[selinux-policy: 1306/3172] add extra dep to init_t interfaces since init_t is in base module right now.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:58:12 UTC 2010
commit bcdcc55c7f19fe42bedebb0aa17892c80250e62f
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Tue Mar 28 21:20:01 2006 +0000
add extra dep to init_t interfaces since init_t is in base module right now.
refpolicy/policy/modules/system/init.if | 142 +++++++++++++++++-------------
refpolicy/policy/modules/system/init.te | 2 +
2 files changed, 82 insertions(+), 62 deletions(-)
---
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 819ff14..6902c6a 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -192,71 +192,12 @@ interface(`init_exec',`
interface(`init_getpgid',`
gen_require(`
type init_t;
- ')
-
- allow $1 init_t:process getpgid;
-')
-
-########################################
-#
-# init_getattr_initctl(domain)
-#
-interface(`init_getattr_initctl',`
- gen_require(`
- type initctl_t;
- ')
-
- allow $1 initctl_t:fifo_file getattr;
-')
-
-########################################
-#
-# init_dontaudit_getattr_initctl(domain)
-#
-interface(`init_dontaudit_getattr_initctl',`
- gen_require(`
- type initctl_t;
- ')
-
- dontaudit $1 initctl_t:fifo_file getattr;
-')
-
-########################################
-#
-# init_write_initctl(domain)
-#
-interface(`init_write_initctl',`
- gen_require(`
- type initctl_t;
- ')
-
- dev_list_all_dev_nodes($1)
- allow $1 initctl_t:fifo_file write;
-')
-
-########################################
-#
-# init_rw_initctl(domain)
-#
-interface(`init_rw_initctl',`
- gen_require(`
- type initctl_t;
- ')
-
- dev_list_all_dev_nodes($1)
- allow $1 initctl_t:fifo_file rw_file_perms;
-')
-########################################
-#
-# init_dontaudit_rw_initctl(domain)
-#
-interface(`init_dontaudit_rw_initctl',`
- gen_require(`
- type initctl_t;
+ # cjp: remove this when init_t decl is moved back to this module
+ type init_exec_t;
')
- dontaudit $1 initctl_t:fifo_file { read write };
+ allow $1 init_t:process getpgid;
')
########################################
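Review bot: The added `type init_exec_t;` in init_getpgid's gen_require is not referenced by any rule in the interface, and the comment beside it says when to remove it but not why it is there. Going by the commit message, it appears to exist only to force callers to depend on the init module while init_t is declared in base. The comment should say so, for example `# cjp: init_exec_t is required only to create a dependency on the init module while init_t is declared in base; remove when the init_t decl moves back here`. The same applies to the identical additions in init_signull, init_sigchld, init_use_fds, init_dontaudit_use_fds and init_udp_send. Without the reason stated, a later cleanup could drop the seemingly unused require and bring back the missing dependency.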
@@ -272,6 +213,9 @@ interface(`init_dontaudit_rw_initctl',`
interface(`init_signull',`
gen_require(`
type init_t;
+
+ # cjp: remove this when init_t decl is moved back to this module
+ type init_exec_t;
')
allow $1 init_t:process signull;
@@ -290,6 +234,9 @@ interface(`init_signull',`
interface(`init_sigchld',`
gen_require(`
type init_t;
+
+ # cjp: remove this when init_t decl is moved back to this module
+ type init_exec_t;
')
allow $1 init_t:process sigchld;
@@ -302,6 +249,9 @@ interface(`init_sigchld',`
interface(`init_use_fds',`
gen_require(`
type init_t;
+
+ # cjp: remove this when init_t decl is moved back to this module
+ type init_exec_t;
')
allow $1 init_t:fd use;
@@ -314,6 +264,9 @@ interface(`init_use_fds',`
interface(`init_dontaudit_use_fds',`
gen_require(`
type init_t;
+
+ # cjp: remove this when init_t decl is moved back to this module
+ type init_exec_t;
')
dontaudit $1 init_t:fd use;
@@ -332,6 +285,9 @@ interface(`init_dontaudit_use_fds',`
interface(`init_udp_send',`
gen_require(`
type init_t;
+
+ # cjp: remove this when init_t decl is moved back to this module
+ type init_exec_t;
')
allow $1 init_t:udp_socket sendto;
@@ -339,6 +295,68 @@ interface(`init_udp_send',`
')
########################################
+#
+# init_getattr_initctl(domain)
+#
+interface(`init_getattr_initctl',`
+ gen_require(`
+ type initctl_t;
+ ')
+
+ allow $1 initctl_t:fifo_file getattr;
+')
+
+########################################
+#
+# init_dontaudit_getattr_initctl(domain)
+#
+interface(`init_dontaudit_getattr_initctl',`
+ gen_require(`
+ type initctl_t;
+ ')
+
+ dontaudit $1 initctl_t:fifo_file getattr;
+')
+
+########################################
+#
+# init_write_initctl(domain)
+#
+interface(`init_write_initctl',`
+ gen_require(`
+ type initctl_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 initctl_t:fifo_file write;
+')
+
+########################################
+#
+# init_rw_initctl(domain)
+#
+interface(`init_rw_initctl',`
+ gen_require(`
+ type initctl_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 initctl_t:fifo_file rw_file_perms;
+')
+
+########################################
+#
+# init_dontaudit_rw_initctl(domain)
+#
+interface(`init_dontaudit_rw_initctl',`
+ gen_require(`
+ type initctl_t;
+ ')
+
+ dontaudit $1 initctl_t:fifo_file { read write };
+')
+
+########################################
## <summary>
## Make init scripts an entry point for
## the specified domain.
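Review bot: The five initctl interfaces re-added in this hunk keep the bare `# init_write_initctl(domain)` style header, while the interface that follows them already uses a `## <summary>` block. Since the code is being moved anyway, each should get a `## <summary>` plus a `## <param name="domain">` block that describes the access granted. For init_write_initctl and init_rw_initctl the summary should also mention that they call `dev_list_all_dev_nodes($1)`. Judging by its name, that call gives the caller more than access to the initctl FIFO, so a policy author using these interfaces should be able to see it without reading the body. The interface following this hunk starts outside it, so its full documentation is not visible here.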
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 1dc2d5a..9b45dcf 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -21,6 +21,8 @@ attribute direct_init_entry;
#
# real declaration moved to mls until
# range_transition works in loadable modules
+# also remove the extra init_exec_t dependencies
+# in init_t interfaces when the decl gets moved back here.
gen_require(`
type init_t;
')