[selinux-policy: 2212/3172] fix ordering of interface calls in locallogin.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:16:25 UTC 2010
commit 8cd1306e5b93dbf7131e529144d8145e1f8466b2
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Aug 5 10:06:04 2009 -0400
fix ordering of interface calls in locallogin.
policy/modules/system/locallogin.te | 46 +++++++++++++++++-----------------
1 files changed, 23 insertions(+), 23 deletions(-)
---
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 3cb6ca2..30e25c7 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -61,6 +61,13 @@ kernel_read_kernel_sysctls(local_login_t)
kernel_search_key(local_login_t)
kernel_link_key(local_login_t)
+corecmd_list_bin(local_login_t)
+corecmd_read_bin_symlinks(local_login_t)
+# cjp: these are probably not needed:
+corecmd_read_bin_files(local_login_t)
+corecmd_read_bin_pipes(local_login_t)
+corecmd_read_bin_sockets(local_login_t)
+
dev_setattr_mouse_dev(local_login_t)
dev_getattr_mouse_dev(local_login_t)
dev_getattr_power_mgmt_dev(local_login_t)
@@ -84,6 +91,20 @@ dev_dontaudit_search_sysfs(local_login_t)
dev_dontaudit_getattr_video_dev(local_login_t)
dev_dontaudit_setattr_video_dev(local_login_t)
+domain_read_all_entry_files(local_login_t)
+
+files_read_etc_files(local_login_t)
+files_read_etc_runtime_files(local_login_t)
+files_read_usr_files(local_login_t)
+files_list_mnt(local_login_t)
+files_list_world_readable(local_login_t)
+files_read_world_readable_files(local_login_t)
+files_read_world_readable_symlinks(local_login_t)
+files_read_world_readable_pipes(local_login_t)
+files_read_world_readable_sockets(local_login_t)
+# for when /var/mail is a symlink
+files_read_var_symlinks(local_login_t)
+
fs_search_auto_mountpoints(local_login_t)
storage_dontaudit_getattr_fixed_disk_dev(local_login_t)
@@ -104,27 +125,6 @@ auth_manage_pam_pid(local_login_t)
auth_manage_pam_console_data(local_login_t)
auth_domtrans_pam_console(local_login_t)
-corecmd_list_bin(local_login_t)
-corecmd_read_bin_symlinks(local_login_t)
-# cjp: these are probably not needed:
-corecmd_read_bin_files(local_login_t)
-corecmd_read_bin_pipes(local_login_t)
-corecmd_read_bin_sockets(local_login_t)
-
-domain_read_all_entry_files(local_login_t)
-
-files_read_etc_files(local_login_t)
-files_read_etc_runtime_files(local_login_t)
-files_read_usr_files(local_login_t)
-files_list_mnt(local_login_t)
-files_list_world_readable(local_login_t)
-files_read_world_readable_files(local_login_t)
-files_read_world_readable_symlinks(local_login_t)
-files_read_world_readable_pipes(local_login_t)
-files_read_world_readable_sockets(local_login_t)
-# for when /var/mail is a symlink
-files_read_var_symlinks(local_login_t)
-
init_dontaudit_use_fds(local_login_t)
miscfiles_read_localization(local_login_t)
@@ -219,6 +219,8 @@ files_read_etc_files(sulogin_t)
# because file systems are not mounted:
files_dontaudit_search_isid_type_dirs(sulogin_t)
+auth_read_shadow(sulogin_t)
+
init_getpgid_script(sulogin_t)
logging_send_syslog_msg(sulogin_t)
@@ -226,8 +228,6 @@ logging_send_syslog_msg(sulogin_t)
seutil_read_config(sulogin_t)
seutil_read_default_contexts(sulogin_t)
-auth_read_shadow(sulogin_t)
-
userdom_use_unpriv_users_fds(sulogin_t)
userdom_search_user_home_dirs(sulogin_t)
More information about the scm-commits
mailing list