[selinux-policy: 1632/3172] fix up corecommands perm sets, add seutil_manage_config_dirs()
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:26:11 UTC 2010
commit 582438054db047e1c471dd68e530af0d3f47987c
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Oct 27 13:55:35 2006 +0000
fix up corecommands perm sets, add seutil_manage_config_dirs()
policy/modules/kernel/corecommands.if | 68 ++++++++++++++++----------------
policy/modules/kernel/corecommands.te | 2 +-
policy/modules/system/selinuxutil.if | 21 ++++++++++
policy/modules/system/selinuxutil.te | 2 +-
4 files changed, 57 insertions(+), 36 deletions(-)
---
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index 8eb3a9e..338068d 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -133,7 +133,7 @@ interface(`corecmd_search_bin',`
type bin_t;
')
- allow $1 bin_t:dir search;
+ allow $1 bin_t:dir search_dir_perms;
')
########################################
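Review bot: Replacing the bare `search` permission with `search_dir_perms` on the added line of this hunk is not a pure perm-set rename: in refpolicy's object permission sets `search_dir_perms` also carries `getattr`, so every caller of corecmd_search_bin gains a permission it did not previously hold, and the same substitution is repeated in the hunks for corecmd_read_bin_files through corecmd_sbin_spec_domtrans. The `r_dir_perms` to `list_dir_perms` and `r_file_perms` to `read_file_perms` replacements look like straight renames, assuming those sets are defined identically in this tree. The commit message "fix up corecommands perm sets" does not say that the search interfaces widen; a line such as `search interfaces now use search_dir_perms (adds getattr)` in the description would let policy reviewers see the behavioural change without diffing the perm-set definitions. Each interface body begins above the hunk.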
@@ -151,7 +151,7 @@ interface(`corecmd_list_bin',`
type bin_t;
')
- allow $1 bin_t:dir r_dir_perms;
+ allow $1 bin_t:dir list_dir_perms;
')
########################################
@@ -187,8 +187,8 @@ interface(`corecmd_read_bin_files',`
type bin_t;
')
- allow $1 bin_t:dir search;
- allow $1 bin_t:file r_file_perms;
+ allow $1 bin_t:dir search_dir_perms;
+ allow $1 bin_t:file read_file_perms;
')
########################################
@@ -206,8 +206,8 @@ interface(`corecmd_read_bin_symlinks',`
type bin_t;
')
- allow $1 bin_t:dir search;
- allow $1 bin_t:lnk_file r_file_perms;
+ allow $1 bin_t:dir search_dir_perms;
+ allow $1 bin_t:lnk_file read_file_perms;
')
########################################
@@ -225,8 +225,8 @@ interface(`corecmd_read_bin_pipes',`
type bin_t;
')
- allow $1 bin_t:dir search;
- allow $1 bin_t:fifo_file r_file_perms;
+ allow $1 bin_t:dir search_dir_perms;
+ allow $1 bin_t:fifo_file read_file_perms;
')
########################################
@@ -244,8 +244,8 @@ interface(`corecmd_read_bin_sockets',`
type bin_t;
')
- allow $1 bin_t:dir search;
- allow $1 bin_t:sock_file r_file_perms;
+ allow $1 bin_t:dir search_dir_perms;
+ allow $1 bin_t:sock_file read_file_perms;
')
########################################
@@ -264,8 +264,8 @@ interface(`corecmd_exec_bin',`
type bin_t;
')
- allow $1 bin_t:dir r_dir_perms;
- allow $1 bin_t:lnk_file r_file_perms;
+ allow $1 bin_t:dir list_dir_perms;
+ allow $1 bin_t:lnk_file read_file_perms;
can_exec($1,bin_t)
')
@@ -368,7 +368,7 @@ interface(`corecmd_bin_spec_domtrans',`
type bin_t;
')
- allow $1 bin_t:dir search;
+ allow $1 bin_t:dir search_dir_perms;
allow $1 bin_t:lnk_file { getattr read };
domain_trans($1,bin_t,$2)
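Review bot: The context line `allow $1 bin_t:lnk_file { getattr read };` directly under the changed line keeps a hand-written permission list while the rest of this commit moves the file to named permission sets; the same leftover appears in corecmd_sbin_domtrans and corecmd_sbin_spec_domtrans (the hunks at -705 and -752). For consistency with corecmd_read_bin_symlinks in this same commit the line could become `allow $1 bin_t:lnk_file read_file_perms;`, provided the extra permissions that set carries beyond getattr/read are acceptable for a domain-transition helper. If the narrower grant is deliberate, a comment such as `# getattr/read only: just enough to resolve the symlink for the transition` would stop the next cleanup from silently widening it. The interface body starts above the hunk.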
@@ -469,7 +469,7 @@ interface(`corecmd_list_sbin',`
type sbin_t;
')
- allow $1 sbin_t:dir r_dir_perms;
+ allow $1 sbin_t:dir list_dir_perms;
')
########################################
@@ -524,8 +524,8 @@ interface(`corecmd_read_sbin_files',`
type sbin_t;
')
- allow $1 sbin_t:dir search;
- allow $1 sbin_t:file r_file_perms;
+ allow $1 sbin_t:dir search_dir_perms;
+ allow $1 sbin_t:file read_file_perms;
')
########################################
@@ -543,8 +543,8 @@ interface(`corecmd_read_sbin_symlinks',`
type sbin_t;
')
- allow $1 sbin_t:dir search;
- allow $1 sbin_t:lnk_file r_file_perms;
+ allow $1 sbin_t:dir search_dir_perms;
+ allow $1 sbin_t:lnk_file read_file_perms;
')
########################################
@@ -562,8 +562,8 @@ interface(`corecmd_read_sbin_pipes',`
type sbin_t;
')
- allow $1 sbin_t:dir search;
- allow $1 sbin_t:fifo_file r_file_perms;
+ allow $1 sbin_t:dir search_dir_perms;
+ allow $1 sbin_t:fifo_file read_file_perms;
')
########################################
@@ -581,8 +581,8 @@ interface(`corecmd_read_sbin_sockets',`
type sbin_t;
')
- allow $1 sbin_t:dir search;
- allow $1 sbin_t:sock_file r_file_perms;
+ allow $1 sbin_t:dir search_dir_perms;
+ allow $1 sbin_t:sock_file read_file_perms;
')
########################################
@@ -601,8 +601,8 @@ interface(`corecmd_exec_sbin',`
type sbin_t;
')
- allow $1 sbin_t:dir r_dir_perms;
- allow $1 sbin_t:lnk_file r_file_perms;
+ allow $1 sbin_t:dir list_dir_perms;
+ allow $1 sbin_t:lnk_file read_file_perms;
can_exec($1,sbin_t)
')
@@ -705,7 +705,7 @@ interface(`corecmd_sbin_domtrans',`
type sbin_t;
')
- allow $1 sbin_t:dir search;
+ allow $1 sbin_t:dir search_dir_perms;
allow $1 sbin_t:lnk_file { getattr read };
domain_auto_trans($1,sbin_t,$2)
@@ -752,7 +752,7 @@ interface(`corecmd_sbin_spec_domtrans',`
type sbin_t;
')
- allow $1 sbin_t:dir search;
+ allow $1 sbin_t:dir search_dir_perms;
allow $1 sbin_t:lnk_file { getattr read };
domain_trans($1,sbin_t,$2)
@@ -773,8 +773,8 @@ interface(`corecmd_check_exec_shell',`
type bin_t, shell_exec_t;
')
- allow $1 bin_t:dir r_dir_perms;
- allow $1 bin_t:lnk_file r_file_perms;
+ allow $1 bin_t:dir list_dir_perms;
+ allow $1 bin_t:lnk_file read_file_perms;
allow $1 shell_exec_t:file execute;
')
@@ -793,8 +793,8 @@ interface(`corecmd_exec_shell',`
type bin_t, shell_exec_t;
')
- allow $1 bin_t:dir r_dir_perms;
- allow $1 bin_t:lnk_file r_file_perms;
+ allow $1 bin_t:dir list_dir_perms;
+ allow $1 bin_t:lnk_file read_file_perms;
can_exec($1,shell_exec_t)
')
@@ -813,8 +813,8 @@ interface(`corecmd_exec_ls',`
type bin_t, ls_exec_t;
')
- allow $1 bin_t:dir r_dir_perms;
- allow $1 bin_t:lnk_file r_file_perms;
+ allow $1 bin_t:dir list_dir_perms;
+ allow $1 bin_t:lnk_file read_file_perms;
can_exec($1,ls_exec_t)
')
@@ -852,8 +852,8 @@ interface(`corecmd_shell_spec_domtrans',`
type bin_t, shell_exec_t;
')
- allow $1 bin_t:dir r_dir_perms;
- allow $1 bin_t:lnk_file r_file_perms;
+ allow $1 bin_t:dir list_dir_perms;
+ allow $1 bin_t:lnk_file read_file_perms;
domain_trans($1,shell_exec_t,$2)
')
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index b69a1c0..f86b65e 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,5 +1,5 @@
-policy_module(corecommands,1.4.0)
+policy_module(corecommands,1.4.1)
########################################
#
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 5579a34..b0b5b81 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -718,6 +718,27 @@ interface(`seutil_manage_selinux_config',`
allow $1 selinux_config_t:lnk_file { getattr read };
')
+#######################################
+## <summary>
+## Create, read, write, and delete
+## the general selinux configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`seutil_manage_config_dirs',`
+ gen_require(`
+ type selinux_config_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 selinux_config_t:dir manage_dir_perms;
+')
+
########################################
## <summary>
## Search the policy directory with default_context files.
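Review bot: The `<summary>` of the new seutil_manage_config_dirs interface says it manages "the general selinux configuration files", but the body grants only `selinux_config_t:dir manage_dir_perms` with no file class at all, so the generated interface documentation would overstate what callers receive and could steer a policy writer to this interface when they actually need seutil_manage_selinux_config. Suggest `## Create, read, write, and delete` / `## the general selinux configuration directories.` as the summary. The `#######` banner above the interface also appears to be one character shorter than the file's other banners. The `<rolecap/>` tag is appropriate only if this access is meant to be offered to roles; since it permits creating and removing directories in the selinux_config_t tree, that choice is worth confirming in the description.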
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 99ab117..3380aac 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
-policy_module(selinuxutil,1.3.1)
+policy_module(selinuxutil,1.3.2)
ifdef(`strict_policy',`
gen_require(`