[selinux-policy: 1977/3172] trunk: Policy size optimization with a non-security file attribute from James Carter.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:55:46 UTC 2010
commit 3338f231d59b3ef0b798385cda9fa9801f741390
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Thu Jul 31 14:05:46 2008 +0000
trunk: Policy size optimization with a non-security file attribute from James Carter.
Changelog | 2 +
policy/modules/kernel/files.if | 113 ++++++++++++++++++++++----------------
policy/modules/kernel/files.te | 4 +-
policy/modules/system/logging.te | 4 +-
4 files changed, 73 insertions(+), 50 deletions(-)
---
diff --git a/Changelog b/Changelog
index 017d2ce..647ef43 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,5 @@
+- Policy size optimization with a non-security file attribute from James
+ Carter.
- Database labeled networking update from KaiGai Kohei.
- Several misc changes from the Fedora policy, cherry picked by David
Hrdeman.
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 4ba7e8a..9e4865b 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -32,10 +32,10 @@
#
interface(`files_type',`
gen_require(`
- attribute file_type;
+ attribute file_type, non_security_file_type;
')
- typeattribute $1 file_type;
+ typeattribute $1 file_type, non_security_file_type;
')
########################################
@@ -217,11 +217,30 @@ interface(`files_poly_member_tmp',`
#
interface(`files_security_file',`
gen_require(`
- attribute security_file_type;
+ attribute file_type, security_file_type;
')
- files_type($1)
- typeattribute $1 security_file_type;
+ typeattribute $1 file_type, security_file_type;
+')
+
+########################################
+## <summary>
+## Make the specified type usable for
+## security file filesystem mount points.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used for mount points.
+## </summary>
+## </param>
+#
+interface(`files_security_mountpoint',`
+ gen_require(`
+ attribute mountpoint;
+ ')
+
+ files_security_file($1)
+ typeattribute $1 mountpoint;
')
########################################
@@ -316,10 +335,10 @@ interface(`files_dontaudit_getattr_all_dirs',`
#
interface(`files_list_non_security',`
gen_require(`
- attribute file_type, security_file_type;
+ attribute non_security_file_type;
')
- list_dirs_pattern($1, { file_type -security_file_type }, { file_type -security_file_type })
+ list_dirs_pattern($1, non_security_file_type, non_security_file_type)
')
########################################
@@ -335,10 +354,10 @@ interface(`files_list_non_security',`
#
interface(`files_dontaudit_list_non_security',`
gen_require(`
- attribute file_type, security_file_type;
+ attribute non_security_file_type;
')
- dontaudit $1 { file_type -security_file_type }:dir list_dir_perms;
+ dontaudit $1 non_security_file_type:dir list_dir_perms;
')
########################################
@@ -354,11 +373,11 @@ interface(`files_dontaudit_list_non_security',`
#
interface(`files_mounton_non_security',`
gen_require(`
- attribute file_type, security_file_type;
+ attribute non_security_file_type;
')
- allow $1 { file_type -security_file_type }:dir mounton;
- allow $1 { file_type -security_file_type }:file mounton;
+ allow $1 non_security_file_type:dir mounton;
+ allow $1 non_security_file_type:file mounton;
')
########################################
@@ -373,10 +392,28 @@ interface(`files_mounton_non_security',`
#
interface(`files_write_non_security_dirs',`
gen_require(`
- attribute file_type, security_file_type;
+ attribute non_security_file_type;
+ ')
+
+ allow $1 non_security_file_type:dir write;
+')
+
+########################################
+## <summary>
+## Allow attempts to manage non-security directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow
+## </summary>
+## </param>
+#
+interface(`files_manage_non_security_dirs',`
+ gen_require(`
+ attribute non_security_file_type;
')
- allow $1 { file_type -security_file_type }:dir write;
+ allow $1 non_security_file_type:dir manage_dir_perms;
')
########################################
@@ -430,10 +467,10 @@ interface(`files_dontaudit_getattr_all_files',`
#
interface(`files_dontaudit_getattr_non_security_files',`
gen_require(`
- attribute file_type, security_file_type;
+ attribute non_security_file_type;
')
- dontaudit $1 { file_type -security_file_type }:file getattr;
+ dontaudit $1 non_security_file_type:file getattr;
')
########################################
@@ -498,11 +535,11 @@ interface(`files_execmod_all_files',`
#
interface(`files_read_non_security_files',`
gen_require(`
- attribute file_type, security_file_type;
+ attribute non_security_file_type;
')
- read_files_pattern($1, { file_type -security_file_type }, { file_type -security_file_type })
- read_lnk_files_pattern($1, { file_type -security_file_type }, { file_type -security_file_type })
+ read_files_pattern($1, non_security_file_type, non_security_file_type)
+ read_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
')
########################################
@@ -648,10 +685,10 @@ interface(`files_dontaudit_read_all_symlinks',`
#
interface(`files_dontaudit_getattr_non_security_symlinks',`
gen_require(`
- attribute file_type, security_file_type;
+ attribute non_security_file_type;
')
- dontaudit $1 { file_type -security_file_type }:lnk_file getattr;
+ dontaudit $1 non_security_file_type:lnk_file getattr;
')
########################################
@@ -667,10 +704,10 @@ interface(`files_dontaudit_getattr_non_security_symlinks',`
#
interface(`files_dontaudit_getattr_non_security_blk_files',`
gen_require(`
- attribute file_type, security_file_type;
+ attribute non_security_file_type;
')
- dontaudit $1 { file_type -security_file_type }:blk_file getattr;
+ dontaudit $1 non_security_file_type:blk_file getattr;
')
########################################
@@ -686,10 +723,10 @@ interface(`files_dontaudit_getattr_non_security_blk_files',`
#
interface(`files_dontaudit_getattr_non_security_chr_files',`
gen_require(`
- attribute file_type, security_file_type;
+ attribute non_security_file_type;
')
- dontaudit $1 { file_type -security_file_type }:chr_file getattr;
+ dontaudit $1 non_security_file_type:chr_file getattr;
')
########################################
@@ -763,10 +800,10 @@ interface(`files_dontaudit_getattr_all_pipes',`
#
interface(`files_dontaudit_getattr_non_security_pipes',`
gen_require(`
- attribute file_type, security_file_type;
+ attribute non_security_file_type;
')
- dontaudit $1 { file_type -security_file_type }:fifo_file getattr;
+ dontaudit $1 non_security_file_type:fifo_file getattr;
')
########################################
@@ -820,10 +857,10 @@ interface(`files_dontaudit_getattr_all_sockets',`
#
interface(`files_dontaudit_getattr_non_security_sockets',`
gen_require(`
- attribute file_type, security_file_type;
+ attribute non_security_file_type;
')
- dontaudit $1 { file_type -security_file_type }:sock_file getattr;
+ dontaudit $1 non_security_file_type:sock_file getattr;
')
########################################
@@ -4750,21 +4787,3 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
-
-########################################
-## <summary>
-## Allow attempts to monage any directory
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to allow
-## </summary>
-## </param>
-#
-interface(`files_manage_non_security_dirs',`
- gen_require(`
- attribute file_type, security_file_type;
- ')
-
- allow $1 { file_type -security_file_type }:dir manage_dir_perms;
-')
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index c4e3058..d58f902 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,5 +1,5 @@
-policy_module(files, 1.9.0)
+policy_module(files, 1.9.1)
########################################
#
@@ -26,6 +26,8 @@ attribute polymember;
# sensitive security files whose accesses should
# not be dontaudited for uses
attribute security_file_type;
+# and its opposite
+attribute non_security_file_type;
attribute tmpfile;
attribute tmpfsfile;
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index ce76009..f5292e8 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
-policy_module(logging, 1.11.0)
+policy_module(logging, 1.11.1)
########################################
#
@@ -18,7 +18,7 @@ files_security_file(auditd_etc_t)
type auditd_log_t;
files_security_file(auditd_log_t)
-files_mountpoint(auditd_log_t)
+files_security_mountpoint(auditd_log_t)
type auditd_t;
type auditd_exec_t;
More information about the scm-commits
mailing list