[selinux-policy: 1306/3172] add extra dep to init_t interfaces since init_t is in base module right now.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:58:12 UTC 2010


commit bcdcc55c7f19fe42bedebb0aa17892c80250e62f
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Mar 28 21:20:01 2006 +0000

    add extra dep to init_t interfaces since init_t is in base module right now.

 refpolicy/policy/modules/system/init.if |  142 +++++++++++++++++-------------
 refpolicy/policy/modules/system/init.te |    2 +
 2 files changed, 82 insertions(+), 62 deletions(-)
---
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 819ff14..6902c6a 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -192,71 +192,12 @@ interface(`init_exec',`
 interface(`init_getpgid',`
 	gen_require(`
 		type init_t;
-	')
-
-	allow $1 init_t:process getpgid;
-')
-
-########################################
-#
-# init_getattr_initctl(domain)
-#
-interface(`init_getattr_initctl',`
-	gen_require(`
-		type initctl_t;
-	')
-
-	allow $1 initctl_t:fifo_file getattr;
-')
-
-########################################
-#
-# init_dontaudit_getattr_initctl(domain)
-#
-interface(`init_dontaudit_getattr_initctl',`
-	gen_require(`
-		type initctl_t;
-	')
-
-	dontaudit $1 initctl_t:fifo_file getattr;
-')
-
-########################################
-#
-# init_write_initctl(domain)
-#
-interface(`init_write_initctl',`
-	gen_require(`
-		type initctl_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 initctl_t:fifo_file write;
-')
-
-########################################
-#
-# init_rw_initctl(domain)
-#
-interface(`init_rw_initctl',`
-	gen_require(`
-		type initctl_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	allow $1 initctl_t:fifo_file rw_file_perms;
-')
 
-########################################
-#
-# init_dontaudit_rw_initctl(domain)
-#
-interface(`init_dontaudit_rw_initctl',`
-	gen_require(`
-		type initctl_t;
+		# cjp: remove this when init_t decl is moved back to this module
+		type init_exec_t;
 	')
 
-	dontaudit $1 initctl_t:fifo_file { read write };
+	allow $1 init_t:process getpgid;
 ')
 
 ########################################
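Review bot: The comment added in init_getpgid's gen_require says when to remove `type init_exec_t;` but not why it is there; the type is required yet never used in the `allow` rule, so a later cleanup could drop it as dead. Judging by the commit message, the require is there only to make callers depend on the init module while init_t is declared in base, and the comment should say so, e.g. `# cjp: init_exec_t is required only to force a dependency on the init module while init_t is declared in base; remove when the init_t decl moves back here`. The same wording applies to the identical additions in init_signull, init_sigchld, init_use_fds, init_dontaudit_use_fds and init_udp_send in the following hunks.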
@@ -272,6 +213,9 @@ interface(`init_dontaudit_rw_initctl',`
 interface(`init_signull',`
 	gen_require(`
 		type init_t;
+
+		# cjp: remove this when init_t decl is moved back to this module
+		type init_exec_t;
 	')
 
 	allow $1 init_t:process signull;
@@ -290,6 +234,9 @@ interface(`init_signull',`
 interface(`init_sigchld',`
 	gen_require(`
 		type init_t;
+
+		# cjp: remove this when init_t decl is moved back to this module
+		type init_exec_t;
 	')
 
 	allow $1 init_t:process sigchld;
@@ -302,6 +249,9 @@ interface(`init_sigchld',`
 interface(`init_use_fds',`
 	gen_require(`
 		type init_t;
+
+		# cjp: remove this when init_t decl is moved back to this module
+		type init_exec_t;
 	')
 
 	allow $1 init_t:fd use;
@@ -314,6 +264,9 @@ interface(`init_use_fds',`
 interface(`init_dontaudit_use_fds',`
 	gen_require(`
 		type init_t;
+
+		# cjp: remove this when init_t decl is moved back to this module
+		type init_exec_t;
 	')
 
 	dontaudit $1 init_t:fd use;
@@ -332,6 +285,9 @@ interface(`init_dontaudit_use_fds',`
 interface(`init_udp_send',`
 	gen_require(`
 		type init_t;
+
+		# cjp: remove this when init_t decl is moved back to this module
+		type init_exec_t;
 	')
 
 	allow $1 init_t:udp_socket sendto;
@@ -339,6 +295,68 @@ interface(`init_udp_send',`
 ')
 
 ########################################
+#
+# init_getattr_initctl(domain)
+#
+interface(`init_getattr_initctl',`
+	gen_require(`
+		type initctl_t;
+	')
+
+	allow $1 initctl_t:fifo_file getattr;
+')
+
+########################################
+#
+# init_dontaudit_getattr_initctl(domain)
+#
+interface(`init_dontaudit_getattr_initctl',`
+	gen_require(`
+		type initctl_t;
+	')
+
+	dontaudit $1 initctl_t:fifo_file getattr;
+')
+
+########################################
+#
+# init_write_initctl(domain)
+#
+interface(`init_write_initctl',`
+	gen_require(`
+		type initctl_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 initctl_t:fifo_file write;
+')
+
+########################################
+#
+# init_rw_initctl(domain)
+#
+interface(`init_rw_initctl',`
+	gen_require(`
+		type initctl_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 initctl_t:fifo_file rw_file_perms;
+')
+
+########################################
+#
+# init_dontaudit_rw_initctl(domain)
+#
+interface(`init_dontaudit_rw_initctl',`
+	gen_require(`
+		type initctl_t;
+	')
+
+	dontaudit $1 initctl_t:fifo_file { read write };
+')
+
+########################################
 ## <summary>
 ##	Make init scripts an entry point for
 ##	the specified domain.
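Review bot: The five re-added initctl interfaces keep a bare `# init_getattr_initctl(domain)`-style header, while the next interface in the file already uses the `## <summary>` format; since the blocks are being moved anyway, each could get a `## <summary>` description and a `## <param name="domain">` entry. Separately, `init_write_initctl` and `init_rw_initctl` call `dev_list_all_dev_nodes($1)`, so a caller that only needs to write the FIFO also gains directory listing on device directories. If the devices module offers a search-only interface (not visible in this diff), that would be the least-privilege choice; otherwise a comment should state why list access is needed. `init_dontaudit_rw_initctl` also hides read/write denials on the init control FIFO from the audit log, so its summary should say it is meant for callers whose access attempts are known to be harmless.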
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 1dc2d5a..9b45dcf 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -21,6 +21,8 @@ attribute direct_init_entry;
 #
 # real declaration moved to mls until
 # range_transition works in loadable modules
+# also remove the extra init_exec_t dependencies
+# in init_t interfaces when the decl gets moved back here.
 gen_require(`
 	type init_t;
 ')

