[selinux-policy: 44/3172] add sysnetwork

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:08:45 UTC 2010


commit 91a7ab6cb339b7e2a4556c6d5ff945484f537869
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Apr 25 21:28:25 2005 +0000

    add sysnetwork

 refpolicy/policy/modules/system/init.te    |   10 +++++-----
 refpolicy/policy/modules/system/logging.te |    2 ++
 2 files changed, 7 insertions(+), 5 deletions(-)
---
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 02c82e2..9b53826 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -186,6 +186,9 @@ allow initrc_t initrc_state_t:dir { create read getattr lock setattr ioctl unlin
 allow initrc_t initrc_state_t:file { create ioctl read getattr lock write setattr append link unlink rename };
 allow initrc_t initrc_state_t:lnk_file { create read getattr setattr unlink rename };
 
+allow initrc_t self:tcp_socket { connect listen accept create ioctl read getattr write setattr append bind getopt setopt shutdown };
+allow initrc_t self:udp_socket { connect create ioctl read getattr write setattr append bind getopt setopt shutdown };
+
 kernel_read_system_state(initrc_t)
 kernel_read_software_raid_state(initrc_t)
 kernel_read_network_state(initrc_t)
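Review bot: The two `self` socket rules added above `kernel_read_system_state(initrc_t)` lose the `# can_network(initrc_t):` comment that their removed copy carried further down in init.te, and they now sit apart from the `corenetwork_*` calls they work with. Anyone auditing the network access of initrc_t has to find both places; a comment such as `# local network sockets for init scripts; see the corenetwork_* calls below` above the two rules would keep that link. The tcp_socket set includes `listen accept`, so the comment should also say whether init scripts are meant to act as TCP servers. As a style point, the spelled-out permission lists could use a shared permission-set macro, the way the removed line uses `r_file_perms` for files, if the policy's support macros define a matching set.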
@@ -207,9 +210,6 @@ filesystem_unmount_all_filesystems(initrc_t)
 filesystem_remount_all_filesystems(initrc_t)
 filesystem_get_all_filesystems_attributes(initrc_t)
 
-# can_network(initrc_t):
-allow initrc_t self:tcp_socket { connect listen accept create ioctl read getattr write setattr append bind getopt setopt shutdown };
-allow initrc_t self:udp_socket { connect create ioctl read getattr write setattr append bind getopt setopt shutdown };
 corenetwork_network_tcp_on_all_interfaces(initrc_t)
 corenetwork_network_raw_on_all_interfaces(initrc_t)
 corenetwork_network_udp_on_all_interfaces(initrc_t)
@@ -220,8 +220,6 @@ corenetwork_network_tcp_on_all_ports(initrc_t)
 corenetwork_network_udp_on_all_ports(initrc_t)
 corenetwork_bind_tcp_on_all_nodes(initrc_t)
 corenetwork_bind_udp_on_all_nodes(initrc_t)
-#allow initrc_t net_conf_t:file r_file_perms;
-#sysnetwork_read_network_config(initrc_t)
 
 domain_kill_all_domains(initrc_t)
 domain_read_all_domains_process_state(initrc_t)
@@ -270,6 +268,8 @@ logging_send_system_log_message(initrc_t)
 selinux_read_config(initrc_t)
 selinux_read_default_contexts(run_init_t)
 
+sysnetwork_read_network_config(initrc_t)
+
 modutils_read_kernel_module_loading_config(initrc_t)
 
 authlogin_modify_login_records(initrc_t)
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 30c6978..de0a6e3 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -116,6 +116,8 @@ file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file)
 libraries_use_dynamic_loader(syslogd_t)
 libraries_read_shared_libraries(syslogd_t)
 
+sysnetwork_read_network_config(syslogd_t)
+
 miscfiles_read_localization(syslogd_t)
 
 #
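Review bot: `sysnetwork_read_network_config(syslogd_t)` is added without a comment saying why the syslog daemon needs to read the network configuration. The interface body is not visible in this diff; presumably it grants read access to the network config files (the commented-out line removed from init.te names `net_conf_t:file r_file_perms`), which syslogd would need for name resolution when logging to or from remote hosts. A one-line comment above the call, for example `# name resolution for remote logging`, would record the justification so a later least-privilege review can tell whether the grant is still required.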

