[selinux-policy: 109/3172] move type delcarations after attribute delcarations to fix a typeattribute ordering issue. comment o
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 19:14:31 UTC 2010
commit f66a1af94b141791a64aa4ea80067245be69f7a6
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Thu May 5 14:08:26 2005 +0000
move type delcarations after attribute delcarations to fix a typeattribute
ordering issue. comment out the TODO types with a # so they don't get moved
refpolicy/Makefile | 9 +++++----
refpolicy/policy/modules/system/authlogin.te | 12 ++++++++++--
refpolicy/policy/modules/system/mount.te | 8 ++++----
refpolicy/policy/modules/system/sysnetwork.te | 6 +++---
4 files changed, 22 insertions(+), 13 deletions(-)
---
diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 10fafa5..dd151da 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -80,7 +80,7 @@ POST_TE_FILES := $(addprefix $(MISCDIR),users constraints mls initial_sid_contex
ALL_FC_FILES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.fc))
-POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attributes.conf tmp/only_te_rules.conf tmp/all_post.conf
+POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf
override M4PARAM += -D monolithic_policy
@@ -176,11 +176,12 @@ tmp/post_te_files.conf: $(POST_TE_FILES)
# extract attributes and put them first. extract post te stuff
# like genfscon and put last. portcon, nodecon, and netifcon
# is delayed since they are generated by m4
-tmp/all_attributes.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf
- $(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attributes.conf || true
+tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf
+ $(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true
+ $(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf
$(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
$(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true
- $(QUIET) sed -e /^attribute/d -e /^genfscon/d < tmp/all_te_files.conf > tmp/only_te_rules.conf
+ $(QUIET) sed -e /^attribute/d -e '/^type /d' -e /^genfscon/d < tmp/all_te_files.conf > tmp/only_te_rules.conf
########################################
#
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index d3cd88b..90a305c 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -7,8 +7,7 @@ policy_module(authlogin,1.0)
# Declarations
#
type chkpwd_exec_t;
-authlogin_per_userdomain_template(system)
-domain_make_entrypoint_file(system_chkpwd_t,chkpwd_exec_t)
+files_make_file(chkpwd_exec_t)
type faillog_t;
logging_make_log_file(faillog_t)
@@ -224,6 +223,15 @@ allow initrc_t pam_var_console_t:dir r_dir_perms;
########################################
#
+# System check password local policy
+#
+
+authlogin_per_userdomain_template(system)
+
+domain_make_entrypoint_file(system_chkpwd_t,chkpwd_exec_t)
+
+########################################
+#
# Utempter local policy
#
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 1e017d3..6065359 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -73,10 +73,10 @@ allow mount_t var_lib_nfs_t:dir mounton;
allow mount_t lib_t:file { getattr read };
# TODO: Need to examine this further. Not sure how to handle this
-type sysadm_mount_source_t, file_type, sysadmfile, $1_file_type;
-allow sysadm_t sysadm_mount_source_t:file create_file_perms;
-allow sysadm_t sysadm_mount_source_t:file { relabelto relabelfrom };
-allow mount_t sysadm_mount_source_t:file rw_file_perms;
+#type sysadm_mount_source_t, file_type, sysadmfile, $1_file_type;
+#allow sysadm_t sysadm_mount_source_t:file create_file_perms;
+#allow sysadm_t sysadm_mount_source_t:file { relabelto relabelfrom };
+#allow mount_t sysadm_mount_source_t:file rw_file_perms;
# TODO: Probably need a macro for reading/unlinking files
# for when /etc/mtab loses its type
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 652ceab..ddd1f26 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -200,9 +200,9 @@ allow ping_t cardmgr_t:fd use;
') dnl end if ping
ifdef(`dhcpd.te', `', `
-type dhcp_state_t, file_type, sysadmfile;
-type dhcp_etc_t, file_type, sysadmfile, usercanread;
-typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
+#type dhcp_state_t, file_type, sysadmfile;
+#type dhcp_etc_t, file_type, sysadmfile, usercanread;
+#typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
')
allow dhcpc_t dhcp_etc_t:dir { getattr read search };
More information about the scm-commits
mailing list