[selinux-policy: 1632/3172] fix up corecommands perm sets, add seutil_manage_config_dirs()

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:26:11 UTC 2010


commit 582438054db047e1c471dd68e530af0d3f47987c
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Oct 27 13:55:35 2006 +0000

    fix up corecommands perm sets, add seutil_manage_config_dirs()

 policy/modules/kernel/corecommands.if |   68 ++++++++++++++++----------------
 policy/modules/kernel/corecommands.te |    2 +-
 policy/modules/system/selinuxutil.if  |   21 ++++++++++
 policy/modules/system/selinuxutil.te  |    2 +-
 4 files changed, 57 insertions(+), 36 deletions(-)
---
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index 8eb3a9e..338068d 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -133,7 +133,7 @@ interface(`corecmd_search_bin',`
 		type bin_t;
 	')
 
-	allow $1 bin_t:dir search;
+	allow $1 bin_t:dir search_dir_perms;
 ')
 
 ########################################
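Review bot: The switch from the bare `search` permission to `search_dir_perms` on `allow $1 bin_t:dir` is permission-neutral only if that set expands to `search` alone, and its definition is not visible in this patch. If the set carries anything extra (presumably `getattr`, unverified here), every domain calling corecmd_search_bin gains it on bin_t directories. The same substitution recurs in the read_*, *_domtrans and sbin_t hunks below. Because these interfaces are called by a large share of domains, I would state the intent next to the rule, for example `# search_dir_perms is intentionally wider than plain search; see the permission-set definitions`, or say in the commit message that the expansion is identical.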
@@ -151,7 +151,7 @@ interface(`corecmd_list_bin',`
 		type bin_t;
 	')
 
-	allow $1 bin_t:dir r_dir_perms;
+	allow $1 bin_t:dir list_dir_perms;
 ')
 
 ########################################
@@ -187,8 +187,8 @@ interface(`corecmd_read_bin_files',`
 		type bin_t;
 	')
 
-	allow $1 bin_t:dir search;
-	allow $1 bin_t:file r_file_perms;
+	allow $1 bin_t:dir search_dir_perms;
+	allow $1 bin_t:file read_file_perms;
 ')
 
 ########################################
@@ -206,8 +206,8 @@ interface(`corecmd_read_bin_symlinks',`
 		type bin_t;
 	')
 
-	allow $1 bin_t:dir search;
-	allow $1 bin_t:lnk_file r_file_perms;
+	allow $1 bin_t:dir search_dir_perms;
+	allow $1 bin_t:lnk_file read_file_perms;
 ')
 
 ########################################
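Review bot: In corecmd_read_bin_symlinks the new rule `allow $1 bin_t:lnk_file read_file_perms;` applies a set named for the file class to lnk_file. The pipes and sockets hunks that follow do the same for fifo_file and sock_file, as do the sbin_t counterparts and the lnk_file rules in the exec/shell interfaces. Whether that set contains only permissions meaningful for those classes cannot be checked from this patch. If the tree defines class-specific sets, they would read more precisely here; otherwise a short comment such as `# read_file_perms reused for lnk_file: same read-only permission list` would record that the reuse is deliberate.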
@@ -225,8 +225,8 @@ interface(`corecmd_read_bin_pipes',`
 		type bin_t;
 	')
 
-	allow $1 bin_t:dir search;
-	allow $1 bin_t:fifo_file r_file_perms;
+	allow $1 bin_t:dir search_dir_perms;
+	allow $1 bin_t:fifo_file read_file_perms;
 ')
 
 ########################################
@@ -244,8 +244,8 @@ interface(`corecmd_read_bin_sockets',`
 		type bin_t;
 	')
 
-	allow $1 bin_t:dir search;
-	allow $1 bin_t:sock_file r_file_perms;
+	allow $1 bin_t:dir search_dir_perms;
+	allow $1 bin_t:sock_file read_file_perms;
 ')
 
 ########################################
@@ -264,8 +264,8 @@ interface(`corecmd_exec_bin',`
 		type bin_t;
 	')
 
-	allow $1 bin_t:dir r_dir_perms;
-	allow $1 bin_t:lnk_file r_file_perms;
+	allow $1 bin_t:dir list_dir_perms;
+	allow $1 bin_t:lnk_file read_file_perms;
 	can_exec($1,bin_t)
 
 ')
@@ -368,7 +368,7 @@ interface(`corecmd_bin_spec_domtrans',`
 		type bin_t;
 	')
 
-	allow $1 bin_t:dir search;
+	allow $1 bin_t:dir search_dir_perms;
 	allow $1 bin_t:lnk_file { getattr read };
 
 	domain_trans($1,bin_t,$2)
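Review bot: The lnk_file rule in corecmd_bin_spec_domtrans is still written as the literal set `{ getattr read }`, although the directory rule above it was converted and the other interfaces in this commit now use `read_file_perms` for bin_t symlinks. The corecmd_sbin_domtrans and corecmd_sbin_spec_domtrans hunks leave the same literal in place. If the narrower set is intentional for domain-transition interfaces, a comment like `# symlink traversal only: getattr and read are sufficient` would keep a later cleanup from widening it by accident. If it is not intentional, the rule should use the same named set as the rest of the file. The interface body starts above this hunk and continues below it.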
@@ -469,7 +469,7 @@ interface(`corecmd_list_sbin',`
 		type sbin_t;
 	')
 
-	allow $1 sbin_t:dir r_dir_perms;
+	allow $1 sbin_t:dir list_dir_perms;
 ')
 
 ########################################
@@ -524,8 +524,8 @@ interface(`corecmd_read_sbin_files',`
 		type sbin_t;
 	')
 
-	allow $1 sbin_t:dir search;
-	allow $1 sbin_t:file r_file_perms;
+	allow $1 sbin_t:dir search_dir_perms;
+	allow $1 sbin_t:file read_file_perms;
 ')
 
 ########################################
@@ -543,8 +543,8 @@ interface(`corecmd_read_sbin_symlinks',`
 		type sbin_t;
 	')
 
-	allow $1 sbin_t:dir search;
-	allow $1 sbin_t:lnk_file r_file_perms;
+	allow $1 sbin_t:dir search_dir_perms;
+	allow $1 sbin_t:lnk_file read_file_perms;
 ')
 
 ########################################
@@ -562,8 +562,8 @@ interface(`corecmd_read_sbin_pipes',`
 		type sbin_t;
 	')
 
-	allow $1 sbin_t:dir search;
-	allow $1 sbin_t:fifo_file r_file_perms;
+	allow $1 sbin_t:dir search_dir_perms;
+	allow $1 sbin_t:fifo_file read_file_perms;
 ')
 
 ########################################
@@ -581,8 +581,8 @@ interface(`corecmd_read_sbin_sockets',`
 		type sbin_t;
 	')
 
-	allow $1 sbin_t:dir search;
-	allow $1 sbin_t:sock_file r_file_perms;
+	allow $1 sbin_t:dir search_dir_perms;
+	allow $1 sbin_t:sock_file read_file_perms;
 ')
 
 ########################################
@@ -601,8 +601,8 @@ interface(`corecmd_exec_sbin',`
 		type sbin_t;
 	')
 
-	allow $1 sbin_t:dir r_dir_perms;
-	allow $1 sbin_t:lnk_file r_file_perms;
+	allow $1 sbin_t:dir list_dir_perms;
+	allow $1 sbin_t:lnk_file read_file_perms;
 	can_exec($1,sbin_t)
 ')
 
@@ -705,7 +705,7 @@ interface(`corecmd_sbin_domtrans',`
 		type sbin_t;
 	')
 
-	allow $1 sbin_t:dir search;
+	allow $1 sbin_t:dir search_dir_perms;
 	allow $1 sbin_t:lnk_file { getattr read };
 
 	domain_auto_trans($1,sbin_t,$2)
@@ -752,7 +752,7 @@ interface(`corecmd_sbin_spec_domtrans',`
 		type sbin_t;
 	')
 
-	allow $1 sbin_t:dir search;
+	allow $1 sbin_t:dir search_dir_perms;
 	allow $1 sbin_t:lnk_file { getattr read };
 
 	domain_trans($1,sbin_t,$2)
@@ -773,8 +773,8 @@ interface(`corecmd_check_exec_shell',`
 		type bin_t, shell_exec_t;
 	')
 
-	allow $1 bin_t:dir r_dir_perms;
-	allow $1 bin_t:lnk_file r_file_perms;
+	allow $1 bin_t:dir list_dir_perms;
+	allow $1 bin_t:lnk_file read_file_perms;
 	allow $1 shell_exec_t:file execute;
 ')
 
@@ -793,8 +793,8 @@ interface(`corecmd_exec_shell',`
 		type bin_t, shell_exec_t;
 	')
 
-	allow $1 bin_t:dir r_dir_perms;
-	allow $1 bin_t:lnk_file r_file_perms;
+	allow $1 bin_t:dir list_dir_perms;
+	allow $1 bin_t:lnk_file read_file_perms;
 	can_exec($1,shell_exec_t)
 ')
 
@@ -813,8 +813,8 @@ interface(`corecmd_exec_ls',`
 		type bin_t, ls_exec_t;
 	')
 
-	allow $1 bin_t:dir r_dir_perms;
-	allow $1 bin_t:lnk_file r_file_perms;
+	allow $1 bin_t:dir list_dir_perms;
+	allow $1 bin_t:lnk_file read_file_perms;
 	can_exec($1,ls_exec_t)
 ')
 
@@ -852,8 +852,8 @@ interface(`corecmd_shell_spec_domtrans',`
 		type bin_t, shell_exec_t;
 	')
 
-	allow $1 bin_t:dir r_dir_perms;
-	allow $1 bin_t:lnk_file r_file_perms;
+	allow $1 bin_t:dir list_dir_perms;
+	allow $1 bin_t:lnk_file read_file_perms;
 
 	domain_trans($1,shell_exec_t,$2)
 ')
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index b69a1c0..f86b65e 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,5 +1,5 @@
 
-policy_module(corecommands,1.4.0)
+policy_module(corecommands,1.4.1)
 
 ########################################
 #
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 5579a34..b0b5b81 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -718,6 +718,27 @@ interface(`seutil_manage_selinux_config',`
 	allow $1 selinux_config_t:lnk_file { getattr read };
 ')
 
+#######################################
+## <summary>
+##	Create, read, write, and delete
+##	the general selinux configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`seutil_manage_config_dirs',`
+	gen_require(`
+		type selinux_config_t;
+	')
+
+	files_search_etc($1)
+	allow $1 selinux_config_t:dir manage_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Search the policy directory with default_context files.
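Review bot: The summary of the new seutil_manage_config_dirs interface says "the general selinux configuration files", but its only rule is `allow $1 selinux_config_t:dir manage_dir_perms;`, which covers directories. The text looks copied from seutil_manage_selinux_config and should read `Create, read, write, and delete the general selinux configuration directories.` Manage access to these directories lets a caller add, remove and rename entries under the SELinux configuration tree. The doc block should therefore say which kind of domain is expected to call it, and it is worth confirming that the `<rolecap/>` tag is meant for an interface this powerful.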
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 99ab117..3380aac 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
 
-policy_module(selinuxutil,1.3.1)
+policy_module(selinuxutil,1.3.2)
 
 ifdef(`strict_policy',`
 	gen_require(`

