[selinux-policy: 507/3172] fix typos and import some rules from NSA cvs to make targeted policy work

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:48:27 UTC 2010


commit 689f6ddb3589de804c1d1d91621d3918e37ee106
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Jul 20 14:25:24 2005 +0000

    fix typos and import some rules from NSA cvs to make targeted policy work

 refpolicy/policy/modules/services/nscd.if     |   20 ++++++++++++++++++++
 refpolicy/policy/modules/services/nscd.te     |    2 +-
 refpolicy/policy/modules/system/authlogin.te  |    2 ++
 refpolicy/policy/modules/system/modutils.te   |    2 +-
 refpolicy/policy/modules/system/sysnetwork.te |    3 ++-
 5 files changed, 26 insertions(+), 3 deletions(-)
---
diff --git a/refpolicy/policy/modules/services/nscd.if b/refpolicy/policy/modules/services/nscd.if
index 4c858a8..d53878a 100644
--- a/refpolicy/policy/modules/services/nscd.if
+++ b/refpolicy/policy/modules/services/nscd.if
@@ -97,6 +97,26 @@ interface(`nscd_use_shared_mem',`
 
 ########################################
 ## <summary>
+##	Read NSCD pid file.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`nscd_read_pid',`
+	gen_require(`
+		type nscd_var_run_t;
+		class dir search;
+		class file { getattr read };
+	')
+
+	files_search_pids($1)
+	allow $1 nscd_var_run_t:dir search;
+	allow $1 nscd_var_run_t:file { getattr read };
+')
+
+########################################
+## <summary>
 ##	Unconfined access to NSCD services.
 ## </summary>
 ## <param name="domain">
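Review bot: The summary on `nscd_read_pid` says "Read NSCD pid file", but the two allow rules grant `getattr read` on every regular file labelled `nscd_var_run_t`, so the documentation should describe the grant by type, not by one file. I would word the summary `##	Read NSCD runtime files (nscd_var_run_t), including the pid file.` so that a caller can judge what it is handing out. The grant itself is narrow (dir `search`, file `getattr read`, nothing on `sock_file`) and should stay that way. The hunk ends inside the doc header of the following interface.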
diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te
index 4b04a58..792d14a 100644
--- a/refpolicy/policy/modules/services/nscd.te
+++ b/refpolicy/policy/modules/services/nscd.te
@@ -37,7 +37,7 @@ allow nscd_t self:nscd { admin getstat };
 
 allow nscd_t nscd_var_run_t:file create_file_perms;
 allow nscd_t nscd_var_run_t:sock_file create_file_perms;
-files_create_pid(nscd_t,nscd_var_run_t,{ file sock_file})
+files_create_pid(nscd_t,nscd_var_run_t,{ file sock_file })
 
 kernel_read_kernel_sysctl(nscd_t)
 kernel_list_proc(nscd_t)
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 29f071a..bbab98b 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -181,6 +181,8 @@ domain_use_wide_inherit_fd(pam_console_t)
 files_read_etc_files(pam_console_t)
 files_search_pids(pam_console_t)
 files_list_mnt(pam_console_t)
+# read /etc/mtab
+files_read_etc_runtime_files(pam_console_t)
 
 init_use_fd(pam_console_t)
 init_use_script_pty(pam_console_t)
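Review bot: The comment `# read /etc/mtab` names one file, while `files_read_etc_runtime_files(pam_console_t)` is a type-wide grant. Going by the interface name it covers every file carrying the etc runtime type, which cannot be confirmed from this hunk. A more accurate comment would be `# read /etc/mtab (grants read on all etc runtime files)`, so a later reader does not mistake the rule for a single-file permission.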
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index 7c99985..1196611 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -107,7 +107,7 @@ ifdef(`hide_broken_symptoms',`
 	dev_dontaudit_rw_cardmgr(insmod_t)
 ')
 
-ifdef(`tunable_policy',`
+ifdef(`targeted_policy',`
 	unconfined_domain_template(insmod_t)
 ')
 
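Review bot: The corrected condition ties `unconfined_domain_template(insmod_t)` to targeted builds, and nothing in the block says why the module-loading domain is left unconfined there. A one-line comment above the `ifdef`, for example `# targeted policy: insmod_t is deliberately unconfined`, would record that this is intended and not a leftover, with the wording confirmed by the author. Whether the confinement rules written for insmod_t earlier in modutils.te are still meant to apply under targeted policy cannot be told from the hunk, since the rest of the file is outside it.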
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 31b6588..5dbd0f1 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -56,7 +56,7 @@ allow dhcpc_t dhcp_etc_t:dir r_dir_perms;
 allow dhcpc_t dhcp_etc_t:lnk_file r_file_perms;
 allow dhcpc_t dhcp_etc_t:file { r_file_perms execute execute_no_trans };
 
-allow dhcpc_t dhcpc_state_t:dir rw_dir_perms;
+allow dhcpc_t dhcp_state_t:dir rw_dir_perms;
 allow dhcpc_t dhcpc_state_t:file create_file_perms;
 type_transition dhcpc_t dhcp_state_t:file dhcpc_state_t;
 
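Review bot: The corrected rule gives dhcpc_t `rw_dir_perms` on `dhcp_state_t`, a type whose name differs from `dhcpc_state_t` on the next line by one letter, and the removed line shows how easily the two are confused. A comment above the three rules would make the intent checkable, for example `# state files are created in the dhcp_state_t directory and transition to dhcpc_state_t`, which is what the `type_transition` line states. Judging by its name the directory type is not private to dhcpc_t (to be confirmed), so it is worth checking that `rw_dir_perms` is no more than the client needs there. It is also worth checking that no directory labelled `dhcpc_state_t` still depends on the access this line used to grant.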
@@ -181,6 +181,7 @@ optional_policy(`nis.te',`
 
 optional_policy(`nscd.te',`
 	nscd_domtrans(dhcpc_t)
+	nscd_read_pid(dhcpc_t)
 ')
 
 optional_policy(`ntpd.te',`

