[selinux-policy: 1536/3172] more TODO cleanup
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:18:01 UTC 2010
commit 1f6524ae6058788cca0fe3a0495684c2240ba857
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Thu Jul 6 17:00:29 2006 +0000
more TODO cleanup
refpolicy/policy/modules/apps/games.te | 7 --
refpolicy/policy/modules/apps/gpg.if | 81 +++++++++++---------------
refpolicy/policy/modules/apps/gpg.te | 2 +-
refpolicy/policy/modules/kernel/domain.te | 5 +-
refpolicy/policy/modules/system/authlogin.te | 7 +-
refpolicy/policy/modules/system/raid.te | 5 --
6 files changed, 40 insertions(+), 67 deletions(-)
---
diff --git a/refpolicy/policy/modules/apps/games.te b/refpolicy/policy/modules/apps/games.te
index 786c5d1..e0b6974 100644
--- a/refpolicy/policy/modules/apps/games.te
+++ b/refpolicy/policy/modules/apps/games.te
@@ -75,10 +75,3 @@ optional_policy(`
optional_policy(`
udev_read_db(games_t)
')
-
-ifdef(`TODO',`
- #WHY!!!
- #allow initrc_t games_data_t:dir r_dir_perms;
- #allow initrc_t games_data_t:file r_file_perms;
- #allow initrc_t games_data_t:lnk_file { getattr read };
-')
diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if
index d0a3bed..9d49603 100644
--- a/refpolicy/policy/modules/apps/gpg.if
+++ b/refpolicy/policy/modules/apps/gpg.if
@@ -76,14 +76,6 @@ template(`gpg_per_userdomain_template',`
# GPG local policy
#
- # transition from the userdomain to the derived domain
- domain_auto_trans($2,gpg_exec_t,$1_gpg_t)
-
- allow $2 $1_gpg_t:fd use;
- allow $1_gpg_t $2:fd use;
- allow $1_gpg_t $2:fifo_file rw_file_perms;
- allow $1_gpg_t $2:process sigchld;
-
allow $1_gpg_t self:capability { ipc_lock setuid };
allow { $2 $1_gpg_t } $1_gpg_t:process signal;
# setrlimit is for ulimit -c 0
@@ -96,6 +88,17 @@ template(`gpg_per_userdomain_template',`
allow $1_gpg_t $1_gpg_secret_t:file create_file_perms;
allow $1_gpg_t $1_gpg_secret_t:lnk_file create_lnk_perms;
+ # transition from the userdomain to the derived domain
+ domain_auto_trans($2,gpg_exec_t,$1_gpg_t)
+ allow $1_gpg_t $2:fd use;
+ allow $1_gpg_t $2:fifo_file rw_file_perms;
+ allow $1_gpg_t $2:process sigchld;
+
+ # allow ps to show gpg
+ allow $2 $1_gpg_t:dir { search getattr read };
+ allow $2 $1_gpg_t:{ file lnk_file } { read getattr };
+ allow $2 $1_gpg_t:process getattr;
+
corenet_non_ipsec_sendrecv($1_gpg_t)
corenet_tcp_sendrecv_all_if($1_gpg_t)
corenet_udp_sendrecv_all_if($1_gpg_t)
@@ -138,12 +141,6 @@ template(`gpg_per_userdomain_template',`
# Write content to encrypt/decrypt/sign
write_trusted($1_gpg_t, $1)
-
- ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')
-
- # allow ps to show gpg
- can_ps($1_t, $1_gpg_t)
-
') dnl end TODO
########################################
@@ -161,8 +158,6 @@ template(`gpg_per_userdomain_template',`
# transition from the gpg domain to the helper domain
domain_auto_trans($1_gpg_t,gpg_helper_exec_t,$1_gpg_helper_t)
-
- allow $1_gpg_t $1_gpg_helper_t:fd use;
allow $1_gpg_helper_t $1_gpg_t:fd use;
allow $1_gpg_helper_t $1_gpg_t:fifo_file rw_file_perms;
allow $1_gpg_helper_t $1_gpg_t:process sigchld;
@@ -206,12 +201,10 @@ template(`gpg_per_userdomain_template',`
fs_dontaudit_rw_cifs_files($1_gpg_helper_t)
')
- ifdef(`TODO',`
-
- ifdef(`xdm.te',`
- can_pipe_xdm($1_gpg_t)
+ optional_policy(`
+ xserver_use_xdm_fds($1_gpg_t)
+ xserver_rw_xdm_pipes($1_gpg_t)
')
- ') dnl end TODO
########################################
#
@@ -234,6 +227,11 @@ template(`gpg_per_userdomain_template',`
allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write;
allow $1_gpg_t $1_gpg_agent_t:unix_stream_socket connectto;
+ # allow ps to show gpg-agent
+ allow $2 $1_gpg_agent_t:dir { search getattr read };
+ allow $2 $1_gpg_agent_t:{ file lnk_file } { read getattr };
+ allow $2 $1_gpg_agent_t:process getattr;
+
# Allow the user shell to signal the gpg-agent program.
allow $2 $1_gpg_agent_t:process { signal sigkill };
@@ -242,10 +240,13 @@ template(`gpg_per_userdomain_template',`
allow $2 $1_gpg_agent_tmp_t:sock_file create_file_perms;
files_tmp_filetrans($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
- corecmd_search_bin($1_gpg_agent_t)
-
# Transition from the user domain to the derived domain.
domain_auto_trans($2, gpg_agent_exec_t, $1_gpg_agent_t)
+ allow $1_gpg_agent_t $2:fd use;
+ allow $1_gpg_agent_t $2:fifo_file rw_file_perms;
+ allow $1_gpg_agent_t $2:process sigchld;
+
+ corecmd_search_bin($1_gpg_agent_t)
domain_use_interactive_fds($1_gpg_agent_t)
@@ -256,6 +257,8 @@ template(`gpg_per_userdomain_template',`
# Write to the user domain tty.
userdom_use_user_terminals($1,$1_gpg_agent_t)
+ # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
+ userdom_search_user_home_dirs($1,$1_gpg_agent_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_gpg_agent_t)
@@ -269,19 +272,6 @@ template(`gpg_per_userdomain_template',`
fs_manage_cifs_symlinks($1_gpg_agent_t)
')
- ifdef(`TODO',`
-
- # allow ps to show gpg-agent
- can_ps($1_t, $1_gpg_agent_t)
-
- allow $1_gpg_agent_t proc_t:dir search;
- allow $1_gpg_agent_t proc_t:lnk_file read;
-
- # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
- allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search;
-
- ') dnl endif TODO
-
##############################
#
# Pinentry local policy
@@ -290,8 +280,6 @@ template(`gpg_per_userdomain_template',`
# we need to allow gpg-agent to call pinentry so it can get the passphrase
# from the user.
domain_auto_trans($1_gpg_agent_t,pinentry_exec_t,$1_gpg_pinentry_t)
-
- allow $1_gpg_pinentry_t $1_gpg_agent_t:fd use;
allow $1_gpg_agent_t $1_gpg_pinentry_t:fd use;
allow $1_gpg_agent_t $1_gpg_pinentry_t:fifo_file rw_file_perms;
allow $1_gpg_agent_t $1_gpg_pinentry_t:process sigchld;
@@ -312,6 +300,9 @@ template(`gpg_per_userdomain_template',`
miscfiles_read_fonts($1_gpg_pinentry_t)
miscfiles_read_localization($1_gpg_pinentry_t)
+ # for .Xauthority
+ userdom_read_user_home_content_files($1,$1_gpg_pinentry_t)
+
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files($1_gpg_pinentry_t)
')
@@ -320,19 +311,13 @@ template(`gpg_per_userdomain_template',`
fs_read_cifs_files($1_gpg_pinentry_t)
')
- ifdef(`TODO',`
-
- ifdef(`xdm.te', `
- allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search;
- allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write };
- allow $1_gpg_pinentry_t xdm_xserver_t:unix_stream_socket connectto;
+ optional_policy(`
+ xserver_stream_connect_xdm_xserver($1_gpg_pinentry_t)
')
- allow $1_gpg_pinentry_t { tmp_t home_root_t }:dir { getattr search };
+ ifdef(`TODO',`
+ allow $1_gpg_pinentry_t tmp_t:dir { getattr search };
- # for .Xauthority
- allow $1_gpg_pinentry_t $1_home_dir_t:dir { getattr search };
- allow $1_gpg_pinentry_t $1_home_t:file r_file_perms;
# wants to put some lock files into the user home dir, seems to work fine without
dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
dontaudit $1_gpg_pinentry_t $1_home_t:file write;
diff --git a/refpolicy/policy/modules/apps/gpg.te b/refpolicy/policy/modules/apps/gpg.te
index 830326e..07760d0 100644
--- a/refpolicy/policy/modules/apps/gpg.te
+++ b/refpolicy/policy/modules/apps/gpg.te
@@ -1,5 +1,5 @@
-policy_module(gpg, 1.0.3)
+policy_module(gpg, 1.0.4)
########################################
#
diff --git a/refpolicy/policy/modules/kernel/domain.te b/refpolicy/policy/modules/kernel/domain.te
index c58cb7b..f0e07f2 100644
--- a/refpolicy/policy/modules/kernel/domain.te
+++ b/refpolicy/policy/modules/kernel/domain.te
@@ -1,5 +1,5 @@
-policy_module(domain,1.1.2)
+policy_module(domain,1.1.3)
########################################
#
@@ -71,10 +71,11 @@ neverallow ~{ domain unlabeled_t } *:process *;
# Rules applied to all domains
#
-# read /proc/pid entries
+# read /proc/(pid|self) entries
allow domain self:dir r_dir_perms;
allow domain self:lnk_file r_file_perms;
allow domain self:file rw_file_perms;
+kernel_read_proc_symlinks(domain)
# create child processes in the domain
allow domain self:process { fork sigchld };
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 6a21bb7..209101a 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -1,5 +1,5 @@
-policy_module(authlogin,1.3.6)
+policy_module(authlogin,1.3.7)
########################################
#
@@ -311,8 +311,7 @@ optional_policy(`
nscd_socket_use(utempter_t)
')
-ifdef(`TODO',`
optional_policy(`
- can_pipe_xdm(utempter_t)
-')
+ xserver_use_xdm_fds(utempter_t)
+ xserver_rw_xdm_pipes(utempter_t)
')
diff --git a/refpolicy/policy/modules/system/raid.te b/refpolicy/policy/modules/system/raid.te
index 44db206..8e18595 100644
--- a/refpolicy/policy/modules/system/raid.te
+++ b/refpolicy/policy/modules/system/raid.te
@@ -82,8 +82,3 @@ optional_policy(`
optional_policy(`
udev_read_db(mdadm_t)
')
-
-ifdef(`TODO',`
-# Ignore attempts to read every device file
-dontaudit mdadm_t device_t:{ fifo_file file chr_file blk_file } { read getattr };
-') dnl TODO
More information about the scm-commits
mailing list