorecon_t)
kernel_rw_pipes(restorecon_t)
kernel_read_system_state(restorecon_t)
+kernel_relabelfrom_unlabeled_dirs(restorecon_t)
+kernel_relabelfrom_unlabeled_files(restorecon_t)
+kernel_relabelfrom_unlabeled_symlinks(restorecon_t)
+kernel_relabelfrom_unlabeled_pipes(restorecon_t)
+kernel_relabelfrom_unlabeled_sockets(restorecon_t)
+dev_relabel_all_dev_nodes(restorecon_t)
# cjp: why is this needed?
dev_rw_generic_files(restorecon_t)
@@ -359,10 +365,6 @@ logging_send_syslog_msg(restorecon_t)
userdom_use_all_users_fd(restorecon_t)
-# relabeling rules
-kernel_relabel_unlabeled(restorecon_t)
-dev_relabel_all_dev_nodes(restorecon_t)
-
files_relabel_all_files(restorecon_t)
files_list_all(restorecon_t)
# this is to satisfy the assertion:
@@ -474,7 +476,13 @@ allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
kernel_read_system_state(setfiles_t)
-kernel_list_unlabeled(setfiles_t)
+kernel_relabelfrom_unlabeled_dirs(setfiles_t)
+kernel_relabelfrom_unlabeled_files(setfiles_t)
+kernel_relabelfrom_unlabeled_symlinks(setfiles_t)
+kernel_relabelfrom_unlabeled_pipes(setfiles_t)
+kernel_relabelfrom_unlabeled_sockets(setfiles_t)
+
+dev_relabel_all_dev_nodes(setfiles_t)
fs_getattr_xattr_fs(setfiles_t)
fs_list_all(setfiles_t)
@@ -495,6 +503,9 @@ term_use_all_user_ttys(setfiles_t)
term_use_all_user_ptys(setfiles_t)
term_use_unallocated_ttys(setfiles_t)
+# this is to satisfy the assertion:
+auth_relabelto_shadow(setfiles_t)
+
init_use_fd(setfiles_t)
init_use_script_fd(setfiles_t)
init_use_script_ptys(setfiles_t)
@@ -506,6 +517,8 @@ libs_use_shared_libs(setfiles_t)
files_read_etc_runtime_files(setfiles_t)
files_read_etc_files(setfiles_t)
+files_list_all(setfiles_t)
+files_relabel_all_files(setfiles_t)
logging_send_syslog_msg(setfiles_t)
@@ -515,14 +528,6 @@ userdom_use_all_users_fd(setfiles_t)
# for config files in a home directory
userdom_read_all_user_files(setfiles_t)
-# relabeling rules
-kernel_relabel_unlabeled(setfiles_t)
-dev_relabel_all_dev_nodes(setfiles_t)
-files_list_all(setfiles_t)
-files_relabel_all_files(setfiles_t)
-# this is to satisfy the assertion:
-auth_relabelto_shadow(setfiles_t)
-
ifdef(`TODO',`
# for upgrading glibc and other shared objects - without this the upgrade
# scripts will put things in a state such that setfiles can not be run!
More information about the scm-commits
mailing list