[selinux-policy: 1414/3172] split out filetrans part of files_manage_etc_runtime_files(), bug 1663

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:07:37 UTC 2010


commit 6714c268a54617089b349ddf4b4cfdb6cc5e2f32
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue May 2 18:34:35 2006 +0000

    split out filetrans part of files_manage_etc_runtime_files(), bug 1663

 refpolicy/policy/modules/admin/bootloader.te  |    1 +
 refpolicy/policy/modules/admin/kudzu.te       |    1 +
 refpolicy/policy/modules/kernel/files.if      |   38 ++++++++++++++++++++----
 refpolicy/policy/modules/services/samba.te    |    1 +
 refpolicy/policy/modules/services/watchdog.te |    1 +
 refpolicy/policy/modules/system/fstools.te    |    1 +
 refpolicy/policy/modules/system/hotplug.te    |    1 +
 refpolicy/policy/modules/system/init.te       |    2 +
 refpolicy/policy/modules/system/mount.te      |    3 +-
 9 files changed, 41 insertions(+), 8 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/bootloader.te b/refpolicy/policy/modules/admin/bootloader.te
index 0bec93a..98aa2f8 100644
--- a/refpolicy/policy/modules/admin/bootloader.te
+++ b/refpolicy/policy/modules/admin/bootloader.te
@@ -110,6 +110,7 @@ files_read_kernel_modules(bootloader_t)
 files_dontaudit_search_pids(bootloader_t)
 # for blkid.tab
 files_manage_etc_runtime_files(bootloader_t)
+files_etc_filetrans_etc_runtime(bootloader_t,file)
 
 init_getattr_initctl(bootloader_t)
 init_use_script_ptys(bootloader_t)
diff --git a/refpolicy/policy/modules/admin/kudzu.te b/refpolicy/policy/modules/admin/kudzu.te
index 6615973..481f0d5 100644
--- a/refpolicy/policy/modules/admin/kudzu.te
+++ b/refpolicy/policy/modules/admin/kudzu.te
@@ -88,6 +88,7 @@ files_search_var(kudzu_t)
 files_search_locks(kudzu_t)
 files_manage_etc_files(kudzu_t)
 files_manage_etc_runtime_files(kudzu_t)
+files_etc_filetrans_etc_runtime(kudzu_t,file)
 files_manage_mnt_files(kudzu_t)
 files_manage_mnt_symlinks(kudzu_t)
 files_dontaudit_search_src(kudzu_t)
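Review bot: Because `files_manage_etc_files(kudzu_t)` sits two lines above the added `files_etc_filetrans_etc_runtime(kudzu_t,file)`, the transition applies to every file kudzu_t creates directly in an `etc_t` directory, not only to runtime state, and each such file is labeled `etc_runtime_t` instead of `etc_t`. Any persistent configuration kudzu writes under /etc (presumably it does, though the hunk names no path) therefore ends up with the label that every `files_manage_etc_runtime_files()` caller in this commit — smbmount_t, watchdog_t, hotplug_t, initrc_t and others — can rewrite with `manage_file_perms`. This is the same labeling the old in-interface transition produced, so it is not a regression, but a comment naming the intended file, like the `# for blkid.tab` above the equivalent line in bootloader.te, would make the scope explicit, and a private type via `files_etc_filetrans(kudzu_t, <type>, file)` would be the tighter fix if those files are meant to stay out of reach of the runtime-file writers.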
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index 77dad24..5f5a897 100644
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -1684,6 +1684,19 @@ interface(`files_relabel_etc_files',`
 
 ########################################
 #
+# files_etc_filetrans(domain,privatetype,class(es))
+#
+interface(`files_etc_filetrans',`
+	gen_require(`
+		type etc_t;
+	')
+
+	allow $1 etc_t:dir rw_dir_perms;
+	type_transition $1 etc_t:$3 $2;
+')
+
+########################################
+#
 # files_create_boot_flag(domain)
 #
 # /halt, /.autofsck, etc
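Review bot: `files_etc_filetrans` is re-added here with only the bare `# files_etc_filetrans(domain,privatetype,class(es))` header and no `## <summary>`/`<param>` block, unlike `files_etc_filetrans_etc_runtime` later in this same commit, so it is a public interface that will be missing from the generated interface documentation. The XML block should say that the domain receives `rw_dir_perms` on `etc_t` (the ability to add and remove any name directly under /etc) plus an automatic transition of the listed class(es) to the private type, and that it grants no access to the private type itself, so callers must separately allow `create` and whatever else they need on it. A `<param name="privatetype">` entry naming the type that must already be declared by the caller would complete it.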
@@ -1778,21 +1791,32 @@ interface(`files_manage_etc_runtime_files',`
 
 	allow $1 etc_t:dir rw_dir_perms;
 	allow $1 etc_runtime_t:dir rw_dir_perms;
-	allow $1 etc_runtime_t:file create_file_perms;
-	type_transition $1 etc_t:file etc_runtime_t;
+	allow $1 etc_runtime_t:file manage_file_perms;
 ')
 
 ########################################
+## <summary>
+##	Create, etc runtime objects with an automatic
+##	type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The class of the object being created.
+##	</summary>
+## </param>
 #
-# files_etc_filetrans(domain,privatetype,class(es))
-#
-interface(`files_etc_filetrans',`
+interface(`files_etc_filetrans_etc_runtime',`
 	gen_require(`
-		type etc_t;
+		type etc_t, etc_runtime_t;
 	')
 
 	allow $1 etc_t:dir rw_dir_perms;
-	type_transition $1 etc_t:$3 $2;
+	type_transition $1 etc_t:$2 etc_runtime_t;
 ')
 
 ########################################
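Review bot: The new `files_etc_filetrans_etc_runtime` grants `rw_dir_perms` on `etc_t` and the transition, but nothing on `etc_runtime_t:$2`, so on its own it lets a domain create a name in /etc that it then cannot write; it only works paired with `files_manage_etc_runtime_files()`, which after this hunk no longer carries the transition, and the `<summary>` should state that. Suggest replacing `Create, etc runtime objects with an automatic type transition.` with `Create etc runtime objects in /etc with an automatic type transition to etc_runtime_t; the caller still needs files_manage_etc_runtime_files() (or equivalent) for access to the objects themselves.` The `create_file_perms` to `manage_file_perms` change on `etc_runtime_t:file` may widen the grant if those two sets differ in this policy version, which is worth confirming against obj_perm_sets.spt. `files_manage_etc_runtime_files` begins above the hunk, and if its own summary still describes an automatic transition it needs the matching update.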
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index bddf574..3f59ac4 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -496,6 +496,7 @@ corecmd_list_bin(smbmount_t)
 files_list_mnt(smbmount_t)
 files_mounton_mnt(smbmount_t)
 files_manage_etc_runtime_files(smbmount_t)
+files_etc_filetrans_etc_runtime(smbmount_t,file)
 files_read_etc_files(smbmount_t)
 
 miscfiles_read_localization(smbmount_t)
diff --git a/refpolicy/policy/modules/services/watchdog.te b/refpolicy/policy/modules/services/watchdog.te
index d6bc58f..77e8c19 100644
--- a/refpolicy/policy/modules/services/watchdog.te
+++ b/refpolicy/policy/modules/services/watchdog.te
@@ -75,6 +75,7 @@ domain_kill_all_domains(watchdog_t)
 files_read_etc_files(watchdog_t)
 # for updating mtab on umount
 files_manage_etc_runtime_files(watchdog_t)
+files_etc_filetrans_etc_runtime(watchdog_t,file)
 
 fs_unmount_xattr_fs(watchdog_t)
 fs_getattr_all_fs(watchdog_t)
diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te
index 3b479a0..73a8fe0 100644
--- a/refpolicy/policy/modules/system/fstools.te
+++ b/refpolicy/policy/modules/system/fstools.te
@@ -121,6 +121,7 @@ files_manage_lost_found(fsadm_t)
 files_manage_isid_type_dirs(fsadm_t)
 # Write to /etc/mtab.
 files_manage_etc_runtime_files(fsadm_t)
+files_etc_filetrans_etc_runtime(fsadm_t,file)
 # Access to /initrd devices
 files_rw_isid_type_dirs(fsadm_t)
 files_rw_isid_type_blk_files(fsadm_t)
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index a71dfa6..e159888 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -91,6 +91,7 @@ domain_dontaudit_getattr_all_domains(hotplug_t)
 
 files_read_etc_files(hotplug_t)
 files_manage_etc_runtime_files(hotplug_t)
+files_etc_filetrans_etc_runtime(hotplug_t,file)
 files_exec_etc_files(hotplug_t)
 # for when filesystems are not mounted early in the boot:
 files_dontaudit_search_isid_type_dirs(hotplug_t)
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 4ae76e0..55f0cdc 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -146,6 +146,7 @@ files_read_etc_files(init_t)
 files_rw_generic_pids(init_t)
 files_dontaudit_search_isid_type_dirs(init_t)
 files_manage_etc_runtime_files(init_t)
+files_etc_filetrans_etc_runtime(init_t,file)
 # Run /etc/X11/prefdm:
 files_exec_etc_files(init_t)
 # file descriptors inherited from the rootfs:
@@ -337,6 +338,7 @@ files_delete_all_pids(initrc_t)
 files_delete_all_pid_dirs(initrc_t)
 files_read_etc_files(initrc_t)
 files_manage_etc_runtime_files(initrc_t)
+files_etc_filetrans_etc_runtime(initrc_t,file)
 files_manage_generic_locks(initrc_t)
 files_exec_etc_files(initrc_t)
 files_read_usr_files(initrc_t)
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index acf6d73..8c9c181 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -71,6 +71,7 @@ domain_use_interactive_fds(mount_t)
 files_search_all(mount_t)
 files_read_etc_files(mount_t)
 files_manage_etc_runtime_files(mount_t)
+files_etc_filetrans_etc_runtime(mount_t,file)
 files_mounton_all_mountpoints(mount_t)
 files_unmount_rootfs(mount_t)
 # These rules need to be generalized.  Only admin, initrc should have it:
@@ -164,6 +165,6 @@ optional_policy(`
 #
 
 ifdef(`targeted_policy',`
-	files_manage_etc_runtime_files(unconfined_mount_t)
+	files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
 	unconfined_domain(unconfined_mount_t)
 ')
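Review bot: After the swap, `unconfined_mount_t` keeps only the `rw_dir_perms` on `etc_t` and the type transition that `files_etc_filetrans_etc_runtime()` carries, with the file access itself coming from `unconfined_domain()` on the following line, which the hunk leaves implicit. A one-line comment would stop the next reader from re-adding the manage interface as a fix: `# unconfined_domain() supplies the access; only the etc_runtime_t transition is needed here`. The confined `mount_t` above keeps both interfaces, so the asymmetry is deliberate but undocumented.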

