[selinux-policy: 2055/3172] trunk 2 patches from dan.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:02:26 UTC 2010 

commit 659c8650c764e230cacafad17fec1190a6c7d436
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Nov 17 15:48:12 2008 +0000

    trunk 2 patches from dan.

 policy/modules/services/courier.fc |    1 +
 policy/modules/services/courier.te |    5 +++-
 policy/modules/services/dhcp.fc    |    1 +
 policy/modules/services/dhcp.if    |   40 ++++++++++++++++++++++++++++++++++++
 policy/modules/services/dhcp.te    |   20 +++++++----------
 5 files changed, 54 insertions(+), 13 deletions(-)
---
diff --git a/policy/modules/services/courier.fc b/policy/modules/services/courier.fc
index 7a91fd2..f1bf79a 100644
--- a/policy/modules/services/courier.fc
+++ b/policy/modules/services/courier.fc
@@ -20,4 +20,5 @@
 
 /var/run/courier(/.*)?			--	gen_context(system_u:object_r:courier_var_run_t,s0)
 
+/var/spool/authdaemon(/.*)?			gen_context(system_u:object_r:courier_spool_t,s0)
 /var/spool/courier(/.*)?			gen_context(system_u:object_r:courier_spool_t,s0)
diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
index 475e509..d0080ba 100644
--- a/policy/modules/services/courier.te
+++ b/policy/modules/services/courier.te
@@ -1,5 +1,5 @@
 
-policy_module(courier, 1.6.1)
+policy_module(courier, 1.6.2)
 
 ########################################
 #
@@ -53,6 +53,9 @@ allow courier_authdaemon_t courier_tcpd_t:fd use;
 allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
 allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
 
+manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
+files_search_spool(courier_authdaemon_t)
+
 corecmd_search_bin(courier_authdaemon_t)
 
 # for SSP
diff --git a/policy/modules/services/dhcp.fc b/policy/modules/services/dhcp.fc
index 4d40b6b..767e0c7 100644
--- a/policy/modules/services/dhcp.fc
+++ b/policy/modules/services/dhcp.fc
@@ -1,3 +1,4 @@
+/etc/rc\.d/init\.d/dhcpd	--	gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
 
 /usr/sbin/dhcpd.*		--	gen_context(system_u:object_r:dhcpd_exec_t,s0)
 
diff --git a/policy/modules/services/dhcp.if b/policy/modules/services/dhcp.if
index 349b35d..c3a5039 100644
--- a/policy/modules/services/dhcp.if
+++ b/policy/modules/services/dhcp.if
@@ -19,3 +19,43 @@ interface(`dhcpd_setattr_state_files',`
 	sysnet_search_dhcp_state($1)
 	allow $1 dhcpd_state_t:file setattr;
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an dhcp environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the dhcp domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`dhcpd_admin',`
+	gen_require(`
+		type dhcpd_t; type dhcpd_tmp_t;	type dhcpd_state_t;
+		type dhcpd_var_run_t, dhcpd_initrc_exec_t;
+	')
+
+	allow $1 dhcpd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, dhcpd_t)
+
+	init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 dhcpd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, dhcpd_tmp_t)
+
+	admin_pattern($1, dhcpd_state_t)
+
+	files_list_pids($1)
+	admin_pattern($1, dhcpd_var_run_t)
+')
diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te
index a81476a..007ebc2 100644
--- a/policy/modules/services/dhcp.te
+++ b/policy/modules/services/dhcp.te
@@ -1,5 +1,5 @@
 
-policy_module(dhcp, 1.6.1)
+policy_module(dhcp, 1.6.2)
 
 ########################################
 #
@@ -10,6 +10,9 @@ type dhcpd_t;
 type dhcpd_exec_t;
 init_daemon_domain(dhcpd_t, dhcpd_exec_t)
 
+type dhcpd_initrc_exec_t;
+init_script_file(dhcpd_initrc_exec_t)
+
 type dhcpd_state_t;
 files_type(dhcpd_state_t)
 
@@ -24,13 +27,12 @@ files_pid_file(dhcpd_var_run_t)
 # Local policy
 #
 
-allow dhcpd_t self:capability net_raw;
+allow dhcpd_t self:capability { net_raw sys_resource };
 dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
 allow dhcpd_t self:process signal_perms;
 allow dhcpd_t self:fifo_file rw_fifo_file_perms;
 allow dhcpd_t self:unix_dgram_socket create_socket_perms;
 allow dhcpd_t self:unix_stream_socket create_socket_perms;
-allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
 allow dhcpd_t self:tcp_socket create_stream_socket_perms;
 allow dhcpd_t self:udp_socket create_socket_perms;
 # Allow dhcpd_t to use packet sockets
@@ -51,6 +53,7 @@ files_pid_filetrans(dhcpd_t, dhcpd_var_run_t, file)
 
 kernel_read_system_state(dhcpd_t)
 kernel_read_kernel_sysctls(dhcpd_t)
+kernel_read_network_state(dhcpd_t)
 
 corenet_all_recvfrom_unlabeled(dhcpd_t)
 corenet_all_recvfrom_netlabel(dhcpd_t)
@@ -88,11 +91,12 @@ files_read_usr_files(dhcpd_t)
 files_read_etc_runtime_files(dhcpd_t)
 files_search_var_lib(dhcpd_t)
 
+auth_use_nsswitch(dhcpd_t)
+
 logging_send_syslog_msg(dhcpd_t)
 
 miscfiles_read_localization(dhcpd_t)
 
-sysnet_read_config(dhcpd_t)
 sysnet_read_dhcp_config(dhcpd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
@@ -113,14 +117,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	nis_use_ypbind(dhcpd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(dhcpd_t)
-')
-
-optional_policy(`
 	seutil_sigchld_newrole(dhcpd_t)
 ')

More information about the scm-commits mailing list