[selinux-policy: 290/3172] aliasing
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 19:29:56 UTC 2010
commit 7edd02d4f1592c2abed134a61988b64ce00fd952
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Jun 8 21:07:03 2005 +0000
aliasing
refpolicy/policy/modules/system/sysnetwork.if | 14 ++------
refpolicy/policy/modules/system/sysnetwork.te | 41 +++++++++++-------------
refpolicy/policy/modules/system/udev.if | 13 +++-----
refpolicy/policy/modules/system/udev.te | 23 +++++++-------
4 files changed, 40 insertions(+), 51 deletions(-)
---
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index 3a2a61c..89be24d 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@@ -15,10 +15,7 @@
define(`sysnetwork_dhcpc_transition',`
requires_block_template(`$0'_depend)
- allow $1 dhcpc_exec_t:file { getattr read execute };
- allow $1 dhcpc_t:process transition;
- type_transition $1 dhcpc_exec_t:process dhcpc_t;
- dontaudit $1 dhcpc_t:process { noatsecure siginh rlimitinh };
+ domain_auto_trans($1, dhcp_exec_t, dhcp_t)
allow $1 dhcpc_t:fd use;
allow dhcpc_t $1:fd use;
@@ -49,10 +46,7 @@ define(`sysnetwork_dhcpc_transition_depend',`
define(`sysnetwork_ifconfig_transition',`
requires_block_template(`$0'_depend)
- allow $1 ifconfig_exec_t:file { getattr read execute };
- allow $1 ifconfig_t:process transition;
- type_transition $1 ifconfig_exec_t:process ifconfig_t;
- dontaudit $1 ifconfig_t:process { noatsecure siginh rlimitinh };
+ domain_auto_trans($1, ifconfig_exec_t, ifconfig_t)
allow $1 ifconfig_t:fd use;
allow ifconfig_t $1:fd use;
@@ -117,13 +111,13 @@ define(`sysnetwork_read_network_config',`
requires_block_template(`$0'_depend)
files_search_general_system_config_directory($1)
- allow $1 net_conf_t:file { getattr read };
+ allow $1 net_conf_t:file r_file_perms;
')
define(`sysnetwork_read_network_config_depend',`
type net_conf_t;
- class file { getattr read };
+ class file r_file_perms;
')
## </module>
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index af58a12..f7a1281 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -46,11 +46,11 @@ dontaudit dhcpc_t self:capability sys_tty_config;
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
-allow dhcpc_t self:tcp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
-allow dhcpc_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
-allow dhcpc_t self:packet_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow dhcpc_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read };
-allow dhcpc_t self:fifo_file { ioctl read getattr lock write append };
+allow dhcpc_t self:tcp_socket create_socket_perms;
+allow dhcpc_t self:udp_socket create_socket_perms;
+allow dhcpc_t self:packet_socket create_socket_perms;
+allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow dhcpc_t self:fifo_file rw_file_perms;
allow dhcpc_t dhcp_etc_t:dir r_dir_perms;
allow dhcpc_t dhcp_etc_t:lnk_file r_file_perms;
@@ -61,26 +61,23 @@ allow dhcpc_t dhcpc_state_t:file create_file_perms;
type_transition dhcpc_t dhcp_state_t:file dhcpc_state_t;
# create pid file
-allow dhcpc_t dhcpc_var_run_t:file { getattr create read write append setattr unlink };
+allow dhcpc_t dhcpc_var_run_t:file create_file_perms;
files_create_daemon_runtime_data(dhcpc_t,dhcpc_var_run_t)
# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
# in /etc created by dhcpcd will be labelled net_conf_t.
-allow dhcpc_t net_conf_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow dhcpc_t net_conf_t:file create_file_perms;
files_create_private_config(dhcpc_t,net_conf_t,file)
# create temp files
-allow dhcpc_t dhcpc_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow dhcpc_t dhcpc_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow dhcpc_t dhcpc_tmp_t:dir create_dir_perms;
+allow dhcpc_t dhcpc_tmp_t:file create_file_perms;
files_create_private_tmp_data(dhcpc_t, dhcpc_tmp_t, { file dir })
-allow dhcpc_t dhcpc_exec_t:file { getattr read execute execute_no_trans };
+can_exec(dhcpc_t, dhcpc_exec_t)
# transition to ifconfig
-allow dhcpc_t ifconfig_exec_t:file { getattr read execute };
-allow dhcpc_t ifconfig_t:process transition;
-type_transition dhcpc_t ifconfig_exec_t:process ifconfig_t;
-dontaudit dhcpc_t ifconfig_t:process { noatsecure siginh rlimitinh };
+domain_auto_trans(dhcp_t, ifconfig_exec_t, ifconfig_t)
allow dhcpc_t ifconfig_t:fd use;
allow ifconfig_t dhcpc_t:fd use;
allow ifconfig_t dhcpc_t:fifo_file rw_file_perms;
@@ -244,21 +241,21 @@ allow ifconfig_t self:capability net_admin;
dontaudit ifconfig_t self:capability sys_module;
allow ifconfig_t self:fd use;
-allow ifconfig_t self:fifo_file { read getattr lock ioctl write append };
-allow ifconfig_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow ifconfig_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow ifconfig_t self:fifo_file rw_file_perms;
+allow ifconfig_t self:unix_dgram_socket create_socket_perms;
+allow ifconfig_t self:unix_stream_socket create_stream_socket_perms;
allow ifconfig_t self:unix_dgram_socket sendto;
allow ifconfig_t self:unix_stream_socket connectto;
-allow ifconfig_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow ifconfig_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow ifconfig_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow ifconfig_t self:shm create_shm_perms;
+allow ifconfig_t self:sem create_sem_perms;
+allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
# Create UDP sockets, necessary when called from dhcpc
-allow ifconfig_t self:udp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow ifconfig_t self:udp_socket create_socket_perms;
# for /sbin/ip
-allow ifconfig_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
+allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
allow ifconfig_t self:tcp_socket { create ioctl };
files_read_general_system_config(ifconfig_t);
diff --git a/refpolicy/policy/modules/system/udev.if b/refpolicy/policy/modules/system/udev.if
index 87313f3..a6d5734 100644
--- a/refpolicy/policy/modules/system/udev.if
+++ b/refpolicy/policy/modules/system/udev.if
@@ -15,10 +15,7 @@
define(`udev_transition',`
requires_block_template(`$0'_depend)
- allow $1 udev_exec_t:file { getattr read execute };
- allow $1 udev_t:process transition;
- type_transition $1 udev_exec_t:process udev_t;
- dontaudit $1 udev_t:process { noatsecure siginh rlimitinh };
+ domain_auto_trans($1, udev_exec_t, udev_t)
allow $1 udev_t:fd use;
allow udev_t $1:fd use;
@@ -49,13 +46,13 @@ define(`udev_transition_depend',`
define(`udev_read_database',`
requires_block_template(`$0'_depend)
- allow $1 udev_tdb_t:file { getattr read };
+ allow $1 udev_tdb_t:file r_file_perms;
')
define(`udev_read_database_depend',`
type udev_tdb_t;
- class file { getattr read };
+ class file r_file_perms;
')
########################################
@@ -72,13 +69,13 @@ define(`udev_read_database_depend',`
define(`udev_modify_database',`
requires_block_template(`$0'_depend)
- allow $1 udev_tdb_t:file { getattr read write append };
+ allow $1 udev_tdb_t:file rw_file_perms;
')
define(`udev_modify_database_depend',`
type udev_tdb_t;
- class file { getattr read write append };
+ class file rw_file_perms;
')
## </module>
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index 6ce9680..da53514 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -38,29 +38,30 @@ allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid
allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
allow udev_t self:process { execmem setfscreate };
allow udev_t self:fd use;
-allow udev_t self:fifo_file { read getattr lock ioctl write append };
+allow udev_t self:fifo_file rw_file_perms;
allow udev_t self:unix_stream_socket { listen accept };
allow udev_t self:unix_dgram_socket sendto;
allow udev_t self:unix_stream_socket connectto;
-allow udev_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow udev_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow udev_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow udev_t self:shm create_shm_perms;
+allow udev_t self:sem create_sem_perms;
+allow udev_t self:msgq create_msgq_perms;
allow udev_t self:msg { send receive };
-allow udev_t self:rawip_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow udev_t self:rawip_socket create_socket_perms;
-allow udev_t udev_exec_t:file { getattr read write ioctl execute execute_no_trans };
+allow udev_t udev_exec_t:file write;
+can_exec(udev_t, udev_exec_t)
-allow udev_t udev_helper_exec_t:dir { read getattr lock search ioctl };
+allow udev_t udev_helper_exec_t:dir r_dir_perms;
# read udev config
-allow udev_t udev_etc_t:file { read getattr lock ioctl };
+allow udev_t udev_etc_t:file r_file_perms;
# create udev database in /dev/.udevdb
-allow udev_t udev_tbl_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow udev_t udev_tbl_t:file create_file_perms;
devices_create_dev_entry(udev_t,udev_tbl_t,file)
-allow udev_t udev_var_run_t : dir { read getattr lock search ioctl add_name remove_name write };
-allow udev_t udev_var_run_t : file { create ioctl read getattr lock write setattr append link unlink rename };
+allow udev_t udev_var_run_t : dir rw_file_perms;
+allow udev_t udev_var_run_t : file create_file_perms;
kernel_read_system_state(udev_t)
kernel_get_core_interface_attributes(udev_t)
More information about the scm-commits
mailing list