[selinux-policy: 469/3172] tag for 20050707 release

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:45:13 UTC 2010


commit 58c7777e145a644a6b50cc8c97ab5886e73f6909
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Jul 7 17:25:53 2005 +0000

    tag for 20050707 release

 docs/macro_conversion_guide |  749 ++++++++++++++++---------------------------
 refpolicy/VERSION           |    2 +-
 2 files changed, 276 insertions(+), 475 deletions(-)
---
diff --git a/docs/macro_conversion_guide b/docs/macro_conversion_guide
index 5613836..ba0601a 100644
--- a/docs/macro_conversion_guide
+++ b/docs/macro_conversion_guide
@@ -8,226 +8,6 @@
 
 ########################################
 #
-# Object class sets
-#
-
-#
-# devfile_class_set
-#
-{ chr_file blk_file }
-
-#
-# dgram_socket_class_set
-#
-{ udp_socket unix_dgram_socket }
-
-#
-# dir_file_class_set
-#
-{ dir file lnk_file sock_file fifo_file chr_file blk_file }
-
-#
-# file_class_set
-#
-{ file lnk_file sock_file fifo_file chr_file blk_file }
-
-#
-# notdevfile_class_set
-#
-{ file lnk_file sock_file fifo_file }
-
-#
-# socket_class_set
-#
-{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket }
-
-#
-# stream_socket_class_set
-#
-{ tcp_socket unix_stream_socket }
-
-#
-# unpriv_socket_class_set
-#
-{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }
-
-########################################
-#
-# Permission Sets
-#
-
-#
-# connected_socket_perms
-#
-{ create ioctl read getattr write setattr append bind getopt setopt shutdown }
-
-#
-# connected_stream_socket_perms
-#
-{ create ioctl read getattr write setattr append bind getopt setopt shutdown listen accept }
-
-#
-# create_dir_perms
-#
-{ create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }
-
-#
-# create_file_perms
-#
-{ create ioctl read getattr lock write setattr append link unlink rename }
-
-#
-# create_lnk_perms
-#
-{ create read getattr setattr link unlink rename }
-
-#
-# create_msgq_perms
-#
-{ associate getattr setattr create destroy read write enqueue unix_read unix_write }
-
-#
-# create_netlink_socket_perms
-#
-{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }
-
-#
-# create_sem_perms
-#
-{ associate getattr setattr create destroy read write unix_read unix_write }
-
-#
-# create_shm_perms
-#
-{ associate getattr setattr create destroy read write lock unix_read unix_write }
-
-#
-# create_socket_perms
-#
-{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown }
-
-#
-# create_stream_socket_perms
-#
-{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }
-
-#
-# link_file_perms
-#
-{ getattr link unlink rename }
-
-#
-# mount_fs_perms
-#
-{ mount remount unmount getattr }
-
-#
-# packet_perms
-#
-{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }
-
-#
-# r_dir_perms
-#
-{ read getattr lock search ioctl }
-
-#
-# r_file_perms
-#
-{ read getattr lock ioctl }
-
-#
-# r_msgq_perms
-#
-{ associate getattr read unix_read }
-
-#
-# r_netlink_socket_perms
-#
-{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read }
-
-#
-# r_sem_perms
-#
-{ associate getattr read unix_read }
-
-#
-# r_shm_perms
-#
-{ associate getattr read unix_read }
-
-#
-# ra_dir_perms
-#
-{ read getattr lock search ioctl add_name write }
-
-#
-# ra_file_perms
-#
-{ ioctl read getattr lock append }
-
-#
-# rw_dir_perms
-#
-{ read getattr lock search ioctl add_name remove_name write }
-
-#
-# rw_file_perms
-#
-{ getattr read write append ioctl lock }
-
-#
-# rw_msgq_perms
-#
-{ associate getattr read write enqueue unix_read unix_write }
-
-#
-# rw_netlink_socket_perms
-#
-{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }
-
-#
-# rw_sem_perms
-#
-{ associate getattr read write unix_read unix_write }
-
-#
-# rw_shm_perms
-#
-{ associate getattr read write lock unix_read unix_write }
-
-#
-# rw_socket_perms
-#
-{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }
-
-#
-# rw_stream_socket_perms
-#
-{ ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }
-
-#
-# rx_file_perms
-#
-{ read getattr lock execute ioctl }
-
-#
-# signal_perms
-#
-{ sigchld sigkill sigstop signull signal }
-
-#
-# stat_file_perms
-#
-{ getattr }
-
-#
-# x_file_perms
-#
-{ getattr execute }
-
-########################################
-#
 # Attributes
 #
 # $1 is the type this attribute is on
@@ -240,17 +20,17 @@
 #
 # auth: complete
 #
-authlogin_read_shadow_passwords($1)
+auth_read_shadow($1)
 
 #
 # auth_chkpwd: complete
 #
-authlogin_check_password_transition($1)
+auth_domtrans_chk_passwd($1)
 
 #
 # file_type: complete
 #
-files_make_file($1)
+files_file_type($1)
 
 #
 # fs_domain: complete
@@ -262,12 +42,12 @@ storage_raw_write_fixed_disk($1)
 #
 # privfd: complete
 #
-domain_make_file_descriptors_widely_inheritable($1)
+domain_wide_inherit_fd($1)
 
 #
 # privlog: complete
 #
-logging_send_system_log_message($1)
+logging_send_syslog_msg($1)
 
 #
 # privmail: 
@@ -281,22 +61,22 @@ allow mta_user_agent $1:fifo_file { read write };
 #
 # privmodule: complete
 #
-modutils_insmod_transition($1)
+modutils_domtrans_insmod($1)
 
 #
 # privowner: complete
 #
-kernel_make_object_identity_change_constraint_exception($1)
+domain_obj_id_change_exempt($1)
 
 #
 # privrole: complete
 #
-kernel_make_role_change_constraint_exception($1)
+domain_role_change_exempt($1)
 
 #
 # privuser: complete
 #
-kernel_make_process_identity_change_constraint_exception($1)
+domain_subj_id_change_exempt($1)
 
 ########################################
 #
@@ -312,14 +92,10 @@ allow $1 devpts_t:dir { read search getattr };
 allow $1 $2_devpts_t:chr_file { read write getattr ioctl };
 
 #
-# admin_domain():
-#
-
-#
 # append_log_domain():
 #
 type $1_log_t;
-logging_make_log_file($1_log_t)
+logging_log_file($1_log_t)
 allow $1_t var_log_t:dir ra_dir_perms;
 allow $1_t $1_log_t:file  { create ra_file_perms };
 type_transition $1_t var_log_t:file $1_log_t;
@@ -328,7 +104,7 @@ type_transition $1_t var_log_t:file $1_log_t;
 # append_logdir_domain():
 #
 type $1_log_t;
-logging_make_log_file($1_log_t)
+logging_log_file($1_log_t)
 allow $1_t var_log_t:dir ra_dir_perms;
 allow $1_t $1_log_t:dir { setattr ra_dir_perms };
 allow $1_t $1_log_t:file  { create ra_file_perms };
@@ -339,48 +115,48 @@ type_transition $1_t var_log_t:file $1_log_t;
 #
 type $1_t;
 type $1_exec_t;
-domain_make_domain($1_t)
-domain_make_entrypoint_file($1_t,$1_exec_t)
+domain_type($1_t)
+domain_entry_file($1_t,$1_exec_t)
 role sysadm_r types $1_t;
 domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
-libraries_use_dynamic_loader($1_t)
-libraries_use_shared_libraries($1_t)
+libs_use_ld_so($1_t)
+libs_use_shared_libs($1_t)
 
 #
 # base_can_network($1,$2):
 #
-allow $1 self:$2_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
-corenetwork_network_$2_on_all_interfaces($1)
-corenetwork_network_raw_on_all_interfaces($1)
-corenetwork_network_$2_on_all_nodes($1)
-corenetwork_network_raw_on_all_nodes($1)
-corenetwork_bind_$2_on_all_nodes($1)
-corenetwork_network_$2_on_all_ports($1)
-sysnetwork_read_network_config($1)
+allow $1 self:$2_socket connected_socket_perms;
+corenet_$2_sendrecv_all_if($1)
+corenet_raw_sendrecv_all_if($1)
+corenet_$2_sendrecv_all_nodes($1)
+corenet_raw_sendrecv_all_nodes($1)
+corenet_$2_sendrecv_all_ports($1)
+corenet_$2_bind_all_nodes($1)
+sysnet_read_config($1)
 
 #
 # base_can_network($1,$2,$3):
 #
-allow $1 self:$2_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
-corenetwork_network_$2_on_all_interfaces($1)
-corenetwork_network_raw_on_all_interfaces($1)
-corenetwork_network_$2_on_all_nodes($1)
-corenetwork_network_raw_on_all_nodes($1)
-corenetwork_bind_$2_on_all_nodes($1)
-corenetwork_network_$2_on_$3_port($1)
-sysnetwork_read_network_config($1)
+allow $1 self:$2_socket connected_socket_perms;
+corenet_$2_sendrecv_all_if($1)
+corenet_raw_sendrecv_all_if($1)
+corenet_$2_sendrecv_all_nodes($1)
+corenet_raw_sendrecv_all_nodes($1)
+corenet_$2_bind_all_nodes($1)
+corenet_$2_sendrecv_$3_port($1)
+sysnet_read_config($1)
 
 #
 # base_file_read_access():
 #
-files_list_home_directories($1)
-files_read_general_application_resources($1)
+files_list_home($1)
+files_read_usr_files($1)
 allow $1 bin_t:dir r_dir_perms;
 allow $1 bin_t:notdevfile_class_set r_file_perms;
 allow $1 sbin_t:dir r_dir_perms;
 allow $1 sbin_t:notdevfile_class_set r_file_perms;
 kernel_read_kernel_sysctl($1)
-selinux_read_config($1)
+seutil_read_config($1)
 if (read_default_t) {
 allow $1 default_t:dir r_dir_perms;
 allow $1 default_t:notdevfile_class_set r_file_perms;
@@ -395,10 +171,6 @@ allow $1_t devpts_t:dir { getattr read search };
 dontaudit $1_t bsdpty_device_t:chr_file { getattr read write };
 
 #
-# base_user_domain():
-#
-
-#
 # can_create():
 #
 # for each i in $3
@@ -422,7 +194,7 @@ allow $1 $2:$3 { create ioctl read getattr lock write setattr append link unlink
 #
 # can_create_other_pty(): complete
 #
-terminal_create_private_pseudoterminal($1_t,$2_devpts_t)
+term_create_pty($1_t,$2_devpts_t)
 allow $1_t $2_devpts_t:chr_file { setattr ioctl read getattr lock write append };
 
 #
@@ -430,26 +202,21 @@ allow $1_t $2_devpts_t:chr_file { setattr ioctl read getattr lock write append }
 #
 # $2 may require more conversion
 type $1_devpts_t $2;
-terminal_make_pseudoterminal($1_devpts_t)
+term_pty($1_devpts_t)
 allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
-terminal_create_private_pseudoterminal($1_t,$1_devpts_t)
-
-#
-# can_exec(): complete
-#
-allow $1 $2:file { getattr read execute execute_no_trans };
+term_create_pty($1_t,$1_devpts_t)
 
 #
 # can_exec_any(): complete
 #
-domain_execute_all_entrypoint_programs($1)
-files_execute_system_config_script($1)
-corecommands_execute_general_programs($1)
-corecommands_execute_system_programs($1)
-libraries_use_dynamic_loader($1)
-libraries_use_shared_libraries($1)
-libraries_execute_dynamic_loader($1)
-libraries_execute_library_scripts($1)
+domain_exec_all_entry_files($1)
+files_exec_generic_etc_files($1)
+corecmd_exec_bin($1)
+corecmd_exec_sbin($1)
+libs_use_ld_so($1)
+libs_use_shared_libs($1)
+libs_exec_ld_so($1)
+libs_exec_lib_files($1)
 
 #
 # can_getcon():
@@ -460,37 +227,39 @@ kernel_read_system_state($1)
 #
 # can_getsecurity(): complete
 #
-kernel_get_selinuxfs_mount_point($1)
-kernel_validate_selinux_context($1)
-kernel_compute_selinux_access_vector($1)
-kernel_compute_selinux_create_context($1)
-kernel_compute_selinux_relabel_context($1)
-kernel_compute_selinux_reachable_user_contexts($1)
+selinux_get_fs_mount($1)
+selinux_validate_context($1)
+selinux_compute_access_vector($1)
+selinux_compute_create_context($1)
+selinux_compute_relabel_context($1)
+selinux_compute_user_contexts($1)
 
 #
-# can_kerberos():
+# can_kerberos(): complete
 #
-ifdef(`kerberos.te',`
-if (allow_kerberos) {
-can_network_client($1, `kerberos_port_t')
-can_resolve($1)
-}
-') dnl kerberos.te
-dontaudit $1 krb5_conf_t:file write;
-allow $1 krb5_conf_t:file { getattr read };
+optional_policy(`kerberos.te',`
+	kerberos_use($1)
+')
 
 #
-# can_ldap():
+# can_ldap(): complete
 #
-ifdef(`slapd.te',`
-can_network_client_tcp($1, `ldap_port_t')
+optional_policy(`ldap.te',`
+	allow $1 self:tcp_socket create_socket_perms;
+	corenet_tcp_sendrecv_all_if($1)
+	corenet_raw_sendrecv_all_if($1)
+	corenet_tcp_sendrecv_all_nodes($1)
+	corenet_raw_sendrecv_all_nodes($1)
+	corenet_tcp_sendrecv_ldap_port($1)
+	corenet_tcp_bind_all_nodes($1)
+	sysnet_read_config($1)
 ')
 
 #
 # can_loadpol(): complete
 #
-kernel_get_selinuxfs_mount_point($1)
-kernel_load_selinux_policy($1)
+selinux_get_fs_mount($1)
+selinux_load_policy($1)
 
 #
 # can_network():
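Review bot: The new can_kerberos() mapping drops the `if (allow_kerberos)` gate and the `can_resolve($1)` call that the old expansion carried, and whether `kerberos_use($1)` reproduces that boolean gating and the DNS access is not visible in this hunk. Because the entry is now marked complete, an author converting can_kerberos() will assume parity; if kerberos_use() grants kerberos-port access unconditionally, every converted domain gains network reach it previously only had with the tunable on. Suggest a one-line note under the entry, e.g. `# kerberos_use() is expected to carry the allow_kerberos tunable and the DNS lookup; confirm before converting callers`.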
@@ -510,38 +279,38 @@ can_network_udp($1, `$2')
 #
 # can_network_client_tcp($1): complete
 #
-allow $1 self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
-corenetwork_network_tcp_on_all_interfaces($1)
-corenetwork_network_raw_on_all_interfaces($1)
-corenetwork_network_tcp_on_all_nodes($1)
-corenetwork_network_raw_on_all_nodes($1)
-corenetwork_bind_tcp_on_all_nodes($1)
-corenetwork_network_tcp_on_all_ports($1)
-sysnetwork_read_network_config($1)
+allow $1 self:tcp_socket create_socket_perms;
+corenet_tcp_sendrecv_all_if($1)
+corenet_raw_sendrecv_all_if($1)
+corenet_tcp_sendrecv_all_nodes($1)
+corenet_raw_sendrecv_all_nodes($1)
+corenet_tcp_sendrecv_all_ports($1)
+corenet_tcp_bind_all_nodes($1)
+sysnet_read_config($1)
 
 #
 # can_network_client_tcp($1,$2):
 #
 # remove _port_t from $2
-allow system_mail_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
-corenetwork_network_tcp_on_all_interfaces(system_mail_t)
-corenetwork_network_raw_on_all_interfaces(system_mail_t)
-corenetwork_network_tcp_on_all_nodes(system_mail_t)
-corenetwork_network_raw_on_all_nodes(system_mail_t)
-corenetwork_bind_tcp_on_all_nodes(system_mail_t)
-corenetwork_network_tcp_on_$2_port(system_mail_t)
-sysnetwork_read_network_config(system_mail_t)
+allow $1 self:tcp_socket create_socket_perms;
+corenet_tcp_sendrecv_all_if($1)
+corenet_raw_sendrecv_all_if($1)
+corenet_tcp_sendrecv_all_nodes($1)
+corenet_raw_sendrecv_all_nodes($1)
+corenet_tcp_sendrecv_$2_port($1)
+corenet_tcp_bind_all_nodes($1)
+sysnet_read_config($1)
 
 #
 # can_network_server():
 #
-allow $1 self:tcp_socket { listen accept };
+allow $1 self:tcp_socket create_stream_socket_perms;
 base_can_network($1, tcp, `$2')
 
 #
 # can_network_server_tcp():
 #
-allow $1 self:tcp_socket { listen accept };
+allow $1 self:tcp_socket create_stream_socket_perms;
 base_can_network($1, tcp, `$2')
 
 #
@@ -575,24 +344,24 @@ allow $1 $2:process ptrace;
 allow $2 $1:process sigchld;
 
 #
-# can_resolve():
+# can_resolve(): complete
 #
 tunable_policy(`use_dns',`
-allow $1 self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
-corenetwork_network_udp_on_all_interfaces($1)
-corenetwork_network_raw_on_all_interfaces($1)
-corenetwork_network_udp_on_all_nodes($1)
-corenetwork_network_raw_on_all_nodes($1)
-corenetwork_bind_udp_on_all_nodes($1)
-corenetwork_network_udp_on_dns_port($1)
-sysnetwork_read_network_config($1)
+	allow $1 self:udp_socket create_socket_perms;
+	corenet_udp_sendrecv_all_if($1)
+	corenet_raw_sendrecv_all_if($1)
+	corenet_udp_sendrecv_all_nodes($1)
+	corenet_raw_sendrecv_all_nodes($1)
+	corenet_udp_sendrecv_dns_port($1)
+	corenet_udp_bind_all_nodes($1)
+	sysnet_read_config($1)
 ')
 
 #
 # can_setbool(): complete
 #
-kernel_get_selinuxfs_mount_point($1)
-kernel_set_selinux_boolean($1)
+selinux_get_fs_mount($1)
+selinux_set_boolean($1)
 
 #
 # can_setcon(): complete
@@ -600,15 +369,15 @@ kernel_set_selinux_boolean($1)
 # get mount point is due to libselinux init
 #
 allow $1 self:process setcurrent;
-kernel_get_selinuxfs_mount_point($1)
+selinux_get_fs_mount($1)
 
 #
 # can_setenforce(): complete
 #
 # get mount point is due to libselinux init
 #
-kernel_get_selinuxfs_mount_point($1)
-kernel_set_selinux_enforcement_mode($1)
+selinux_get_fs_mount($1)
+selinux_set_enforce_mode($1)
 
 #
 # can_setexec(): complete
@@ -616,7 +385,7 @@ kernel_set_selinux_enforcement_mode($1)
 # get mount point is due to libselinux init
 #
 allow $1 self:process setexec;
-kernel_get_selinuxfs_mount_point($1)
+selinux_get_fs_mount($1)
 
 #
 # can_setfscreate(): complete
@@ -624,38 +393,34 @@ kernel_get_selinuxfs_mount_point($1)
 # get mount point is due to libselinux init
 #
 allow $1 self:process setfscreate;
-kernel_get_selinuxfs_mount_point($1)
+selinux_get_fs_mount($1)
 
 #
 # can_setsecparam(): complete
 #
 # get mount point is due to libselinux init
 #
-kernel_get_selinuxfs_mount_point($1)
+selinux_get_fs_mount($1)
 kernel_setsecparam($1)
 
 #
 # can_sysctl(): complete
 #
-kernel_modify_all_sysctl($1)
+kernel_rw_all_sysctl($1)
 
 #
 # can_tcp_connect
-# (policy is commented out)
-# Irrelevant until we have labeled networking.
 #
-#allow $1 $2:tcp_socket { connectto recvfrom };
-#allow $2 $1:tcp_socket { acceptfrom recvfrom };
-#allow $2 kernel_t:tcp_socket recvfrom;
-#allow $1 kernel_t:tcp_socket recvfrom;
+allow $1 $2:tcp_socket { connectto recvfrom };
+allow $2 $1:tcp_socket { acceptfrom recvfrom };
+allow $2 kernel_t:tcp_socket recvfrom;
+allow $1 kernel_t:tcp_socket recvfrom;
 
 #
 # can_udp_send():
-# (policy is commented out)
-# Irrelevant until we have labeled networking.
 #
-#allow $1 $2:udp_socket sendto;
-#allow $2 $1:udp_socket recvfrom;
+allow $1 $2:udp_socket sendto;
+allow $2 $1:udp_socket recvfrom;
 
 #
 # can_unix_connect():
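Review bot: The can_tcp_connect() and can_udp_send() rules are now live, but the "Irrelevant until we have labeled networking" caveat is removed without replacement; `connectto`, `acceptfrom`, `sendto` and `recvfrom` on a peer's socket are only checked when labeled networking is in effect, so a reader should be told these are not access controls on an unlabeled stack rather than left to assume they confine anything. The block also names `kernel_t` directly, whereas every other entry in this guide goes through a module interface, so the two kernel-side grants belong behind a kernel-layer interface rather than a raw type reference. Suggest keeping a comment above the block such as `# only enforced with labeled networking; the kernel_t rules should move behind a kernel interface`.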
@@ -668,8 +433,11 @@ allow $1 $2:unix_stream_socket connectto;
 allow $1 $2:unix_dgram_socket sendto;
 
 #
-# can_ypbind():
+# can_ypbind(): complete
 #
+optional_policy(`nis.te',`
+	nis_use_ypbind($1)
+')
 
 #
 # create_append_log_file():
@@ -696,42 +464,37 @@ allow $1 $2:lnk_file { create read getattr setattr link unlink rename };
 #
 type $1_t;
 type $1_exec_t;
-init_make_daemon_domain($1_t,$1_exec_t)
+init_daemon_domain($1_t,$1_exec_t)
 role system_r types $1_t;
 dontaudit $1_t self:capability sys_tty_config;
 allow $1_t self:process { sigchld sigkill sigstop signull signal };
 kernel_read_kernel_sysctl($1_t)
-kernel_read_hardware_state($1_t)
-terminal_ignore_use_console($1_t)
-init_use_file_descriptors($1_t)
-init_script_use_pseudoterminal($1_t)
-domain_use_widely_inheritable_file_descriptors($1_t)
-libraries_use_dynamic_loader($1_t)
-libraries_use_shared_libraries($1_t)
-logging_send_system_log_message($1_t)
-allow $1_t proc_t:dir r_dir_perms;
-allow $1_t proc_t:lnk_file read;
-tunable_policy(`direct_sysadm_daemon', `
-dontaudit $1_t admin_tty_type:chr_file rw_file_perms;
+dev_read_sysfs($1_t)
+fs_search_auto_mountpoints($1_t)
+term_dontaudit_use_console($1_t)
+domain_use_wide_inherit_fd($1_t)
+init_use_fd($1_t)
+init_use_script_pty($1_t)
+libs_use_ld_so($1_t)
+libs_use_shared_libs($1_t)
+logging_send_syslog_msg($1_t)
+userdom_dontaudit_use_unpriv_user_fd($1_t)
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_tty($1_t)
+	term_dontaudit_use_generic_pty($1_t)
+	files_dontaudit_read_root_file($1_t)
 ')
-tunable_policy(`targeted_policy', `
-terminal_ignore_use_general_physical_terminal($1_t)
-terminal_ignore_use_general_pseudoterminal($1_t)
-files_ignore_read_rootfs_file($1_t)
-')
-optional_policy(`rhgb.te', `
-allow $1_t rhgb_t:process sigchld;
-allow $1_t rhgb_t:fd use;
-allow $1_t rhgb_t:fifo_file { read write };
+optional_policy(`rhgb.te',`
+	rhgb_domain($1_t)
 ')
 optional_policy(`selinux.te',`
-selinux_newrole_sigchld($1_t)
+	seutil_newrole_sigchld($1_t)
 ')
 optional_policy(`udev.te', `
-udev_read_database($1_t)
+	udev_read_db($1_t)
 ')
-dontaudit $1_t unpriv_userdomain:fd use;
-allow $1_t autofs_t:dir { search getattr };
+allow $1_t proc_t:dir r_dir_perms;
+allow $1_t proc_t:lnk_file read;
 
 
 #
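Review bot: The old daemon_base_domain() expansion had a `tunable_policy(`direct_sysadm_daemon', ...)` block with `dontaudit $1_t admin_tty_type:chr_file rw_file_perms;` and the new side carries no counterpart, so converted daemons will start generating AVC denials for sysadm tty access whenever that tunable is on. If the drop is deliberate, add a line under the entry saying so; otherwise restore the tunable block in its interface-based form. Switching the targeted block from `tunable_policy(`targeted_policy'` to `ifdef(`targeted_policy'` looks right if targeted_policy is a build-time define, but the daemon entry further down in this same file still uses the `tunable_policy(`targeted_policy'` form, so the guide is now inconsistent about which to use.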
@@ -739,43 +502,41 @@ allow $1_t autofs_t:dir { search getattr };
 #
 type $1_t;
 type $1_exec_t;
-init_make_daemon_domain($1_t,$1_exec_t)
+init_daemon_domain($1_t,$1_exec_t)
 type $1_var_run_t;
-files_make_daemon_runtime_file($1_var_run_t)
-allow $1_t $1_var_run_t:file { getattr create read write append setattr unlink };
-files_create_daemon_runtime_data($1_t,$1_var_run_t)
+files_pid_file($1_var_run_t)
 dontaudit $1_t self:capability sys_tty_config;
+allow $1_t $1_var_run_t:file { getattr create read write append setattr unlink };
+files_create_pid($1_t,$1_var_run_t)
 kernel_read_kernel_sysctl($1_t)
-kernel_read_hardware_state($1_t)
-filesystem_get_all_filesystems_attributes($1_t)
-terminal_ignore_use_console($1_t)
-init_use_file_descriptors($1_t)
-init_script_use_pseudoterminal($1_t)
-domain_use_widely_inheritable_file_descriptors($1_t)
-logging_send_system_log_message($1_t)
-libraries_use_dynamic_loader($1_t)
-libraries_use_shared_libraries($1_t)
+dev_read_sysfs($1_t)
+fs_getattr_all_fs($1_t)
+fs_search_auto_mountpoints($1_t)
+term_dontaudit_use_console($1_t)
+domain_use_wide_inherit_fd($1_t)
+init_use_fd($1_t)
+init_use_script_pty($1_t)
+libs_use_ld_so($1_t)
+libs_use_shared_libs($1_t)
+logging_send_syslog_msg($1_t)
 miscfiles_read_localization($1_t)
-tunable_policy(`targeted_policy', `
-terminal_ignore_use_general_physical_terminal($1_t)
-terminal_ignore_use_general_pseudoterminal($1_t)
-files_ignore_read_rootfs_file($1_t)
+userdom_dontaudit_use_unpriv_user_fd($1_t)
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_tty($1_t)
+	term_dontaudit_use_generic_pty($1_t)
+	files_dontaudit_read_root_file($1_t)
 ')
-optional_policy(`rhgb.te', `
-allow $1_t rhgb_t:process sigchld;
-allow $1_t rhgb_t:fd use;
-allow $1_t rhgb_t:fifo_file { read write };
+optional_policy(`rhgb.te',`
+	rhgb_domain($1_t)
 ')
 optional_policy(`selinux.te',`
-selinux_newrole_sigchld($1_t)
+	seutil_newrole_sigchld($1_t)
 ')
 optional_policy(`udev.te', `
-udev_read_database($1_t)
+	udev_read_db($1_t)
 ')
 allow $1_t proc_t:dir r_dir_perms;
 allow $1_t proc_t:lnk_file read;
-dontaudit $1_t unpriv_userdomain:fd use;
-allow $1_t autofs_t:dir { search getattr };
 dontaudit $1_t sysadm_home_dir_t:dir search;
 
 #
@@ -790,8 +551,8 @@ domain_auto_trans($1, $2_exec_t, $2_t)
 allow $2_t $1:fd use;
 allow $2_t $1:process sigchld;
 allow $2_t self:process signal_perms;
-libraries_use_dynamic_loader($2_t)
-libraries_use_shared_libraries($2_t)
+libs_use_ld_so($2_t)
+libs_use_shared_libs($2_t)
 allow $2_t proc_t:dir r_dir_perms;
 allow $2_t proc_t:lnk_file read;
 allow $2_t device_t:dir getattr;
@@ -800,14 +561,14 @@ allow $2_t device_t:dir getattr;
 # etc_domain():
 #
 type $1_etc_t; #, usercanread;
-files_make_file($1_etc_t)
+files_file_type($1_etc_t)
 allow $1_t $1_etc_t:file { getattr read };
 
 #
 # etcdir_domain():
 #
 type $1_etc_t; #, usercanread;
-files_make_file($1_etc_t)
+files_file_type($1_etc_t)
 allow $1_t $1_etc_t:file r_file_perms;
 allow $1_t $1_etc_t:dir r_dir_perms;
 allow $1_t $1_etc_t:lnk_file { getattr read };
@@ -831,37 +592,33 @@ can_create_internal($1,$3,$i)
 type_transition $1 $2:$i $3;
 
 #
-# full_user_role():
-#
-
-#
-# general_domain_access():
+# general_domain_access(): complete
 #
 allow $1 self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
 allow $1 self:fd use;
-allow $1 self:fifo_file { read getattr lock ioctl write append };
-allow $1 self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow $1 self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow $1 self:fifo_file rw_file_perms;
+allow $1 self:unix_dgram_socket create_socket_perms;
+allow $1 self:unix_stream_socket create_stream_socket_perms;
 allow $1 self:unix_dgram_socket sendto;
 allow $1 self:unix_stream_socket connectto;
-allow $1 self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow $1 self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow $1 self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow $1 self:shm create_shm_perms;
+allow $1 self:sem create_sem_perms;
+allow $1 self:msgq create_msgq_perms;
 allow $1 self:msg { send receive };
-allow $1 unpriv_userdomain:fd use;
-can_ypbind($1)
-ifdef(`automount.te', `
-allow $1 autofs_t:dir { search getattr };
+fs_search_auto_mountpoints($1)
+userdom_use_unpriv_user_fd($1)
+optional_policy(`nis.te',`
+	nis_use_ypbind($1)
 ')
 
 #
 # general_proc_read_access(): complete
 #
 kernel_read_system_state($1)
-kernel_read_network_state($1)
+kernel_read_sendrecv_state($1)
 kernel_read_software_raid_state($1)
-kernel_get_core_interface_attributes($1)
-kernel_get_message_interface_attributes($1)
+kernel_getattr_core($1)
+kernel_getattr_message_if($1)
 kernel_read_kernel_sysctl($1)
 
 #
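Review bot: In general_proc_read_access() the renamed call `kernel_read_sendrecv_state($1)` looks like a mechanical network-to-sendrecv substitution that belongs to the corenet_* renames, not to the kernel module: the original here was `kernel_read_network_state($1)`, and the inetd_child_domain() entry added elsewhere in this same commit still calls `kernel_read_network_state($1_t)`. An author following this entry would write a call to an interface that, as far as the rest of the guide shows, does not exist. Suggest `kernel_read_network_state($1)`.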
@@ -891,58 +648,107 @@ role staff_r types $1;
 #
 type $1_t;
 type $1_exec_t;
-init_make_daemon_domain($1_t,$1_exec_t)
+init_daemon_domain($1_t,$1_exec_t)
 dontaudit $1_t self:capability sys_tty_config;
-kernel_read_hardware_state($1_t)
-terminal_ignore_use_console($1_t)
-init_use_file_descriptors($1_t)
-libraries_use_dynamic_loader($1_t)
-libraries_use_shared_libraries($1_t)
-logging_send_system_log_message($1_t)
+dev_read_sysfs($1_t)
+term_dontaudit_use_console($1_t)
+init_use_fd($1_t)
+libs_use_ld_so($1_t)
+libs_use_shared_libs($1_t)
+logging_send_syslog_msg($1_t)
 tunable_policy(`targeted_policy', `
-terminal_ignore_use_general_physical_terminal($1_t)
-terminal_ignore_use_general_pseudoterminal($1_t)
-files_ignore_read_rootfs_file($1_t)
+term_dontaudit_use_unallocated_tty($1_t)
+term_dontaudit_use_generic_pty($1_t)
+files_dontaudit_read_root_file($1_t)
 ')dnl end targeted_policy tunable
 allow $1_t proc_t:dir r_dir_perms;
 allow $1_t proc_t:lnk_file read;
 optional_policy(`udev.te', `
-udev_read_database($1_t)
+udev_read_db($1_t)
 ')
 allow $1_t autofs_t:dir { search getattr };
 dontaudit $1_t unpriv_userdomain:fd use;
 
 #
+# inetd_child_domain():
+#
+type $1_t; #, nscd_client_domain;
+type $1_exec_t;
+inetd_(udp_|tcp_)?service_domain($1_t,$1_exec_t)
+role system_r types $1_t;
+type $1_tmp_t;
+files_tmp_file($1_tmp_t)
+type $1_var_run_t;
+files_pid_file($1_var_run_t)
+allow $1_t self:process signal_perms;
+allow $1_t self:fifo_file rw_file_perms;
+allow $1_t self:tcp_socket { listen accept connected_socket_perms }
+# for identd
+# cjp: this should probably only be inetd_child rules?
+allow $1_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow $1_t self:capability { setuid setgid };
+allow $1_t self:dir search;
+allow $1_t self:{ lnk_file file } { getattr read };
+#allow $1_t home_root_t:dir search;
+#can_kerberos($1_t)
+#end for identd
+allow $1_t $1_tmp_t:dir create_dir_perms;
+allow $1_t $1_tmp_t:file create_file_perms;
+files_create_tmp_files($1_t, $1_tmp_t, { file dir })
+allow $1_t $1_var_run_t:file create_file_perms;
+files_create_pid($1_t,$1_var_run_t)
+kernel_read_kernel_sysctl($1_t)
+kernel_read_system_state($1_t)
+kernel_read_network_state($1_t)
+corenet_sendrecv_tcp_on_all_interfaces($1_t)
+corenet_sendrecv_raw_on_all_interfaces($1_t)
+corenet_sendrecv_tcp_on_all_nodes($1_t)
+corenet_sendrecv_raw_on_all_nodes($1_t)
+corenet_bind_tcp_on_all_nodes($1_t)
+corenet_sendrecv_tcp_on_all_ports($1_t)
+dev_read_urand($1_t)
+fs_getattr_xattr_fs($1_t)
+files_read_generic_etc_files($1_t)
+libs_use_ld_so($1_t)
+libs_use_shared_libs($1_t)
+logging_send_syslog_msg($1_t)
+miscfiles_read_localization($1_t)
+sysnet_read_config($1_t)
+optional_policy(`nis.te',`
+	nis_use_ypbind($1_t)
+')
+
+#
 # legacy_domain(): complete
 #
 allow $1_t self:process execmem;
-libraries_legacy_use_shared_libraries($1_t)
-libraries_legacy_use_dynamic_loader($1_t)
+libs_legacy_use_shared_libs($1_t)
+libs_legacy_use_ld_so($1_t)
 
 #
 # lock_domain(): complete
 #
 type $1_lock_t;
-files_make_lock_file($1_lock_t)
-allow $1_t $1_lock_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-files_create_private_lock_file($1_t,$1_lock_t)
+files_lock_file($1_lock_t)
+allow $1_t $1_lock_t:file create_file_perms;
+files_create_lock_file($1_t,$1_lock_t)
 
 #
 # log_domain(): complete
 #
 type $1_log_t;
-logging_make_log_file($1_log_t)
-allow $1_t $1_log_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-logging_create_private_log($1_t,$1_log_t)
+logging_log_file($1_log_t)
+allow $1_t $1_log_t:file create_file_perms;
+logging_create_log($1_t,$1_log_t)
 
 #
 # logdir_domain(): complete
 #
 type $1_log_t;
-logging_make_log_file($1_log_t)
-allow $1_t $1_log_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow $1_t $1_log_t:dir { getattr search read lock ioctl add_name remove_name write setattr };
-logging_create_private_log($1_t,$1_log_t,{ file dir })
+logging_log_file($1_log_t)
+allow $1_t $1_log_t:file create_file_perms;
+allow $1_t $1_log_t:dir rw_dir_perms;
+logging_search_logs($1_t,$1_log_t,{ file dir })
 
 #
 # mini_user_domain():
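Review bot: The new inetd_child_domain() entry contains a rule that will not compile as written: `allow $1_t self:tcp_socket { listen accept connected_socket_perms }` nests a permission-set macro inside a brace list and has no terminating semicolon; `allow $1_t self:tcp_socket create_stream_socket_perms;` expresses the intended set. The corenet calls in the same entry (`corenet_sendrecv_tcp_on_all_interfaces`, `corenet_bind_tcp_on_all_nodes`, …) follow a different naming scheme from the `corenet_tcp_sendrecv_all_if` / `corenet_tcp_bind_all_nodes` form used in every other entry of this guide, so one of the two schemes is stale. The `self:capability { setuid setgid }` grant and the tcpdiag netlink socket are marked as being for identd yet are handed to every inetd child by the shared macro; the cjp comment already flags this, and a note that they should move to the identd policy would keep the shared grant minimal. Separately, in logdir_domain() the create-with-transition call was replaced by `logging_search_logs($1_t,$1_log_t,{ file dir })`, a search interface carrying three arguments, which does not match the `logging_create_log($1_t,$1_log_t)` used in log_domain() just above — verify the intended interface.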
@@ -1026,13 +832,13 @@ allow $1 $2:lnk_file { getattr read };
 # system_domain():
 #
 type $1_t;
-domain_make_domain($1_t)
+domain_type($1_t)
 role system_r types $1_t;
 type $1_exec_t;
-domain_make_entrypoint_file($1_t,$1_exec_t)
-libraries_use_dynamic_loader($1_t)
-libraries_use_shared_libraries($1_t)
-logging_send_system_log_message($1_t)
+domain_entry_file($1_t,$1_exec_t)
+libs_use_ld_so($1_t)
+libs_use_shared_libs($1_t)
+logging_send_syslog_msg($1_t)
 allow $1_t etc_t:dir r_dir_perms;
 
 #
@@ -1041,13 +847,13 @@ allow $1_t etc_t:dir r_dir_perms;
 # $2 may need more handling
 #
 type $1_tmp_t $2;
-files_make_temporary_file($1_tmp_t)
+files_tmp_file($1_tmp_t)
 # no class specified:
-allow $1_t $1_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow $1_t $1_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-files_create_private_tmp_data($1_t, $1_tmp_t, { file dir })
+allow $1_t $1_tmp_t:dir create_dir_perms;
+allow $1_t $1_tmp_t:file create_file_perms;
+files_create_tmp_files($1_t, $1_tmp_t, { file dir })
 # class specified:
-files_create_private_tmp_data($1_t, $1_tmp_t, $3)
+files_create_tmp_files($1_t, $1_tmp_t, $3)
 # $3 manage object perms here
 
 #
@@ -1056,16 +862,21 @@ files_create_private_tmp_data($1_t, $1_tmp_t, $3)
 # $2 may need more handling
 #
 type $1_tmp_t $2;
-files_make_temporary_file($1_tmp_t)
-files_create_private_tmp_data($1_t, $1_tmp_t, $3)
+files_tmp_file($1_tmp_t)
+files_create_tmp_files($1_t, $1_tmp_t, $3)
 allow $1_t $1_tmp_t:$3 manage_obj_perms;
 
 #
-# tmpfs_domain():
+# tmpfs_domain(): complete
 #
-type $1_tmpfs_t, file_type, sysadmfile, tmpfsfile;
-file_type_auto_trans($1_t, tmpfs_t, $1_tmpfs_t)
-allow $1_tmpfs_t tmpfs_t:filesystem associate;
+type $1_tmpfs_t;
+files_tmpfs_file($1_tmpfs_t)
+allow $1_t $1_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
+allow $1_t $1_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow $1_t $1_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
+allow $1_t $1_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+allow $1_t $1_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+filesystem_create_private_tmpfs_data($1_t,$1_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 
 #
 # unconfined_domain():
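Review bot: The tmpfs_domain() entry is marked complete, but its last line `filesystem_create_private_tmpfs_data(...)` still uses the long pre-rename module prefix while the rest of this commit converts that module to `fs_` (`fs_getattr_all_fs`, `fs_search_auto_mountpoints`), so the call name is likely stale. The five spelled-out permission lists above it are exactly `rw_dir_perms`, `create_file_perms`, `create_lnk_perms`, `create_file_perms` and `create_file_perms`, which this same commit adopts everywhere else, and using the named sets would keep the entry readable. Note also that the new expansion explicitly grants lnk_file, sock_file and fifo_file creation under the domain's tmpfs type; whether the old class-less `file_type_auto_trans` covered those classes is not visible here, so a comment stating the intended class set would help a reader judge the widening.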
@@ -1078,16 +889,12 @@ type $1_t, domain, privlog $2;
 type $1_exec_t, file_type, sysadmfile, exec_type;
 role sysadm_r types $1_t;
 domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
-libraries_use_dynamic_loader($1_t)
-libraries_use_shared_libraries($1_t)
+libs_use_ld_so($1_t)
+libs_use_shared_libs($1_t)
 in_user_role($1_t)
 domain_auto_trans(userdomain, $1_exec_t, $1_t)
 
 #
-# user_domain():
-#
-
-#
 # uses_authbind():
 #
 domain_auto_trans($1, authbind_exec_t, authbind_t)
@@ -1096,26 +903,20 @@ allow authbind_t $1:fd use;
 allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms;
 
 #
-# uses_shlib(): complete
-#
-libraries_use_dynamic_loader($1)
-libraries_use_shared_libraries($1)
-
-#
 # var_lib_domain():
 #
 type $1_var_lib_t, file_type, sysadmfile;
 typealias $1_var_lib_t alias var_lib_$1_t;
 file_type_auto_trans($1_t, var_lib_t, $1_var_lib_t, file)
-allow $1_t $1_var_lib_t:dir { read getattr lock search ioctl add_name remove_name write };
+allow $1_t $1_var_lib_t:dir rw_dir_perms;
 
 #
 # var_run_domain($1):
 #
-type $1_var_run_t, file_type, sysadmfile, pidfile;
-file_type_auto_trans($1_t, var_run_t, $1_var_run_t, file)
-allow $1_t var_t:dir search;
-allow $1_t $1_var_run_t:dir { read getattr lock search ioctl add_name remove_name write };
+type $1_var_run_t;
+files_pid_file($1_var_run_t)
+allow $1_t $1_var_run_t:file create_file_perms;
+files_create_pid($1_t,$1_var_run_t)
 
 #
 # var_run_domain($1,$2):
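Review bot: The converted var_run_domain($1) drops the `$1_var_run_t:dir` read/write grant and the `var_t:dir search` that the old expansion carried and keeps only file `create_file_perms` plus `files_create_pid`; a daemon that creates a subdirectory under its pid-file type loses that access after conversion, unless files_create_pid() supplies it, which this hunk does not show. If the directory access is intentionally out of scope, say so under the entry; otherwise add `allow $1_t $1_var_run_t:dir rw_dir_perms;` back. The var_lib_domain() entry in the same hunk is left with raw `file_type, sysadmfile` attributes and `file_type_auto_trans` while only its perm list was restyled, so it should not be read as converted.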
diff --git a/refpolicy/VERSION b/refpolicy/VERSION
index 91637d6..74d811d 100644
--- a/refpolicy/VERSION
+++ b/refpolicy/VERSION
@@ -1 +1 @@
-20050615
+20050707

