[selinux-policy: 625/3172] misc fixes

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:58:40 UTC 2010


commit 603f90ab9dcde999aaf3a4cf2eb92e013b276544
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Sep 5 18:17:17 2005 +0000

    misc fixes

 refpolicy/policy/modules/admin/acct.te        |    1 +
 refpolicy/policy/modules/kernel/bootloader.te |    6 +++---
 refpolicy/policy/modules/services/hal.te      |    5 +++++
 refpolicy/policy/modules/services/mysql.te    |    1 +
 refpolicy/policy/modules/system/authlogin.if  |   24 +++++++++++++++++++++---
 refpolicy/policy/modules/system/authlogin.te  |   15 +++++++++++----
 refpolicy/policy/modules/system/files.if      |   18 ++++++++++++++++++
 refpolicy/policy/modules/system/getty.te      |    1 +
 refpolicy/policy/modules/system/init.te       |    3 +--
 refpolicy/policy/modules/system/logging.te    |    4 ++--
 refpolicy/policy/modules/system/pcmcia.te     |    5 -----
 refpolicy/policy/modules/system/userdomain.if |    3 ++-
 12 files changed, 66 insertions(+), 20 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/acct.te b/refpolicy/policy/modules/admin/acct.te
index 5696994..f966524 100644
--- a/refpolicy/policy/modules/admin/acct.te
+++ b/refpolicy/policy/modules/admin/acct.te
@@ -52,6 +52,7 @@ domain_use_wide_inherit_fd(acct_t)
 
 files_read_etc_files(acct_t)
 files_read_etc_runtime_files(acct_t)
+files_list_usr(acct_t)
 # for nscd
 files_dontaudit_search_pids(acct_t)
 
diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index 08aa301..5b96691 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -66,9 +66,9 @@ allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin
 allow bootloader_t self:process { sigkill sigstop signull signal };
 allow bootloader_t self:fifo_file { getattr read write };
 
-allow bootloader_t boot_t:dir ra_dir_perms;
-allow bootloader_t boot_t:file { rw_file_perms create };
-allow bootloader_t boot_t:lnk_file { r_file_perms create unlink };
+allow bootloader_t boot_t:dir rw_dir_perms;
+allow bootloader_t boot_t:file create_file_perms;
+allow bootloader_t boot_t:lnk_file create_lnk_perms;
 
 allow bootloader_t bootloader_etc_t:file r_file_perms;
 # uncomment the following lines if you use "lilo -p"
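Review bot: The three rewritten rules on the new side widen bootloader_t's access on boot_t from read/write/create to the full create_*_perms sets (which, as the refpolicy permission macros are normally defined, add unlink, rename, setattr and link on files and remove_name on the directory), and nothing in the hunk says which bootloader operation needed the extra permissions. Since boot_t labels the kernel and initrd images, a one-line justification keeps the next reviewer from narrowing it back; suggest `# bootloader must replace/rename kernel and initrd images in /boot` above the rules. If only creating new files was the goal, the previous rules already carried `create` and the widening could be reverted. The exact permission sets come from the obj_perm_sets macros, which are not in this hunk.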
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 9b2e9eb..7217d1f 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -116,6 +116,11 @@ optional_policy(`nscd.te',`
 	nscd_use_socket(hald_t)
 ')
 
+optional_policy(`pcmcia.te',`
+	pcmcia_manage_pid(hald_t)
+	pcmcia_manage_runtime_chr(hald_t)
+')
+
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(hald_t)
 ')
diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te
index d8b8374..4830cf0 100644
--- a/refpolicy/policy/modules/services/mysql.te
+++ b/refpolicy/policy/modules/services/mysql.te
@@ -14,6 +14,7 @@ type mysqld_var_run_t;
 files_pid_file(mysqld_var_run_t)
 
 type mysqld_db_t;
+files_type(mysqld_db_t)
 
 type mysqld_etc_t alias etc_mysqld_t;
 files_type(mysqld_etc_t)
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 7635bb1..e05857b 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -73,8 +73,6 @@ template(`authlogin_per_userdomain_template',`
 
 	seutil_read_config($1_chkpwd_t)
 
-	#can_ldap($1_chkpwd_t)
-
 	# Transition from the user domain to this domain.
 	domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
 
@@ -104,6 +102,17 @@ template(`authlogin_per_userdomain_template',`
 		kerberos_use($1_chkpwd_t)
 	')
 
+	optional_policy(`ldap.te',`
+		allow $1_chkpwd_t self:tcp_socket create_socket_perms;
+		corenet_tcp_sendrecv_all_if($1_chkpwd_t)
+		corenet_raw_sendrecv_all_if($1_chkpwd_t)
+		corenet_tcp_sendrecv_all_nodes($1_chkpwd_t)
+		corenet_raw_sendrecv_all_nodes($1_chkpwd_t)
+		corenet_tcp_sendrecv_ldap_port($1_chkpwd_t)
+		corenet_tcp_bind_all_nodes($1_chkpwd_t)
+		sysnet_read_config($1_chkpwd_t)
+	')
+
 	optional_policy(`nis.te',`
 		nis_use_ypbind($1_chkpwd_t)
 	')
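Review bot: The eight-line LDAP network block added here is gated on `optional_policy(`ldap.te'` but calls only corenet_* and sysnet_* interfaces, so the rules do not actually depend on the ldap module being present, and the same block is pasted verbatim again later in this file and in authlogin.te. Factoring it into one interface in the module that owns the concept, with a doc comment such as `## Allow the domain to act as an LDAP client for pam_ldap/nss_ldap lookups`, would keep the three copies from drifting. The ldap.te gate is presumably meant to express "only when LDAP authentication is in use", but optional_policy tests module presence rather than configuration; if this tree has tunables, a tunable would be the more accurate switch. authlogin_per_userdomain_template continues outside this hunk.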
@@ -243,7 +252,16 @@ interface(`auth_domtrans_chk_passwd',`
 		kerberos_use($1)
 	')
 
-	#can_ldap($1)
+	optional_policy(`ldap.te',`
+		allow $1 self:tcp_socket create_socket_perms;
+		corenet_tcp_sendrecv_all_if($1)
+		corenet_raw_sendrecv_all_if($1)
+		corenet_tcp_sendrecv_all_nodes($1)
+		corenet_raw_sendrecv_all_nodes($1)
+		corenet_tcp_sendrecv_ldap_port($1)
+		corenet_tcp_bind_all_nodes($1)
+		sysnet_read_config($1)
+	')
 
 	optional_policy(`nis.te',`
 		nis_use_ypbind($1)
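Review bot: `corenet_raw_sendrecv_all_if($1)` and `corenet_raw_sendrecv_all_nodes($1)` grant raw-IP send/receive to every domain that calls auth_domtrans_chk_passwd, yet the block adds only `self:tcp_socket create_socket_perms` and no rawip_socket creation, so as far as this hunk shows the two raw lines are either dead or a placeholder for a wider grant. LDAP runs over TCP, so unless some caller is known to need raw traffic, drop the two raw lines and keep the grant to the TCP path. If they are intentional, a comment naming the consumer, e.g. `# raw sockets: required by <caller> for <reason>`, would stop the next cleanup from removing them. auth_domtrans_chk_passwd continues outside this hunk.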
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index f804998..d0f55e4 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -287,6 +287,17 @@ optional_policy(`kerberos.te',`
 	kerberos_use(system_chkpwd_t)
 ')
 
+optional_policy(`ldap.te',`
+	allow system_chkpwd_t self:tcp_socket create_socket_perms;
+	corenet_tcp_sendrecv_all_if(system_chkpwd_t)
+	corenet_raw_sendrecv_all_if(system_chkpwd_t)
+	corenet_tcp_sendrecv_all_nodes(system_chkpwd_t)
+	corenet_raw_sendrecv_all_nodes(system_chkpwd_t)
+	corenet_tcp_sendrecv_ldap_port(system_chkpwd_t)
+	corenet_tcp_bind_all_nodes(system_chkpwd_t)
+	sysnet_read_config(system_chkpwd_t)
+')
+
 optional_policy(`nis.te',`
 	nis_use_ypbind(system_chkpwd_t)
 ')
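Review bot: `corenet_tcp_bind_all_nodes(system_chkpwd_t)` lets the password checker bind a TCP socket to any node address, which is normally a listener-side permission; an LDAP client only needs to connect, and the block ties system_chkpwd_t to the ldap port only through `corenet_tcp_sendrecv_ldap_port`. If this tree already has a `corenet_tcp_connect_ldap_port` interface, that is the tighter grant; if node_bind is genuinely required for outbound connections on the kernels this policy targets, record it, e.g. `# node_bind needed for outbound connect() here, not for listening`. The identical block appears twice in authlogin.if, so whichever change is chosen should be applied to all three copies.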
@@ -295,10 +306,6 @@ optional_policy(`nscd.te',`
 	nscd_use_socket(system_chkpwd_t)
 ')
 
-ifdef(`TODO',`
-can_ldap(system_chkpwd_t)
-') dnl end TODO
-
 ########################################
 #
 # Utempter local policy
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index dc7a989..2aa0a18 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -1610,6 +1610,24 @@ interface(`files_search_usr',`
 
 ########################################
 ## <summary>
+##	List the contents of generic
+##	directories in /usr.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_list_usr',`
+	gen_require(`
+		type usr_t;
+		class dir r_dir_perms;
+	')
+
+	allow $1 usr_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Get the attributes of files in /usr.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te
index 8aaa31a..3956bc6 100644
--- a/refpolicy/policy/modules/system/getty.te
+++ b/refpolicy/policy/modules/system/getty.te
@@ -13,6 +13,7 @@ domain_wide_inherit_fd(getty_t)
 
 type getty_etc_t;
 typealias getty_etc_t alias etc_getty_t;
+files_type(getty_etc_t)
 
 type getty_log_t;
 logging_log_file(getty_log_t)
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index a55cd76..1a7e128 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -48,9 +48,8 @@ type initrc_exec_t;
 domain_entry_file(initrc_t,initrc_exec_t)
 
 type initrc_devpts_t;
-fs_associate(initrc_devpts_t)
-fs_associate_noxattr(initrc_devpts_t)
 term_pty(initrc_devpts_t)
+files_type(initrc_devpts_t)
 
 type initrc_var_run_t;
 files_pid_file(initrc_var_run_t)
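Review bot: The new side drops both fs_associate rules for initrc_devpts_t and adds only files_type(), and nothing in the hunk records why the associate permissions are no longer needed. If term_pty(initrc_devpts_t) already supplies the devpts association (that interface is not visible here), a comment on the declaration such as `# devpts association is provided by term_pty()` would document it; if it does not, ptys created by init scripts may be denied at labeling time after this change. Worth confirming with a boot in enforcing mode before merging.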
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index ee7a5ad..5de1e2c 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -54,8 +54,7 @@ dontaudit auditd_t self:capability sys_tty_config;
 allow auditd_t self:process { signal_perms setsched };
 allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write };
 
-allow auditd_t var_log_t:dir search;
-allow auditd_t auditd_log_t:dir rw_dir_perms;
+allow auditd_t var_log_t:dir rw_dir_perms;
 allow auditd_t auditd_log_t:file create_file_perms;
 
 allow auditd_t auditd_var_run_t:file create_file_perms;
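Review bot: The rewritten rule grants auditd_t rw_dir_perms on the generic var_log_t directory and drops the auditd_log_t:dir rule, so auditd can now add and remove entries anywhere under /var/log, while the retained `allow auditd_t auditd_log_t:file create_file_perms;` only helps if files auditd creates there receive auditd_log_t through a type transition that this hunk does not show. If the audit log lives in its own auditd_log_t-labelled directory, the removed dir rule is still needed and the widening on var_log_t buys nothing. Prefer keeping `allow auditd_t var_log_t:dir search;` together with `allow auditd_t auditd_log_t:dir rw_dir_perms;`, or add a comment stating which path requires write access to /var/log itself and the matching file transition.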
@@ -78,6 +77,7 @@ init_use_script_pty(auditd_t)
 domain_use_wide_inherit_fd(auditd_t)
 
 files_read_etc_files(auditd_t)
+files_list_usr(auditd_t)
 
 logging_send_syslog_msg(auditd_t)
 
diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te
index 025c886..59430db 100644
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ b/refpolicy/policy/modules/system/pcmcia.te
@@ -148,11 +148,6 @@ optional_policy(`pcmcia.te',`
 	pcmcia_domtrans_cardctl(apmd_t)
 ')
 
-# this goes to hald
-optional_policy(`pcmcia.te',`
-	pcmcia_manage_pid(hald_t)
-	pcmcia_manage_runtime_chr(hald_t)
-')
 optional_policy(`rhgb.te',`
 	rhgb_domain(cardmgr_t)
 ')
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 2a8d5b4..939929e 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -35,6 +35,7 @@ template(`base_user_template',`
 	# user pseudoterminal
 	type $1_devpts_t;
 	term_user_pty($1_t,$1_devpts_t)
+	files_type($1_devpts_t)
 
 	# type for contents of home directory
 	type $1_home_t, $1_file_type, home_type;
@@ -42,7 +43,7 @@ template(`base_user_template',`
 
 	# type of home directory
 	type $1_home_dir_t, home_dir_type, home_type;
-	files_type($1_home_t)
+	files_type($1_home_dir_t)
 
 	type $1_tmp_t, $1_file_type;
 	files_tmp_file($1_tmp_t)

