[selinux-policy: 1548/3172] some cleanup in the kernel layer

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:19:02 UTC 2010


commit 8b9ebd37693b8abb422f748b4b71e4c8bf5613fe
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Jul 25 15:23:13 2006 +0000

    some cleanup in the kernel layer

 policy/modules/kernel/devices.te  |   10 +---------
 policy/modules/kernel/selinux.if  |   29 ++++++++++++++---------------
 policy/modules/kernel/terminal.if |    1 -
 3 files changed, 15 insertions(+), 25 deletions(-)
---
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 8edb0f5..a1940b4 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -20,14 +20,6 @@ files_type(device_t)
 files_mountpoint(device_t)
 files_associate_tmp(device_t)
 
-# Only directories and symlinks should be labeled device_t.
-# If there are other files with this type, it is wrong.
-# Relabelto is allowed for setfiles to function, in case
-# a device node has no specific type yet, but is for some
-# reason labeled with a specific type
-#cjp: want this, but udev policy breaks this
-#neverallow domain device_t:{ file fifo_file sock_file chr_file blk_file } ~{ getattr setattr relabelfrom relabelto };
-
 #
 # Type for /dev/agpgart
 #
@@ -206,4 +198,4 @@ files_associate_tmp(device_node)
 
 allow devices_unconfined_type self:capability sys_rawio;
 allow devices_unconfined_type device_node:{ blk_file chr_file } *;
-allow devices_unconfined_type mtrr_device_t:{ dir file } *;
+allow devices_unconfined_type mtrr_device_t:file *;
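Review bot: Dropping the `dir` class from the mtrr_device_t rule is only safe if mtrr_device_t is never applied to a directory; the file-context entries that decide this are not in the hunk, so that should be confirmed before relying on the narrower rule. If it is the case, a one-line comment stating the assumption, `# mtrr_device_t labels a single file node, so no dir access is needed`, would make the intent explicit to the next reader rather than leaving the narrowing unexplained.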
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index f080e2a..c4f9d7e 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -55,7 +55,7 @@ interface(`selinux_search_fs',`
 		type security_t;
 	')
 
-	allow $1 security_t:dir search;
+	allow $1 security_t:dir search_dir_perms;
 ')
 
 ########################################
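Review bot: Replacing `search` with `search_dir_perms` here (and in selinux_dontaudit_search_fs and selinux_dontaudit_read_fs below) is not a pure cleanup: unless the local definition differs, refpolicy's search_dir_perms set also carries getattr, so selinux_search_fs now grants, and the dontaudit variants now hide, more than the literal they replace. The same applies more strongly to the later hunks in this file where `{ read search getattr }` becomes `list_dir_perms`, which also includes lock and ioctl and will silently pick up any permission later added to that set. The extra access is probably harmless for security_t, but the commit message says only "cleanup"; either the message should state the widened permissions or the literal sets should be kept where the narrower grant was deliberate. The selinux_search_fs interface opens before the hunk.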
@@ -73,7 +73,7 @@ interface(`selinux_dontaudit_search_fs',`
 		type security_t;
 	')
 
-	dontaudit $1 security_t:dir search;
+	dontaudit $1 security_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -92,7 +92,7 @@ interface(`selinux_dontaudit_read_fs',`
 		type security_t;
 	')
 
-	dontaudit $1 security_t:dir search;
+	dontaudit $1 security_t:dir search_dir_perms;
 	dontaudit $1 security_t:file { getattr read };
 ')
 
@@ -112,7 +112,7 @@ interface(`selinux_get_enforce_mode',`
 		type security_t;
 	')
 
-	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file { getattr read };
 ')
 
@@ -144,7 +144,7 @@ interface(`selinux_set_enforce_mode',`
 		bool secure_mode_policyload;
 	')
 
-	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file { getattr read write };
 	typeattribute $1 can_setenforce;
 
@@ -171,7 +171,7 @@ interface(`selinux_load_policy',`
 		bool secure_mode_policyload;
 	')
 
-	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file { getattr read write };
 	typeattribute $1 can_load_policy;
 
@@ -208,8 +208,7 @@ interface(`selinux_set_boolean',`
 		bool secure_mode_policyload;
 	')
 
-	allow $1 security_t:dir search;
-	allow $1 security_t:dir { getattr search read };
+	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file { getattr read write };
 
 	if(!secure_mode_policyload) {
@@ -249,7 +248,7 @@ interface(`selinux_set_parameters',`
 		attribute can_setsecparam;
 	')
 
-	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file { getattr read write };
 	allow $1 security_t:security setsecparam;
 	auditallow $1 security_t:security setsecparam;
@@ -271,7 +270,7 @@ interface(`selinux_validate_context',`
 		type security_t;
 	')
 
-	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file { getattr read write };
 	allow $1 security_t:security check_context;
 ')
@@ -291,7 +290,7 @@ interface(`selinux_compute_access_vector',`
 		type security_t;
 	')
 
-	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file { getattr read write };
 	allow $1 security_t:security compute_av;
 ')
@@ -311,7 +310,7 @@ interface(`selinux_compute_create_context',`
 		type security_t;
 	')
 
-	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file { getattr read write };
 	allow $1 security_t:security compute_create;
 ')
@@ -332,7 +331,7 @@ interface(`selinux_compute_member',`
 		type security_t;
 	')
 
-	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file { getattr read write };
 	allow $1 security_t:security compute_member;
 ')
@@ -361,7 +360,7 @@ interface(`selinux_compute_relabel_context',`
 		type security_t;
 	')
 
-	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file { getattr read write };
 	allow $1 security_t:security compute_relabel;
 ')
@@ -381,7 +380,7 @@ interface(`selinux_compute_user_contexts',`
 		type security_t;
 	')
 
-	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file { getattr read write };
 	allow $1 security_t:security compute_user;
 ')
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 04b2dc2..f0a216c 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -308,7 +308,6 @@ interface(`term_dontaudit_search_ptys',`
 		type devpts_t;
 	')
 
-	dev_dontaudit_list_all_dev_nodes($1)
 	dontaudit $1 devpts_t:dir search;
 ')
 

