[selinux-policy: 109/3172] move type delcarations after attribute delcarations to fix a typeattribute ordering issue. comment o

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:14:31 UTC 2010


commit f66a1af94b141791a64aa4ea80067245be69f7a6
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu May 5 14:08:26 2005 +0000

    move type declarations after attribute declarations to fix a typeattribute
    ordering issue. comment out the TODO types with a # so they don't get moved

 refpolicy/Makefile                            |    9 +++++----
 refpolicy/policy/modules/system/authlogin.te  |   12 ++++++++++--
 refpolicy/policy/modules/system/mount.te      |    8 ++++----
 refpolicy/policy/modules/system/sysnetwork.te |    6 +++---
 4 files changed, 22 insertions(+), 13 deletions(-)
---
diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 10fafa5..dd151da 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -80,7 +80,7 @@ POST_TE_FILES := $(addprefix $(MISCDIR),users constraints mls initial_sid_contex
 
 ALL_FC_FILES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.fc))
 
-POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attributes.conf tmp/only_te_rules.conf tmp/all_post.conf
+POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf
 
 override M4PARAM += -D monolithic_policy
 
@@ -176,11 +176,12 @@ tmp/post_te_files.conf: $(POST_TE_FILES)
 # extract attributes and put them first. extract post te stuff
 # like genfscon and put last.  portcon, nodecon, and netifcon
 # is delayed since they are generated by m4
-tmp/all_attributes.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf
-	$(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attributes.conf || true
+tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf
+	$(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true
+	$(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf
 	$(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
 	$(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true
-	$(QUIET) sed -e /^attribute/d -e /^genfscon/d < tmp/all_te_files.conf > tmp/only_te_rules.conf
+	$(QUIET) sed -e /^attribute/d -e '/^type /d' -e /^genfscon/d < tmp/all_te_files.conf > tmp/only_te_rules.conf
 
 ########################################
 #
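Review bot: The new `grep '^type '` line and the matching `-e '/^type /d'` in the sed call are line-based, so they only handle a type declaration written on a single line that starts in column 0 with a space after `type`. A declaration wrapped over several lines would have its first line hoisted into tmp/all_attrs_types.conf while the continuation stays in tmp/only_te_rules.conf, and that would presumably surface only when the assembled policy is compiled. I would record the constraint above the rule, for example `# type declarations must be one line starting in column 0; they are moved by grep/sed below`. The added grep also has no `|| true`, unlike the attribute and genfscon greps next to it, so a short comment saying that failing on zero matches is intended (or adding the fallback) would remove the ambiguity.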
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index d3cd88b..90a305c 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -7,8 +7,7 @@ policy_module(authlogin,1.0)
 # Declarations
 #
 type chkpwd_exec_t;
-authlogin_per_userdomain_template(system)
-domain_make_entrypoint_file(system_chkpwd_t,chkpwd_exec_t)
+files_make_file(chkpwd_exec_t)
 
 type faillog_t;
 logging_make_log_file(faillog_t)
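Review bot: Nothing in the file records why `authlogin_per_userdomain_template(system)` and `domain_make_entrypoint_file(system_chkpwd_t,chkpwd_exec_t)` leave the Declarations section here and reappear in the new "System check password local policy" section in the next hunk. This matters because the file labels the password-checking helper. From the commit message it looks like the template expands to rules that must follow the hoisted type declarations, but that is inferred, not visible in the hunk. A one-line comment in the new section would keep a later cleanup from moving the calls back, for example `# kept out of Declarations: the template emits rules, which must come after all type declarations`. It would also help to state whether `files_make_file(chkpwd_exec_t)` is still needed once `domain_make_entrypoint_file` is applied to the same type, since both now touch chkpwd_exec_t.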
@@ -224,6 +223,15 @@ allow initrc_t pam_var_console_t:dir r_dir_perms;
 
 ########################################
 #
+# System check password local policy
+#
+
+authlogin_per_userdomain_template(system)
+
+domain_make_entrypoint_file(system_chkpwd_t,chkpwd_exec_t)
+
+########################################
+#
 # Utempter local policy
 #
 
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 1e017d3..6065359 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -73,10 +73,10 @@ allow mount_t var_lib_nfs_t:dir mounton;
 allow mount_t lib_t:file { getattr read };
 
 # TODO: Need to examine this further. Not sure how to handle this
-type sysadm_mount_source_t, file_type, sysadmfile, $1_file_type;
-allow sysadm_t sysadm_mount_source_t:file create_file_perms;
-allow sysadm_t sysadm_mount_source_t:file { relabelto relabelfrom };
-allow mount_t sysadm_mount_source_t:file rw_file_perms;
+#type sysadm_mount_source_t, file_type, sysadmfile, $1_file_type;
+#allow sysadm_t sysadm_mount_source_t:file create_file_perms;
+#allow sysadm_t sysadm_mount_source_t:file { relabelto relabelfrom };
+#allow mount_t sysadm_mount_source_t:file rw_file_perms;
 
 # TODO: Probably need a macro for reading/unlinking files
 # for when /etc/mtab loses its type
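Review bot: The four lines disabled with `#` now sit directly under a prose TODO comment, so nothing distinguishes disabled policy from commentary or says why it was switched off. The reason is only in the commit message: a column-0 `type` line would otherwise be hoisted by the Makefile's grep. I would add a marker line above them such as `# disabled: uses $1_file_type outside a template and would be hoisted by the build; re-enable once converted`. Since the three `allow` rules are commented out together with the type, the file-create and relabel access for sysadm_t on sysadm_mount_source_t is no longer in the policy, which is worth stating in that comment too.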
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 652ceab..ddd1f26 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -200,9 +200,9 @@ allow ping_t cardmgr_t:fd use;
 ') dnl end if ping
 
 ifdef(`dhcpd.te', `', `
-type dhcp_state_t, file_type, sysadmfile;
-type dhcp_etc_t, file_type, sysadmfile, usercanread; 
-typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
+#type dhcp_state_t, file_type, sysadmfile;
+#type dhcp_etc_t, file_type, sysadmfile, usercanread; 
+#typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
 ')
 
 allow dhcpc_t dhcp_etc_t:dir { getattr read search };
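Review bot: The rule `allow dhcpc_t dhcp_etc_t:dir { getattr read search };` right after the `ifdef` still references dhcp_etc_t, but the only declaration of that type visible in this hunk is now commented out. Unless dhcp_etc_t is declared elsewhere in the file or in another module, the no-dhcpd.te branch leaves the type undeclared and the policy should fail to compile. The `typealias` for etc_dhcp_t, etc_dhcpc_t and etc_dhcpd_t is disabled as well, so anything still using those alias names is affected the same way. If the declarations are meant to return, indenting the `type` lines so the Makefile's `^type ` match skips them would be less lossy than commenting them out. If not, the now-empty `ifdef` should carry a comment such as `# dhcp_etc_t/dhcp_state_t are declared in <module>; nothing to do here`.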

