[selinux-policy: 3091/3172] Move calls to external interfaces below policy that governs internal interaction.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:34:58 UTC 2010


commit 02687a70342a88e5e52cacec7b258c745bb5864c
Author: Dominick Grift <domg472 at gmail.com>
Date:   Wed Sep 22 12:07:10 2010 +0200

    Move calls to external interfaces below policy that governs internal interaction.
    
    Move calls to external interfaces below policy that governs internal interaction.

 policy/modules/services/cachefilesd.te |   16 ++++++++--------
 policy/modules/services/djbdns.te      |    6 +++---
 2 files changed, 11 insertions(+), 11 deletions(-)
---
diff --git a/policy/modules/services/cachefilesd.te b/policy/modules/services/cachefilesd.te
index efabfb5..575c16e 100644
--- a/policy/modules/services/cachefilesd.te
+++ b/policy/modules/services/cachefilesd.te
@@ -79,14 +79,6 @@ rpm_use_script_fds(cachefilesd_t)
 #
 allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
 
-# Basic access
-files_read_etc_files(cachefilesd_t)
-miscfiles_read_localization(cachefilesd_t)
-logging_send_syslog_msg(cachefilesd_t)
-init_dontaudit_use_script_ptys(cachefilesd_t)
-term_dontaudit_use_generic_ptys(cachefilesd_t)
-term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
-
 # Allow manipulation of pid file
 allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
 manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
@@ -104,6 +96,14 @@ allow cachefilesd_t cachefiles_var_t:file { rename delete_file_perms };
 # Permit statfs on the backing filesystem
 fs_getattr_xattr_fs(cachefilesd_t)
 
+# Basic access
+files_read_etc_files(cachefilesd_t)
+miscfiles_read_localization(cachefilesd_t)
+logging_send_syslog_msg(cachefilesd_t)
+init_dontaudit_use_script_ptys(cachefilesd_t)
+term_dontaudit_use_generic_ptys(cachefilesd_t)
+term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
+
 ###############################################################################
 #
 # When cachefilesd invokes the kernel module to begin caching, it has to tell
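Review bot: The relocated "Basic access" block (the six added lines) keeps its old internal order, so the `miscfiles_`, `logging_` and `init_` calls still sit between `files_read_etc_files` and the two `term_dontaudit_*` calls instead of being grouped by module layer, which is what I understand the reference policy style to ask for. Since the lines are being moved anyway, put `files_` and `term_` first and then `init_`, `logging_`, `miscfiles_` in alphabetical order. The three `dontaudit` calls also deserve their own comment because they hide denials from the audit log, for example `# Suppress audit noise from inherited ptys/ttys; rebuild with semodule -DB to see these denials`. The local policy section continues past the end of the hunk.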
diff --git a/policy/modules/services/djbdns.te b/policy/modules/services/djbdns.te
index 5fd29a5..51e2ce8 100644
--- a/policy/modules/services/djbdns.te
+++ b/policy/modules/services/djbdns.te
@@ -25,9 +25,6 @@ djbdns_daemontools_domain_template(tinydns)
 
 allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot };
 
-daemontools_ipc_domain(djbdns_axfrdns_t)
-daemontools_read_svc(djbdns_axfrdns_t)
-
 allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:dir list_dir_perms;
 allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:file read_file_perms;
 
@@ -39,6 +36,9 @@ allow djbdns_axfrdns_t djbdns_tinydns_conf_t:file read_file_perms;
 
 files_search_var(djbdns_axfrdns_t)
 
+daemontools_ipc_domain(djbdns_axfrdns_t)
+daemontools_read_svc(djbdns_axfrdns_t)
+
 ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
 
 ########################################
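Review bot: The two `daemontools_` calls are re-added without any comment saying why axfrdns needs them, whereas the cachefilesd.te part of this commit introduces each group of rules with a one-line comment. Something like `# axfrdns runs under daemontools supervision` above them would do, assuming that is the reason (inferred from the interface names and the `djbdns_daemontools_domain_template` call in the hunk header). The djbdns_axfrdns_t section starts before this hunk.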

