[selinux-policy: 425/3172] add fstools, and more cleanup

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:41:29 UTC 2010


commit 58c3da55f3209bd6a385aa6083815171d5272235
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Jun 27 20:59:28 2005 +0000

    add fstools, and more cleanup

 refpolicy/policy/modules/kernel/bootloader.te   |   44 +++----
 refpolicy/policy/modules/kernel/kernel.if       |    8 +-
 refpolicy/policy/modules/services/inetd.te      |   16 ++--
 refpolicy/policy/modules/system/clock.if        |    2 +-
 refpolicy/policy/modules/system/corecommands.if |   20 +++
 refpolicy/policy/modules/system/files.if        |  151 +++++++++++++++++++++--
 refpolicy/policy/modules/system/fstools.fc      |   36 ++++++
 refpolicy/policy/modules/system/fstools.if      |   66 ++++++++++
 refpolicy/policy/modules/system/fstools.te      |  143 +++++++++++++++++++++
 refpolicy/policy/modules/system/hotplug.te      |    8 +-
 refpolicy/policy/modules/system/modutils.te     |    9 +-
 refpolicy/policy/modules/system/userdomain.te   |    4 +
 12 files changed, 455 insertions(+), 52 deletions(-)
---
diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index 516c436..ae1d044 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -126,6 +126,7 @@ files_read_generic_etc_files(bootloader_t)
 files_read_etc_runtime_files(bootloader_t)
 files_read_usr_src(bootloader_t)
 files_read_usr_files(bootloader_t)
+files_read_var_file(bootloader_t)
 # for nscd
 files_dontaudit_search_pids(bootloader_t)
 
@@ -141,13 +142,16 @@ miscfiles_read_localization(bootloader_t)
 seutil_read_binary_pol(bootloader_t)
 seutil_read_loadpol(bootloader_t)
 
-ifdef(`distro_debian', `
-allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
-allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
-allow bootloader_t boot_t:file relabelfrom;
+ifdef(`distro_debian',`
+	allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
+	allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
+	allow bootloader_t boot_t:file relabelfrom;
+
+	# for /usr/share/initrd-tools/scripts
+	files_exec_usr_files(bootloader_t)
 ')
 
-ifdef(`distro_redhat', `
+ifdef(`distro_redhat',`
 	# for memlock
 	allow bootloader_t self:capability ipc_lock;
 
@@ -157,17 +161,22 @@ ifdef(`distro_redhat', `
 	# mkinitrd mount initrd on bootloader temp dir
 	files_mountpoint(bootloader_tmp_t)
 
+	# new file system defaults to file_t, granting file_t access is still bad.
+	files_manage_isid_type_dir(bootloader_t)
+	files_manage_isid_type_file(bootloader_t)
+	files_manage_isid_type_symlink(bootloader_t)
+	files_manage_isid_type_blk_node(bootloader_t)
+	files_manage_isid_type_chr_node(bootloader_t)
+
 	# for mke2fs
 	mount_domtrans(bootloader_t)
 ')
 
-optional_policy(`filesystemtools.te', `
+optional_policy(`filesystemtools.te',`
 	filesystemtools_execute(bootloader_t)
 ')
 
-# LVM2 / Device Mapper's /dev/mapper/control
-# maybe we should change the labeling for this
-optional_policy(`lvm.te', `
+optional_policy(`lvm.te',`
 	dev_rw_lvm_control(bootloader_t)
 
 	lvm_domtrans(bootloader_t)
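Review bot: The five `files_manage_isid_type_*` calls added under `distro_redhat` give bootloader_t create, write and delete access to everything still labeled file_t, including block and character device nodes, and the comment moved in with them already says granting file_t access is bad. The neighbouring comment says mkinitrd mounts the initrd on the bootloader temp dir, so if the tooling allows it, labeling that new filesystem (for example mounting it with a bootloader_tmp_t context) would be tighter than allowing file_t wholesale. At minimum the comment should name the consumer and the scope, e.g. `# mkinitrd populates a new, unlabeled fs; this includes creating device nodes on file_t -- revisit`. Separately, the optional_policy block for filesystemtools.te just below still calls `filesystemtools_execute`, while the module this commit adds is named fstools and exports `fstools_exec`, so that block looks like it can never take effect. The enclosing ifdef starts before this hunk.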
@@ -185,8 +194,9 @@ optional_policy(`modutils.te',`
 
 ifdef(`TODO',`
 
-allow bootloader_t var_t:dir search;
-allow bootloader_t var_t:file { getattr read };
+dontaudit bootloader_t selinux_config_t:dir search;
+dontaudit bootloader_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
+dontaudit bootloader_t devpts_t:dir create_dir_perms;
 
 ifdef(`distro_debian', `
 	allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
@@ -197,18 +207,6 @@ ifdef(`distro_debian', `
 	allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;
 	allow bootloader_t dpkg_var_lib_t:file { getattr read };
 
-	# for /usr/share/initrd-tools/scripts
-	can_exec(bootloader_t, usr_t)
-')
-
-ifdef(`distro_redhat', `
-	# new file system defaults to file_t, granting file_t access is still bad.
-	allow bootloader_t file_t:dir create_dir_perms;
-	allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms;
-	allow bootloader_t file_t:lnk_file create_lnk_perms;
 ')
 
-dontaudit bootloader_t selinux_config_t:dir search;
-dontaudit bootloader_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
-dontaudit bootloader_t devpts_t:dir create_dir_perms;
 ') dnl end TODO
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index eb2d5e1..d8c89cc 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -172,11 +172,11 @@ interface(`kernel_dontaudit_read_ring_buffer',`
 ')
 
 ########################################
-## <desc>
-##	
-## </desc>
+## <summary>
+##	Change the level of kernel messages logged to the console.
+## </summary>
 ## <param name="domain">
-##	
+##	The type of the process performing this action.
 ## </param>
 #
 interface(`kernel_change_ring_buffer_level',`
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
index 493bf96..b59177c 100644
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@@ -88,6 +88,10 @@ fs_search_auto_mountpoints(inetd_t)
 
 term_dontaudit_use_console(inetd_t)
 
+# Run other daemons in the inetd_child_t domain.
+corecmd_search_bin(inetd_t)
+corecmd_read_sbin_symlink(inetd_t)
+
 domain_use_wide_inherit_fd(inetd_t)
 
 files_read_generic_etc_files(inetd_t)
@@ -112,8 +116,8 @@ ifdef(`targeted_policy', `
 	files_dontaudit_read_root_file(inetd_t)
 ')
 
-optional_policy(`rhgb.te',`
-	rhgb_domain(inetd_t)
+optional_policy(`mount.te',`
+	mount_send_nfs_client_request(inetd_t)
 ')
 
 optional_policy(`selinux.te',`
@@ -129,17 +133,13 @@ allow inetd_t proc_t:dir r_dir_perms;
 allow inetd_t proc_t:lnk_file read;
 dontaudit inetd_t sysadm_home_dir_t:dir search;
 
-ifdef(`mount.te', `
-allow inetd_t mount_t:udp_socket rw_socket_perms;
+optional_policy(`rhgb.te',`
+	rhgb_domain(inetd_t)
 ')
 
 # allow any domain to connect to inetd
 can_tcp_connect(userdomain, inetd_t)
 
-# Run other daemons in the inetd_child_t domain.
-allow inetd_t { bin_t sbin_t }:dir search;
-allow inetd_t sbin_t:lnk_file read;
-
 # Bind to the telnet, ftp, rlogin and rsh ports.
 ifdef(`talk.te', `
 allow inetd_t talk_port_t:tcp_socket name_bind;
diff --git a/refpolicy/policy/modules/system/clock.if b/refpolicy/policy/modules/system/clock.if
index cb254ac..2f7e62c 100644
--- a/refpolicy/policy/modules/system/clock.if
+++ b/refpolicy/policy/modules/system/clock.if
@@ -51,7 +51,7 @@ interface(`clock_run',`
 
 ########################################
 ##     <desc>
-##             Execute hwclock
+##             Execute hwclock in the caller domain.
 ##     </desc>
 ##     <param name="domain">
 ##             The type of the process performing this action.
diff --git a/refpolicy/policy/modules/system/corecommands.if b/refpolicy/policy/modules/system/corecommands.if
index 35da2dd..98ac700 100644
--- a/refpolicy/policy/modules/system/corecommands.if
+++ b/refpolicy/policy/modules/system/corecommands.if
@@ -43,6 +43,7 @@ interface(`corecmd_list_bin',`
 	allow $1 bin_t:dir r_dir_perms;
 ')
 
+########################################
 ## <summary>
 ##	Get the attributes of files in bin directories.
 ## </summary>
@@ -58,6 +59,7 @@ interface(`corecmd_getattr_bin_file',`
 	allow $1 bin_t:file getattr;
 ')
 
+########################################
 ## <summary>
 ##	Read symbolic links in bin directories.
 ## </summary>
@@ -145,6 +147,24 @@ interface(`corecmd_dontaudit_getattr_sbin_file',`
 ')
 
 ########################################
+## <summary>
+##	Read symbolic links in sbin directories.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+interface(`corecmd_read_sbin_symlink',`
+	gen_require(`
+		type sbin_t;
+		class dir search;
+		class lnk_file read;
+	')
+
+	allow $1 sbin_t:dir search;
+	allow $1 sbin_t:lnk_file read;
+')
+
+########################################
 #
 # corecmd_exec_sbin(domain)
 #
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index d50918a..30d7443 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -591,9 +591,33 @@ interface(`files_create_etc_config',`
 	')
 ')
 
+
 ########################################
+## <summary>
+##	Do not audit attempts to search directories on new filesystems
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
-# files_rw_isid_type_dir(domain)
+interface(`files_dontaudit_search_isid_type_dir',`
+	gen_require(`
+		type file_t;
+		class dir search;
+	')
+
+	dontaudit $1 file_t:dir search;
+')
+
+########################################
+## <summary>
+##	Read and write directories on new filesystems
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`files_rw_isid_type_dir',`
 	gen_require(`
@@ -605,29 +629,121 @@ interface(`files_rw_isid_type_dir',`
 ')
 
 ########################################
+## <summary>
+##	Create, read, write, and delete directories
+##	on new filesystems that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
-# files_dontaudit_getattr_isid_type_dir(domain)
+interface(`files_manage_isid_type_dir',`
+	gen_require(`
+		type file_t;
+		class dir create_dir_perms;
+	')
+
+	allow $1 file_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete files
+##	on new filesystems that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
-interface(`files_dontaudit_getattr_isid_type_dir',`
+interface(`files_manage_isid_type_file',`
 	gen_require(`
 		type file_t;
-		class dir search;
+		class dir rw_dir_perms;
+		class file create_file_perms;
 	')
 
-	dontaudit $1 file_t:dir search;
+	allow $1 file_t:dir rw_dir_perms;
+	allow $1 file_t:file create_file_perms;
 ')
 
 ########################################
+## <summary>
+##	Create, read, write, and delete symbolic links
+##	on new filesystems that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
-# files_dontaudit_search_isid_type_dir(domain)
+interface(`files_manage_isid_type_symlink',`
+	gen_require(`
+		type file_t;
+		class dir rw_dir_perms;
+		class lnk_file create_lnk_perms;
+	')
+
+	allow $1 file_t:dir rw_dir_perms;
+	allow $1 file_t:lnk_file create_lnk_perms;
+')
+
+########################################
+## <summary>
+##	Read and write block device nodes on new filesystems 
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
-interface(`files_dontaudit_search_isid_type_dir',`
+interface(`files_rw_isid_type_blk_node',`
 	gen_require(`
 		type file_t;
 		class dir search;
+		class blk_file rw_file_perms;
 	')
 
-	dontaudit $1 file_t:dir search;
+	allow $1 file_t:dir search;
+	allow $1 file_t:blk_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete block device nodes
+##	on new filesystems that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_manage_isid_type_blk_node',`
+	gen_require(`
+		type file_t;
+		class dir rw_dir_perms;
+		class blk_file create_file_perms;
+	')
+
+	allow $1 file_t:dir rw_dir_perms;
+	allow $1 file_t:blk_file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete character device nodes
+##	on new filesystems that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_manage_isid_type_chr_node',`
+	gen_require(`
+		type file_t;
+		class dir rw_dir_perms;
+		class chr_file create_file_perms;
+	')
+
+	allow $1 file_t:dir rw_dir_perms;
+	allow $1 file_t:chr_file create_file_perms;
 ')
 
 ########################################
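Review bot: The summaries of the new `files_manage_isid_type_file`, `_symlink`, `_blk_node` and `_chr_node` interfaces describe only the object class, but each one also grants `file_t:dir rw_dir_perms`, and the two device-node variants let the caller create device nodes on any unlabeled filesystem. A policy author reading only the summary would not expect that, so I would say it there, for example `## Create, read, write, and delete block device nodes (and add or remove entries in the containing directories) on new filesystems that have not yet been labeled.` The hunk also drops `files_dontaudit_getattr_isid_type_dir`; whether anything outside this diff still calls it cannot be seen from here and is worth a grep before merging.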
@@ -808,6 +924,25 @@ interface(`files_dontaudit_search_var',`
 ')
 
 ########################################
+## <summary>
+##	Read files in the /var directory.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_read_var_file',`
+	gen_require(`
+		type var_t;
+		class dir search;
+		class file r_file_perms;
+	')
+
+	allow $1 var_t:dir search;
+	allow $1 var_t:file r_file_perms;
+')
+
+########################################
 ## <desc>
 ##	Search the /var/lib directory.
 ## </desc>
diff --git a/refpolicy/policy/modules/system/fstools.fc b/refpolicy/policy/modules/system/fstools.fc
new file mode 100644
index 0000000..cc1d414
--- /dev/null
+++ b/refpolicy/policy/modules/system/fstools.fc
@@ -0,0 +1,36 @@
+/sbin/blockdev		--	system_u:object_r:fsadm_exec_t
+/sbin/cfdisk		--	system_u:object_r:fsadm_exec_t
+/sbin/dosfsck		--	system_u:object_r:fsadm_exec_t
+/sbin/dumpe2fs		--	system_u:object_r:fsadm_exec_t
+/sbin/e2fsck		--	system_u:object_r:fsadm_exec_t
+/sbin/e2label		--	system_u:object_r:fsadm_exec_t
+/sbin/fdisk		--	system_u:object_r:fsadm_exec_t
+/sbin/findfs		--	system_u:object_r:fsadm_exec_t
+/sbin/fsck.*		--	system_u:object_r:fsadm_exec_t
+/sbin/hdparm		--	system_u:object_r:fsadm_exec_t
+/sbin/install-mbr	--	system_u:object_r:fsadm_exec_t
+/sbin/jfs_.*		--	system_u:object_r:fsadm_exec_t
+/sbin/losetup.*		--	system_u:object_r:fsadm_exec_t
+/sbin/lsraid		--	system_u:object_r:fsadm_exec_t
+/sbin/mkdosfs		--	system_u:object_r:fsadm_exec_t
+/sbin/mke2fs		--	system_u:object_r:fsadm_exec_t
+/sbin/mkfs.*		--	system_u:object_r:fsadm_exec_t
+/sbin/mkraid		--	system_u:object_r:fsadm_exec_t
+/sbin/mkreiserfs	--	system_u:object_r:fsadm_exec_t
+/sbin/mkswap		--	system_u:object_r:fsadm_exec_t
+/sbin/parted		--	system_u:object_r:fsadm_exec_t
+/sbin/partprobe		--	system_u:object_r:fsadm_exec_t
+/sbin/partx		--	system_u:object_r:fsadm_exec_t
+/sbin/raidstart		--	system_u:object_r:fsadm_exec_t
+/sbin/reiserfs(ck|tune)	--	system_u:object_r:fsadm_exec_t
+/sbin/resize.*fs	--	system_u:object_r:fsadm_exec_t
+/sbin/scsi_info		--	system_u:object_r:fsadm_exec_t
+/sbin/sfdisk		--	system_u:object_r:fsadm_exec_t
+/sbin/swapon.*		--	system_u:object_r:fsadm_exec_t
+/sbin/tune2fs		--	system_u:object_r:fsadm_exec_t
+
+/usr/bin/partition_uuid	--	system_u:object_r:fsadm_exec_t
+/usr/bin/raw		--	system_u:object_r:fsadm_exec_t
+/usr/bin/scsi_unique_id	--	system_u:object_r:fsadm_exec_t
+
+/usr/sbin/smartctl	--	system_u:object_r:fsadm_exec_t
diff --git a/refpolicy/policy/modules/system/fstools.if b/refpolicy/policy/modules/system/fstools.if
new file mode 100644
index 0000000..8c3ac2a
--- /dev/null
+++ b/refpolicy/policy/modules/system/fstools.if
@@ -0,0 +1,66 @@
+## <summary>Tools for filesystem management, such as mkfs and fsck.</summary>
+
+########################################
+## <desc>
+##	Execute fs tools in the fstools domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`fstools_domtrans',`
+	gen_require(`
+		type fsadm_t, fsadm_exec_t;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
+
+	domain_auto_trans($1,fsadm_exec_t,fsadm_t)
+
+	allow $1 fsadm_t:fd use;
+	allow fsadm_t $1:fd use;
+	allow fsadm_t $1:fifo_file rw_file_perms;
+	allow fsadm_t $1:process sigchld;
+')
+
+########################################
+## <desc>
+##	Execute fs tools in the fstools domain, and
+##	allow the specified role the fs tools domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the fs tools domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the fs tools domain to use.
+## </param>
+#
+interface(`fstools_run',`
+	gen_require(`
+		type fsadm_t;
+		class chr_file { getattr read write ioctl };
+	')
+
+	fstools_domtrans($1)
+	role $2 types fsadm_t;
+	allow fsadm_t $3:chr_file { getattr read write ioctl };
+')
+
+########################################
+##     <desc>
+##             Execute fsadm in the caller domain.
+##     </desc>
+##     <param name="domain">
+##             The type of the process performing this action.
+##     </param>
+#
+interface(`fstools_exec',`
+	gen_require(`
+		type fsadm_exec_t;
+	')
+
+	can_exec($1,fsadm_exec_t)
+')
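Review bot: `fstools_domtrans` ends with `allow fsadm_t $1:process sigchld;`, but its `gen_require` block declares only the `fd` and `fifo_file` classes, so the `process` class and the `sigchld` permission are used without being required. Add `class process sigchld;` to that gen_require so the interface is self-contained, as the other interfaces in this commit are. The `terminal` parameter description in `fstools_run` is also garbled; `The type of the terminal the fs tools domain is allowed to use.` reads correctly.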
diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te
new file mode 100644
index 0000000..b4d4c4b
--- /dev/null
+++ b/refpolicy/policy/modules/system/fstools.te
@@ -0,0 +1,143 @@
+
+policy_module(fstools,1.0)
+
+########################################
+#
+# Declarations
+#
+type fsadm_t;
+type fsadm_exec_t;
+init_system_domain(fsadm_t,fsadm_exec_t)
+role system_r types fsadm_t;
+
+type fsadm_tmp_t;
+files_tmp_file(fsadm_tmp_t)
+
+type swapfile_t;
+files_file_type(swapfile_t)
+
+########################################
+
+# ipc_lock is for losetup
+allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config };
+allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow fsadm_t self:fd use;
+allow fsadm_t self:fifo_file rw_file_perms;
+allow fsadm_t self:unix_dgram_socket create_socket_perms;
+allow fsadm_t self:unix_stream_socket create_stream_socket_perms;
+allow fsadm_t self:unix_dgram_socket sendto;
+allow fsadm_t self:unix_stream_socket connectto;
+allow fsadm_t self:shm create_shm_perms;
+allow fsadm_t self:sem create_sem_perms;
+allow fsadm_t self:msgq create_msgq_perms;
+allow fsadm_t self:msg { send receive };
+
+can_exec(fsadm_t, fsadm_exec_t)
+
+allow fsadm_t fsadm_tmp_t:dir create_dir_perms;
+allow fsadm_t fsadm_tmp_t:file create_file_perms;
+files_create_tmp_files(fsadm_t, fsadm_tmp_t, { file dir })
+
+# Enable swapping to files
+allow fsadm_t swapfile_t:file { getattr swapon };
+
+kernel_read_system_state(fsadm_t)
+kernel_read_kernel_sysctl(fsadm_t)
+# Allow console log change (updfstab)
+kernel_change_ring_buffer_level(fsadm_t)
+
+# mkreiserfs and other programs need this for UUID
+dev_read_rand(fsadm_t)
+dev_read_urand(fsadm_t)
+# Recreate /dev/cdrom.
+dev_manage_generic_symlinks(fsadm_t)
+# Access to /initrd devices
+dev_search_usbfs(fsadm_t)
+
+fs_search_auto_mountpoints(fsadm_t)
+fs_getattr_xattr_fs(fsadm_t)
+# remount file system to apply changes
+fs_remount_xattr_fs(fsadm_t)
+
+storage_raw_read_fixed_disk(fsadm_t)
+storage_raw_write_fixed_disk(fsadm_t)
+storage_raw_read_removable_device(fsadm_t)
+storage_raw_write_removable_device(fsadm_t)
+storage_read_scsi_generic(fsadm_t)
+
+domain_use_wide_inherit_fd(fsadm_t)
+
+files_list_home(fsadm_t)
+files_read_usr_files(fsadm_t)
+files_read_generic_etc_files(fsadm_t)
+files_list_mnt(fsadm_t)
+# Write to /etc/mtab.
+files_manage_etc_runtime_files(fsadm_t)
+# Access to /initrd devices
+files_rw_isid_type_dir(fsadm_t)
+files_rw_isid_type_blk_node(fsadm_t)
+
+init_use_fd(fsadm_t)
+init_use_script_pty(fsadm_t)
+
+libs_use_ld_so(fsadm_t)
+libs_use_shared_libs(fsadm_t)
+
+logging_send_syslog_msg(fsadm_t)
+
+miscfiles_read_localization(fsadm_t)
+
+modutils_read_module_conf(fsadm_t)
+
+seutil_read_config(fsadm_t)
+
+userdom_use_unpriv_users_fd(fsadm_t)
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(fsadm_t)
+')
+
+ifdef(`TODO',`
+# for swapon
+allow fsadm_t sysfs_t:dir { search getattr };
+
+# for /dev/shm
+allow fsadm_t tmpfs_t:dir { getattr search };
+
+allow fsadm_t bin_t:dir r_dir_perms;
+allow fsadm_t bin_t:notdevfile_class_set r_file_perms;
+allow fsadm_t sbin_t:dir r_dir_perms;
+allow fsadm_t sbin_t:notdevfile_class_set r_file_perms;
+if (read_default_t) {
+allow fsadm_t default_t:dir r_dir_perms;
+allow fsadm_t default_t:notdevfile_class_set r_file_perms;
+}
+
+# mkreiserfs needs this
+allow fsadm_t proc_t:filesystem getattr;
+
+# Access lost+found.
+allow fsadm_t lost_found_t:dir create_dir_perms;
+allow fsadm_t lost_found_t:{ file sock_file fifo_file } create_file_perms;
+allow fsadm_t lost_found_t:lnk_file create_lnk_perms;
+
+allow fsadm_t file_t:dir { search read getattr rmdir create };
+
+# Recreate /mnt/cdrom.
+allow fsadm_t mnt_t:dir { rmdir create };
+
+# Enable swapping to devices and files
+allow fsadm_t fixed_disk_device_t:blk_file { getattr swapon };
+
+# Access terminals.
+ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
+
+# for smartctl cron jobs
+system_crond_entry(fsadm_exec_t, fsadm_t)
+
+# Access to /initrd devices
+allow fsadm_t unlabeled_t:dir rw_dir_perms;
+allow fsadm_t unlabeled_t:blk_file rw_file_perms;
+allow fsadm_t usbfs_t:dir getattr;
+
+') dnl end TODO
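Review bot: `allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };` is a deny-list, so fsadm_t receives every process permission not named in it, including any permission added to the class after this rule was written. This domain also holds `sys_admin`, `sys_rawio` and raw read/write on fixed and removable disks, so an explicit allow-list is safer. A starting point to trim against audit logs could be `allow fsadm_t self:process { fork sigchld sigkill sigstop signull signal getsched setsched };`. The capability line would also benefit from a comment saying which tools need `sys_admin` and `sys_tty_config`, as the existing comment does for `ipc_lock`.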
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 04b5831..ecb0dca 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -131,6 +131,10 @@ optional_policy(`consoletype.te',`
 	consoletype_domtrans(hotplug_t)
 ')
 
+optional_policy(`fstools.te',`
+	fstools_domtrans(hotplug_t)
+')
+
 optional_policy(`hostname.te',`
 	hostname_exec(hotplug_t)
 ')
@@ -188,10 +192,6 @@ optional_policy(`hotplug.te',`
 	allow hald_t hotplug_etc_t:file { getattr read };
 ')
 
-optional_policy(`fsadm.te', `
-	domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t)
-')
-
 optional_policy(`lpd.te', `
 	allow hotplug_t printer_device_t:chr_file setattr;
 ')
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index 31aa051..d03abd9 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -138,12 +138,15 @@ fs_getattr_xattr_fs(depmod_t)
 
 term_use_console(depmod_t)
 
+corecmd_search_bin(depmod_t)
+corecmd_search_sbin(depmod_t)
+
+domain_use_wide_inherit_fd(depmod_t)
+
 init_use_fd(depmod_t)
 init_use_script_fd(depmod_t)
 init_use_script_pty(depmod_t)
 
-domain_use_wide_inherit_fd(depmod_t)
-
 files_read_etc_runtime_files(depmod_t)
 files_read_generic_etc_files(depmod_t)
 files_read_usr_src(depmod_t)
@@ -153,8 +156,6 @@ libs_use_shared_libs(depmod_t)
 
 ifdef(`TODO',`
 
-allow depmod_t { bin_t sbin_t }:dir search;
-
 ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
 
 # Read System.map from home directories.
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 37e4b91..2b757c8 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -84,6 +84,10 @@ optional_policy(`clock.te',`
 	clock_run(sysadm_t,sysadm_r,admin_terminal)
 ')
 
+optional_policy(`fstools.te',`
+	fstools_run(sysadm_t,sysadm_r,admin_terminal)
+')
+
 optional_policy(`hostname.te',`
 	hostname_run(sysadm_t,sysadm_r,admin_terminal)
 ')

