[selinux-policy: 1516/3172] clean up usercanread
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:16:19 UTC 2010
commit b68a85cbef8bd09d74c319fdab2cd7acd6809331
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Jun 14 20:52:45 2006 +0000
clean up usercanread
refpolicy/policy/modules/admin/usermanage.te | 4 +-
refpolicy/policy/modules/kernel/filesystem.te | 4 +-
refpolicy/policy/modules/services/cups.te | 51 +++++++++++++------------
refpolicy/policy/modules/services/rpc.if | 40 +++++++++++++++++++
refpolicy/policy/modules/services/rpc.te | 7 +--
refpolicy/policy/modules/services/samba.te | 4 +-
refpolicy/policy/modules/services/xserver.te | 4 +-
refpolicy/policy/modules/system/miscfiles.te | 4 +-
8 files changed, 79 insertions(+), 39 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 8c3897a..446197e 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -1,5 +1,5 @@
-policy_module(usermanage,1.3.5)
+policy_module(usermanage,1.3.6)
########################################
#
@@ -25,7 +25,7 @@ type crack_exec_t;
domain_entry_file(crack_t,crack_exec_t)
type crack_db_t;
-files_config_file(crack_db_t)
+files_type(crack_db_t)
type crack_tmp_t;
files_tmp_file(crack_tmp_t)
diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te
index aeeccb6..867de41 100644
--- a/refpolicy/policy/modules/kernel/filesystem.te
+++ b/refpolicy/policy/modules/kernel/filesystem.te
@@ -1,5 +1,5 @@
-policy_module(filesystem,1.3.9)
+policy_module(filesystem,1.3.10)
########################################
#
@@ -159,7 +159,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
type removable_t;
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
-files_config_file(removable_t)
+files_type(removable_t)
#
# nfs_t is the default type for NFS file systems
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index 69d6faf..0c24a94 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -1,5 +1,5 @@
-policy_module(cups,1.3.8)
+policy_module(cups,1.3.9)
########################################
#
@@ -131,8 +131,10 @@ kernel_tcp_recvfrom(cupsd_t)
corenet_non_ipsec_sendrecv(cupsd_t)
corenet_tcp_sendrecv_all_if(cupsd_t)
corenet_udp_sendrecv_all_if(cupsd_t)
+corenet_raw_sendrecv_all_if(cupsd_t)
corenet_tcp_sendrecv_all_nodes(cupsd_t)
corenet_udp_sendrecv_all_nodes(cupsd_t)
+corenet_raw_sendrecv_all_nodes(cupsd_t)
corenet_tcp_sendrecv_all_ports(cupsd_t)
corenet_udp_sendrecv_all_ports(cupsd_t)
corenet_tcp_bind_all_nodes(cupsd_t)
@@ -153,6 +155,8 @@ dev_read_usbfs(cupsd_t)
fs_getattr_all_fs(cupsd_t)
fs_search_auto_mountpoints(cupsd_t)
+# from old usercanread attrib:
+fs_read_removable_files(cupsd_t)
term_dontaudit_use_console(cupsd_t)
term_write_unallocated_ttys(cupsd_t)
@@ -251,20 +255,21 @@ optional_policy(`
')
optional_policy(`
- mount_send_nfs_client_request(cupsd_t)
+ nscd_socket_use(cupsd_t)
')
optional_policy(`
- nscd_socket_use(cupsd_t)
+ portmap_udp_chat(cupsd_t)
')
optional_policy(`
- portmap_udp_chat(cupsd_t)
+ # from old usercanread attrib:
+ rpc_read_nfs_content(cupsd_t)
+ rpc_read_nfs_state_data(cupsd_t)
')
optional_policy(`
samba_rw_var_files(cupsd_t)
- # cjp: rw_dir_perms was here, but doesnt make sense
')
optional_policy(`
@@ -275,6 +280,16 @@ optional_policy(`
udev_read_db(cupsd_t)
')
+optional_policy(`
+ # from old usercanread attrib:
+ usermanage_read_crack_db(cupsd_t)
+')
+
+optional_policy(`
+ # from old usercanread attrib:
+ xserver_read_xkb_libs(cupsd_t)
+')
+
ifdef(`TODO',`
allow web_client_domain cupsd_t:tcp_socket { connectto recvfrom };
allow cupsd_t web_client_domain:tcp_socket { acceptfrom recvfrom };
@@ -308,11 +323,6 @@ allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
allow cupsd_config_t cupsd_t:dir { search getattr read };
allow cupsd_config_t cupsd_t:{ file lnk_file } { read getattr };
allow cupsd_config_t cupsd_t:process getattr;
-# We need to suppress this denial because procps tries to access
-# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-# (2.4 and 2.6). Might want to change procps to not do this, or only if
-# running in a privileged domain.
-dontaudit cupsd_config_t cupsd_t:process ptrace;
allow cupsd_config_t cupsd_config_var_run_t:file create_file_perms;
allow cupsd_config_t cupsd_config_var_run_t:dir rw_dir_perms;
@@ -338,14 +348,12 @@ kernel_read_system_state(cupsd_config_t)
kernel_read_kernel_sysctls(cupsd_config_t)
kernel_tcp_recvfrom(cupsd_config_t)
+corenet_non_ipsec_sendrecv(cupsd_config_t)
corenet_tcp_sendrecv_all_if(cupsd_config_t)
-corenet_raw_sendrecv_all_if(cupsd_config_t)
corenet_tcp_sendrecv_all_nodes(cupsd_config_t)
-corenet_raw_sendrecv_all_nodes(cupsd_config_t)
corenet_tcp_sendrecv_all_ports(cupsd_config_t)
-corenet_non_ipsec_sendrecv(cupsd_config_t)
-corenet_tcp_bind_all_nodes(cupsd_config_t)
corenet_tcp_connect_all_ports(cupsd_config_t)
+corenet_sendrecv_all_client_packets(cupsd_config_t)
dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
@@ -493,15 +501,13 @@ kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
kernel_read_network_state(cupsd_lpd_t)
+corenet_non_ipsec_sendrecv(cupsd_lpd_t)
corenet_tcp_sendrecv_all_if(cupsd_lpd_t)
corenet_udp_sendrecv_all_if(cupsd_lpd_t)
-corenet_raw_sendrecv_all_if(cupsd_lpd_t)
corenet_tcp_sendrecv_all_nodes(cupsd_lpd_t)
corenet_udp_sendrecv_all_nodes(cupsd_lpd_t)
-corenet_raw_sendrecv_all_nodes(cupsd_lpd_t)
corenet_tcp_sendrecv_all_ports(cupsd_lpd_t)
corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
-corenet_non_ipsec_sendrecv(cupsd_lpd_t)
corenet_tcp_bind_all_nodes(cupsd_lpd_t)
corenet_udp_bind_all_nodes(cupsd_lpd_t)
corenet_tcp_connect_ipp_port(cupsd_lpd_t)
@@ -546,10 +552,9 @@ allow hplip_t self:fifo_file rw_file_perms;
allow hplip_t self:process signal_perms;
allow hplip_t self:unix_dgram_socket create_socket_perms;
allow hplip_t self:unix_stream_socket create_socket_perms;
+allow hplip_t self:netlink_route_socket r_netlink_socket_perms;
allow hplip_t self:tcp_socket create_stream_socket_perms;
allow hplip_t self:udp_socket create_socket_perms;
-allow hplip_t self:netlink_route_socket r_netlink_socket_perms;
-# cjp: raw?
allow hplip_t self:rawip_socket create_socket_perms;
allow hplip_t cupsd_etc_t:dir search;
@@ -568,6 +573,7 @@ files_pid_filetrans(hplip_t,hplip_var_run_t,file)
kernel_read_system_state(hplip_t)
kernel_read_kernel_sysctls(hplip_t)
+corenet_non_ipsec_sendrecv(hplip_t)
corenet_tcp_sendrecv_all_if(hplip_t)
corenet_udp_sendrecv_all_if(hplip_t)
corenet_raw_sendrecv_all_if(hplip_t)
@@ -576,7 +582,6 @@ corenet_udp_sendrecv_all_nodes(hplip_t)
corenet_raw_sendrecv_all_nodes(hplip_t)
corenet_tcp_sendrecv_all_ports(hplip_t)
corenet_udp_sendrecv_all_ports(hplip_t)
-corenet_non_ipsec_sendrecv(hplip_t)
corenet_tcp_bind_all_nodes(hplip_t)
corenet_udp_bind_all_nodes(hplip_t)
corenet_tcp_bind_hplip_port(hplip_t)
@@ -641,8 +646,6 @@ optional_policy(`
udev_read_db(hplip_t)
')
-allow hplip_t devpts_t:chr_file { getattr ioctl };
-
########################################
#
# PTAL local policy
@@ -675,12 +678,10 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
+corenet_non_ipsec_sendrecv(ptal_t)
corenet_tcp_sendrecv_all_if(ptal_t)
-corenet_raw_sendrecv_all_if(ptal_t)
corenet_tcp_sendrecv_all_nodes(ptal_t)
-corenet_raw_sendrecv_all_nodes(ptal_t)
corenet_tcp_sendrecv_all_ports(ptal_t)
-corenet_non_ipsec_sendrecv(ptal_t)
corenet_tcp_bind_all_nodes(ptal_t)
corenet_tcp_bind_ptal_port(ptal_t)
diff --git a/refpolicy/policy/modules/services/rpc.if b/refpolicy/policy/modules/services/rpc.if
index 912f8ff..429e099 100644
--- a/refpolicy/policy/modules/services/rpc.if
+++ b/refpolicy/policy/modules/services/rpc.if
@@ -219,6 +219,26 @@ interface(`rpc_domtrans_nfsd',`
########################################
## <summary>
+## Read NFS exported content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_read_nfs_content',`
+ gen_require(`
+ type nfsd_ro_t, nfsd_rw_t;
+ ')
+
+ allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms;
+ allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms;
+ allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
## Allow domain to create read and write NFS directories.
## </summary>
## <param name="domain">
@@ -313,3 +333,23 @@ interface(`rpc_search_nfs_state_data',`
files_search_var_lib($1)
allow $1 var_lib_nfs_t:dir search;
')
+
+########################################
+## <summary>
+## Read NFS state data in /var/lib/nfs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_read_nfs_state_data',`
+ gen_require(`
+ type var_lib_nfs_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 var_lib_nfs_t:dir search_dir_perms;
+ allow $1 var_lib_nfs_t:file read_file_perms;
+')
diff --git a/refpolicy/policy/modules/services/rpc.te b/refpolicy/policy/modules/services/rpc.te
index 1305e08..98e1064 100644
--- a/refpolicy/policy/modules/services/rpc.te
+++ b/refpolicy/policy/modules/services/rpc.te
@@ -1,5 +1,5 @@
-policy_module(rpc,1.2.7)
+policy_module(rpc,1.2.8)
########################################
#
@@ -24,13 +24,12 @@ rpc_domain_template(rpcd)
rpc_domain_template(nfsd)
type nfsd_rw_t;
-files_config_file(nfsd_rw_t)
+files_type(nfsd_rw_t)
type nfsd_ro_t;
-files_config_file(nfsd_ro_t)
+files_type(nfsd_ro_t)
type var_lib_nfs_t;
-files_config_file(var_lib_nfs_t)
files_mountpoint(var_lib_nfs_t)
########################################
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index 7364109..f3b82ab 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -1,5 +1,5 @@
-policy_module(samba,1.2.6)
+policy_module(samba,1.2.7)
#################################
#
@@ -33,7 +33,7 @@ type samba_secrets_t;
files_type(samba_secrets_t)
type samba_share_t; # customizable
-files_config_file(samba_share_t)
+files_type(samba_share_t)
type samba_var_t;
files_type(samba_var_t)
diff --git a/refpolicy/policy/modules/services/xserver.te b/refpolicy/policy/modules/services/xserver.te
index ee6fb5c..cff31cf 100644
--- a/refpolicy/policy/modules/services/xserver.te
+++ b/refpolicy/policy/modules/services/xserver.te
@@ -1,5 +1,5 @@
-policy_module(xserver,1.1.8)
+policy_module(xserver,1.1.9)
########################################
#
@@ -54,7 +54,7 @@ files_tmpfs_file(xdm_tmpfs_t)
# type for /var/lib/xkb
type xkb_var_lib_t;
-files_config_file(xkb_var_lib_t)
+files_type(xkb_var_lib_t)
# Type for the executable used to start the X server, e.g. Xwrapper.
type xserver_exec_t;
diff --git a/refpolicy/policy/modules/system/miscfiles.te b/refpolicy/policy/modules/system/miscfiles.te
index dbe8c96..7ccd2bc 100644
--- a/refpolicy/policy/modules/system/miscfiles.te
+++ b/refpolicy/policy/modules/system/miscfiles.te
@@ -1,5 +1,5 @@
-policy_module(miscfiles,1.0.1)
+policy_module(miscfiles,1.0.2)
########################################
#
@@ -17,7 +17,7 @@ files_type(cert_t)
# files in /usr
#
type fonts_t;
-files_config_file(fonts_t)
+files_type(fonts_t)
#
# type for /usr/share/hwdata
More information about the scm-commits
mailing list