[selinux-policy: 3091/3172] Move calls to external interfaces below policy that governs internal interaction.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 23:34:58 UTC 2010
commit 02687a70342a88e5e52cacec7b258c745bb5864c
Author: Dominick Grift <domg472 at gmail.com>
Date: Wed Sep 22 12:07:10 2010 +0200
Move calls to external interfaces below policy that governs internal interaction.
Move calls to external interfaces below policy that governs internal interaction.
policy/modules/services/cachefilesd.te | 16 ++++++++--------
policy/modules/services/djbdns.te | 6 +++---
2 files changed, 11 insertions(+), 11 deletions(-)
---
diff --git a/policy/modules/services/cachefilesd.te b/policy/modules/services/cachefilesd.te
index efabfb5..575c16e 100644
--- a/policy/modules/services/cachefilesd.te
+++ b/policy/modules/services/cachefilesd.te
@@ -79,14 +79,6 @@ rpm_use_script_fds(cachefilesd_t)
#
allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
-# Basic access
-files_read_etc_files(cachefilesd_t)
-miscfiles_read_localization(cachefilesd_t)
-logging_send_syslog_msg(cachefilesd_t)
-init_dontaudit_use_script_ptys(cachefilesd_t)
-term_dontaudit_use_generic_ptys(cachefilesd_t)
-term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
-
# Allow manipulation of pid file
allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
@@ -104,6 +96,14 @@ allow cachefilesd_t cachefiles_var_t:file { rename delete_file_perms };
# Permit statfs on the backing filesystem
fs_getattr_xattr_fs(cachefilesd_t)
+# Basic access
+files_read_etc_files(cachefilesd_t)
+miscfiles_read_localization(cachefilesd_t)
+logging_send_syslog_msg(cachefilesd_t)
+init_dontaudit_use_script_ptys(cachefilesd_t)
+term_dontaudit_use_generic_ptys(cachefilesd_t)
+term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
+
###############################################################################
#
# When cachefilesd invokes the kernel module to begin caching, it has to tell
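Review bot: The relocated `# Basic access` group in this hunk is ordered inconsistently with the call directly above it: `fs_getattr_xattr_fs(cachefilesd_t)` and `files_read_etc_files(cachefilesd_t)` are kernel-layer interfaces, yet the kernel-layer `term_dontaudit_use_generic_ptys` and `term_dontaudit_getattr_unallocated_ttys` calls are placed after the system-layer `init_`, `logging_` and `miscfiles_` calls. If this module follows the usual refpolicy convention of grouping external interface calls by layer (kernel, then system, then services, alphabetical within a layer), the two `term_` lines belong with the `files_`/`fs_` calls rather than at the tail of the block. Once the calls are ordered that way the `# Basic access` heading and the separate `# Permit statfs on the backing filesystem` comment describe one group and could be merged into a single heading such as `# Kernel and system layer access`. The cachefilesd_t rules continue below the hunk, so any remaining external calls further down would need the same treatment to keep the ordering consistent.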
diff --git a/policy/modules/services/djbdns.te b/policy/modules/services/djbdns.te
index 5fd29a5..51e2ce8 100644
--- a/policy/modules/services/djbdns.te
+++ b/policy/modules/services/djbdns.te
@@ -25,9 +25,6 @@ djbdns_daemontools_domain_template(tinydns)
allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot };
-daemontools_ipc_domain(djbdns_axfrdns_t)
-daemontools_read_svc(djbdns_axfrdns_t)
-
allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:dir list_dir_perms;
allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:file read_file_perms;
@@ -39,6 +36,9 @@ allow djbdns_axfrdns_t djbdns_tinydns_conf_t:file read_file_perms;
files_search_var(djbdns_axfrdns_t)
+daemontools_ipc_domain(djbdns_axfrdns_t)
+daemontools_read_svc(djbdns_axfrdns_t)
+
ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
########################################