[selinux-policy: 491/3172] add macro to expand object class sets for use in require blocks

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:47:05 UTC 2010


commit 157c69416fed3c9eb6ece4d78ee893354997e65e
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Jul 15 15:53:54 2005 +0000

    add macro to expand object class sets for use in require blocks

 refpolicy/policy/modules/system/domain.if  |   27 +++++++++++++++++++++++++++
 refpolicy/policy/modules/system/pcmcia.te  |    8 +++-----
 refpolicy/policy/support/obj_perm_sets.spt |   23 +++++++++++++++++++++++
 3 files changed, 53 insertions(+), 5 deletions(-)
---
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index d67e739..33cbc57 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -359,6 +359,33 @@ interface(`domain_getsession_all_domains',`
 ')
 
 ########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all domains sockets, for all socket types.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to get the attributes
+##	of all domains sockets, for all socket types.
+##	</p>
+##	<p>
+##	This interface was added for PCMCIA cardmgr
+##	and is probably excessive.
+##	</p>
+## </desc>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_sockets',`
+	gen_require(`
+		gen_require_set(getattr,socket_class_set)
+	')
+
+	dontaudit $1 domain:socket_class_set getattr;
+')
+
+########################################
 ## <desc>
 ##	Do not audit attempts to get the attributes
 ##	of all domains UDP sockets.
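Review bot: The `<desc>` of the new `domain_dontaudit_getattr_all_sockets` interface says the rule is "probably excessive" but never records which denial it is meant to silence, and because the rule is written against the `domain` attribute it suppresses socket getattr audit records for every domain, including any added later, so whoever audits the policy's blind spots cannot tell what was intended. The pcmcia.te hunk in this commit pairs the call with a fuser comment, which suggests fuser stat()ing /proc/PID/fd targets is the trigger, though that is inferred here rather than shown. I would replace the second paragraph with `##	Added for PCMCIA cardmgr, presumably because fuser stat()s /proc/PID/fd targets; it only suppresses the audit record, grants nothing, and should be narrowed once the triggering denial is confirmed.`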
diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te
index 1e14ca7..8a7849b 100644
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ b/refpolicy/policy/modules/system/pcmcia.te
@@ -63,8 +63,11 @@ corecmd_exec_sbin(cardmgr_t)
 
 domain_use_wide_inherit_fd(cardmgr_t)
 domain_exec_all_entry_files(cardmgr_t)
+# Read /proc/PID directories for all domains (for fuser).
+domain_read_all_domains_state(cardmgr_t)
 # cjp: these look excessive:
 domain_dontaudit_getattr_all_unnamed_pipes(cardmgr_t)
+domain_dontaudit_getattr_all_sockets(cardmgr_t)
 
 files_search_home(cardmgr_t)
 files_read_etc_runtime_files(cardmgr_t)
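Review bot: `domain_read_all_domains_state(cardmgr_t)` stands in for the removed `can_ps(cardmgr_t, domain)`, but nothing in this hunk shows the two grant the same permission set; if the new interface allows reading every file under /proc/PID for all domains, cardmgr gains cmdline, environ and maps of every process, which is wider than the fd scan fuser needs. That should be checked against the interface body in domain.if, which is not in this diff, before the old rule is considered equivalent. I would also make the carried-over comment say what it replaces and why: `# Read /proc/PID state of all domains so fuser can scan open fds (replaces can_ps).`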
@@ -126,12 +129,7 @@ allow cardmgr_t var_lib_t:file { getattr read };
 # Create device files in /tmp.
 file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file })
 
-# Read /proc/PID directories for all domains (for fuser).
-can_ps(cardmgr_t, domain)
-
 dontaudit cardmgr_t ptyfile:chr_file getattr;
-# cjp: these look excessive:
-dontaudit cardmgr_t domain:socket_class_set getattr;
 
 # this goes to apm
 optional_policy(`pcmcia.te',`
diff --git a/refpolicy/policy/support/obj_perm_sets.spt b/refpolicy/policy/support/obj_perm_sets.spt
index b497af1..98a97d6 100644
--- a/refpolicy/policy/support/obj_perm_sets.spt
+++ b/refpolicy/policy/support/obj_perm_sets.spt
@@ -200,3 +200,26 @@ define(`create_shm_perms', `{ associate getattr setattr create destroy read writ
 # Use (read and write) terminals
 #
 define(`rw_term_perms', `{ getattr read write ioctl }')
+
+########################################
+#
+# Expand object class set macros.
+#
+# gen_require_set(permissions,object_class_set)
+#
+# the statement:
+#   gen_require_set({ getattr read },{ foo bar tar })
+#
+# makes:
+#   class foo { getattr read };
+#   class bar { getattr read };
+#   class tar { getattr read };
+#
+# !! This is only used in require blocks. !!
+
+define(`gen_require_set',`
+ifelse(regexp($2, `\w'), -1, `', `dnl
+class regexp($2, `\(\w+\)', `\1') $1;
+gen_require_set($1, regexp($2, `\w+\(.*\)', `\1'))dnl
+') dnl
+')

