[selinux-policy: 681/3172] loadable module compile fixes

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:03:47 UTC 2010


commit 25c6746156fc5fce821e4084e060f3871d4cb8b2
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Sep 21 20:01:40 2005 +0000

    loadable module compile fixes

 refpolicy/policy/modules/admin/netutils.te      |    6 +--
 refpolicy/policy/modules/kernel/kernel.if       |    2 +-
 refpolicy/policy/modules/kernel/storage.if      |   37 +++++++++---------
 refpolicy/policy/modules/services/cron.te       |    4 ++
 refpolicy/policy/modules/services/nscd.if       |    2 +
 refpolicy/policy/modules/services/postgresql.te |    7 +--
 refpolicy/policy/modules/services/samba.te      |    4 +-
 refpolicy/policy/modules/services/ssh.if        |   24 ++++++-----
 refpolicy/policy/modules/system/init.if         |    5 +-
 refpolicy/policy/modules/system/sysnetwork.te   |    2 +-
 refpolicy/policy/support/loadable_module.spt    |   46 ++++++++++++----------
 11 files changed, 73 insertions(+), 66 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index b6ce0ea..50e55de 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -147,10 +147,8 @@ optional_policy(`pcmcia.te',`
 	pcmcia_use_cardmgr_fd(ping_t)
 ')
 
-optional_policy(`sysnetwork.te',`
-	optional_policy(`hotplug.te',`
-		hotplug_use_fd(ping_t)
-	')
+optional_policy(`hotplug.te',`
+	hotplug_use_fd(ping_t)
 ')
 
 ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 39193e7..06b32a1 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -1396,7 +1396,7 @@ interface(`kernel_relabel_unlabeled',`
 #
 interface(`kernel_unconfined',`
 	gen_require(`
-		type kernel_t, unlabeled_t;
+		type kernel_t, unlabeled_t, sysctl_t;
 		attribute proc_type, sysctl_type;
 		attribute kern_unconfined;
 		attribute can_load_kernmodule, can_receive_kernel_messages;
diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if
index 63a82db..5062aac 100644
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@@ -76,25 +76,6 @@ interface(`storage_dontaudit_setattr_fixed_disk',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts made by the caller to read
-##	fixed disk device nodes.
-## </summary>
-## <param name="domain">
-##	The type of the process to not audit.
-## </param>
-#
-interface(`storage_dontaudit_read_fixed_disk',`
-	gen_require(`
-		type removable_device_t;
-		class blk_file { getattr ioctl read };
-		
-	')
-
-	dontaudit $1 fixed_disk_device_t:blk_file { getattr ioctl read };
-')
-
-########################################
-## <summary>
 ##	Allow the caller to directly read from a fixed disk.
 ##	This is extremly dangerous as it can bypass the
 ##	SELinux protections for filesystem objects, and
@@ -118,6 +99,24 @@ interface(`storage_raw_read_fixed_disk',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts made by the caller to read
+##	fixed disk device nodes.
+## </summary>
+## <param name="domain">
+##	The type of the process to not audit.
+## </param>
+#
+interface(`storage_dontaudit_read_fixed_disk',`
+	gen_require(`
+		type fixed_disk_device_t;
+		
+	')
+
+	dontaudit $1 fixed_disk_device_t:blk_file { getattr ioctl read };
+')
+
+########################################
+## <summary>
 ##	Allow the caller to directly write to a fixed disk.
 ##	This is extremly dangerous as it can bypass the
 ##	SELinux protections for filesystem objects, and
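Review bot: The rebuilt require block in the middle of the hunk keeps a whitespace-only line between `type fixed_disk_device_t;` and `')`; drop it so the block is just the type line. The interface summary should also say what this dontaudit hides: the neighbouring storage_raw_read_fixed_disk summary calls raw reads of fixed disks dangerous because they bypass the SELinux protections for filesystem objects, and this interface suppresses the only audit record of a domain attempting exactly that access. Suggested addition to the summary: `Use only for domains known to probe the device nodes harmlessly; denied raw reads of fixed disks will no longer appear in the audit log.`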
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 214eb03..dc4f7ba 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -1,6 +1,10 @@
 
 policy_module(cron, 1.0)
 
+gen_require(`
+	class passwd rootok;
+')
+
 ########################################
 #
 # Declarations
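Review bot: The new file-level gen_require for `class passwd rootok;` carries no comment saying which rule in the module needs it, and the rule that consumes it is outside this hunk, so a reader has to search the whole module to learn why cron depends on this class. A one-line comment above the block would fix that, hedged to whatever the consuming rule turns out to be, e.g. `# passwd:rootok is needed by a rule further down (presumably the crontab domain) — keep in sync with that rule`.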
diff --git a/refpolicy/policy/modules/services/nscd.if b/refpolicy/policy/modules/services/nscd.if
index 26740c9..aa0b51d 100644
--- a/refpolicy/policy/modules/services/nscd.if
+++ b/refpolicy/policy/modules/services/nscd.if
@@ -34,6 +34,7 @@ interface(`nscd_domtrans',`
 interface(`nscd_use_socket',`
 	gen_require(`
 		type nscd_t, nscd_var_run_t;
+		class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
 	')
 
 	allow $1 self:unix_stream_socket create_socket_perms;
@@ -61,6 +62,7 @@ interface(`nscd_use_socket',`
 interface(`nscd_use_shared_mem',`
 	gen_require(`
 		type nscd_t, nscd_var_run_t;
+		class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
 	')
 
 	allow $1 nscd_var_run_t:dir r_dir_perms;
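Review bot: Both require blocks now pull in the full permission set `{ getpwd getgrp gethost shmempwd shmemgrp shmemhost }`, although each interface probably exercises only part of it — the socket interface the lookup permissions and the shared-memory interface the shmem* ones. The allow rules that use these permissions lie below the hunks, so this is inferred; if they confirm it, require only the subset each interface uses, e.g. `class nscd { getpwd getgrp gethost };` in nscd_use_socket and `class nscd { shmempwd shmemgrp shmemhost };` in nscd_use_shared_mem, so callers do not inherit a dependency they never exercise. Both interface bodies continue outside the hunks.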
diff --git a/refpolicy/policy/modules/services/postgresql.te b/refpolicy/policy/modules/services/postgresql.te
index 40823d6..66a5b7c 100644
--- a/refpolicy/policy/modules/services/postgresql.te
+++ b/refpolicy/policy/modules/services/postgresql.te
@@ -175,10 +175,6 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(postgresql_t)
 ')
 
-optional_policy(`rhgb.te',`
-	rhgb_domain(postgresql_t)
-')
-
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(postgresql_t)
 ')
@@ -188,6 +184,9 @@ optional_policy(`udev.te', `
 ')
 
 ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+	rhgb_domain(postgresql_t)
+')
 ifdef(`targeted_policy', `', `
 bool allow_user_postgresql_connect false;
 
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index b73bd1d..7aabe1c 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -16,8 +16,8 @@ files_pid_file(nmbd_var_run_t)
 type samba_etc_t; #, usercanread;
 files_type(samba_etc_t)
 
-type samba_log_t, logfile;
-files_type(samba_log_t)
+type samba_log_t;
+logging_log_file(samba_log_t)
 
 type samba_net_t;
 domain_type(samba_net_t)
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index ca7b37e..d7287e8 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -480,22 +480,24 @@ template(`ssh_server_template', `
 		fs_read_cifs_files($1_t)
 	')
 
-	optional_policy(`inetd.te',`
-		tunable_policy(`run_ssh_inetd',`
-			allow $1_t self:process signal;
-			files_list_pids($1_t)
-		',`
-			corenet_tcp_bind_ssh_port($1_t)
-			init_use_fd($1_t)
-			init_use_script_pty($1_t)
-		')
-	',`
+	# cjp: commenting out until typeattribute works in conditional
+	# and require block in optional else is resolved
+	#optional_policy(`inetd.te',`
+	#	tunable_policy(`run_ssh_inetd',`
+	#		allow $1_t self:process signal;
+	#		files_list_pids($1_t)
+	#	',`
+	#		corenet_tcp_bind_ssh_port($1_t)
+	#		init_use_fd($1_t)
+	#		init_use_script_pty($1_t)
+	#	')
+	#',`
 		# These rules should match the else block
 		# of the run_ssh_inetd tunable directly above
 		corenet_tcp_bind_ssh_port($1_t)
 		init_use_fd($1_t)
 		init_use_script_pty($1_t)
-	')
+	#')
 
 	optional_policy(`kerberos.te',`
 		kerberos_use($1_t)
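Review bot: With the inetd block commented out, the retained comment `# These rules should match the else block of the run_ssh_inetd tunable directly above` now points at dead text, and nothing tells a reader that run_ssh_inetd is currently ignored by this template: the bind-to-ssh-port and init fd/pty rules are granted unconditionally. Replace that comment with one describing the actual state, e.g. `# FIXME: run_ssh_inetd is currently ignored (inetd block above is commented out); these non-inetd rules are always granted until typeattribute-in-conditional and require-in-optional-else are resolved`, and state that the two copies must be kept in sync when the block is restored. ssh_server_template continues on both sides of the hunk.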
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index f4d943d..f1f0d9f 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -592,11 +592,10 @@ interface(`init_dontaudit_use_script_pty',`
 #
 interface(`init_rw_script_tmp_files',`
 	gen_require(`
-		type initrc_var_run_t;
-		class file rw_file_perms;
+		type initrc_tmp_t;
 	')
 
-	# FIXME: read tmp_t dir
+	files_search_tmp($1)
 	allow $1 initrc_tmp_t:file rw_file_perms;
 ')
 
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 9ea6f3f..4790442 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -140,7 +140,7 @@ miscfiles_read_localization(dhcpc_t)
 
 modutils_domtrans_insmod(dhcpc_t)
 
-userdom_dontaudit_search_staff_home_dir(sysadm_t)
+userdom_dontaudit_search_staff_home_dir(dhcpc_t)
 
 ifdef(`distro_redhat', `
 	files_exec_etc_files(dhcpc_t)
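Review bot: The corrected `userdom_dontaudit_search_staff_home_dir(dhcpc_t)` has no comment explaining why a DHCP client would search staff home directories, so the next reader may take it for another copy/paste slip like the sysadm_t one it replaces. Add a short why-comment above it, hedged if the cause is not certain, e.g. `# dhcpc may be started with a staff home directory as cwd; quiet the harmless search denial — TODO confirm`.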
diff --git a/refpolicy/policy/support/loadable_module.spt b/refpolicy/policy/support/loadable_module.spt
index 244acc0..d5e6194 100644
--- a/refpolicy/policy/support/loadable_module.spt
+++ b/refpolicy/policy/support/loadable_module.spt
@@ -106,31 +106,31 @@ define(`dflt_or_overr',`ifdef(`$1',$1,$2)')
 
 ##############################
 #
+# Extract booleans out of an expression.
+# This needs to be reworked so expressions
+# with parentheses can work.
+
+define(`delcare_required_symbols',`
+ifelse(regexp($1, `\w'), -1, `', `dnl
+bool regexp($1, `\(\w+\)', `\1');
+delcare_required_symbols(regexp($1, `\w+\(.*\)', `\1'))dnl
+') dnl
+')
+
+##############################
+#
 # Tunable declaration
 #
 define(`gen_tunable',`
-	ifdef(`in_gen_require_block',`
-		ifdef(`self_contained_policy',`
-			bool $1;
-		',`
-			# loadable module tunable
-			# require will go here
-			# instead of bool when
-			# loadable modules support
-			# tunables
-			bool $1;
-		')
+	ifdef(`self_contained_policy',`
+		bool $1 dflt_or_overr(`$1'_conf,$2);
 	',`
-		ifdef(`self_contained_policy',`
-			bool $1 dflt_or_overr(`$1'_conf,$2);
-		',`
-			# loadable module tunable
-			# declaration will go here
-			# instead of bool when
-			# loadable modules support
-			# tunables
-			bool $1 dflt_or_overr(`$1'_conf,$2);
-		')
+		# loadable module tunable
+		# declaration will go here
+		# instead of bool when
+		# loadable modules support
+		# tunables
+		bool $1 dflt_or_overr(`$1'_conf,$2);
 	')
 ')
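Review bot: The new helper macro is named `delcare_required_symbols` — a transposition of "declare" — in its define, in its recursive self-call, and at the call site added in tunable_policy in the next hunk; once other support files and modules start using it the typo becomes permanent API. Rename it to `declare_required_symbols` in all three places now, while there is a single user. The header comment above the macro should also state the contract it relies on: every word token in `$1` is emitted as a `bool` require, so the expression passed in must consist solely of boolean names and operators; the existing note about parentheses needing rework belongs with that statement.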
 
@@ -150,6 +150,10 @@ define(`tunable_policy',`
 		# will go here instead of a
 		# conditional when loadable
 		# modules support tunables
+		gen_require(`
+			delcare_required_symbols(`$1')
+		')
+
 		if (`$1') {
 			$2
 		} else {

