[selinux-policy: 695/3172] fixes from sediff
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:04:59 UTC 2010
commit 681c9a02e7622cffe87e95f05e1f74d2b71608c1
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Thu Sep 22 21:59:50 2005 +0000
fixes from sediff
refpolicy/Changelog | 2 +
refpolicy/policy/modules/admin/consoletype.te | 1 +
refpolicy/policy/modules/kernel/bootloader.if | 17 ++++++++++-
refpolicy/policy/modules/kernel/bootloader.te | 2 +
refpolicy/policy/modules/services/comsat.te | 11 ++++--
refpolicy/policy/modules/services/cron.if | 2 +-
refpolicy/policy/modules/services/cron.te | 7 ++--
refpolicy/policy/modules/services/dhcp.te | 1 +
refpolicy/policy/modules/system/lvm.te | 3 ++
refpolicy/policy/modules/system/modutils.te | 1 +
refpolicy/policy/modules/system/pcmcia.te | 12 ++++----
refpolicy/policy/modules/system/selinuxutil.te | 1 +
refpolicy/policy/modules/system/sysnetwork.if | 36 ++++++++++-------------
refpolicy/policy/modules/system/sysnetwork.te | 6 ++--
14 files changed, 64 insertions(+), 38 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index c229d0c..1e97afa 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,5 @@
+- Fix errors uncovered by sediff.
+
* Thu Sep 22 2005 Chris PeBenito <selinux at tresys.com> - 20050922
- Make logrotate, sendmail, sshd, and rpm policies
unconfined in the targeted policy so no special
diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index 016682c..209d29c 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -49,6 +49,7 @@ init_use_script_fd(consoletype_t)
domain_use_wide_inherit_fd(consoletype_t)
files_dontaudit_read_root_file(consoletype_t)
+files_list_usr(consoletype_t)
libs_use_ld_so(consoletype_t)
libs_use_shared_libs(consoletype_t)
diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if
index 472a313..8b2a7c6 100644
--- a/refpolicy/policy/modules/kernel/bootloader.if
+++ b/refpolicy/policy/modules/kernel/bootloader.if
@@ -297,6 +297,22 @@ interface(`bootloader_create_runtime_file',`
########################################
## <summary>
+## Search the contents of the kernel module directories.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`bootloader_search_kernel_modules',`
+ gen_require(`
+ type modules_object_t;
+ ')
+
+ allow $1 modules_object_t:dir search;
+')
+
+########################################
+## <summary>
## List the contents of the kernel module directories.
## </summary>
## <param name="domain">
@@ -306,7 +322,6 @@ interface(`bootloader_create_runtime_file',`
interface(`bootloader_list_kernel_modules',`
gen_require(`
type modules_object_t;
- class dir r_dir_perms;
')
allow $1 modules_object_t:dir r_dir_perms;
diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index dfc6cde..5914abe 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -120,6 +120,7 @@ domain_exec_all_entry_files(bootloader_t)
domain_use_wide_inherit_fd(bootloader_t)
files_read_etc_files(bootloader_t)
+files_exec_etc_files(bootloader_t)
files_read_etc_runtime_files(bootloader_t)
files_read_usr_src_files(bootloader_t)
files_read_usr_files(bootloader_t)
@@ -135,6 +136,7 @@ init_rw_script_pipe(bootloader_t)
libs_use_ld_so(bootloader_t)
libs_use_shared_libs(bootloader_t)
libs_read_lib(bootloader_t)
+libs_exec_lib_files(bootloader_t)
logging_send_syslog_msg(bootloader_t)
logging_rw_generic_logs(bootloader_t)
diff --git a/refpolicy/policy/modules/services/comsat.te b/refpolicy/policy/modules/services/comsat.te
index 3d5f28e..cfdc353 100644
--- a/refpolicy/policy/modules/services/comsat.te
+++ b/refpolicy/policy/modules/services/comsat.te
@@ -28,7 +28,7 @@ allow comsat_t self:dir search;
allow comsat_t self:fifo_file rw_file_perms;
allow comsat_t self:{ lnk_file file } { getattr read };
allow comsat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow comsat_t self:tcp_socket create_stream_socket_perms;
+allow comsat_t self:tcp_socket connected_stream_socket_perms;
allow comsat_t comsat_tmp_t:dir create_dir_perms;
allow comsat_t comsat_tmp_t:file create_file_perms;
@@ -41,18 +41,21 @@ kernel_read_kernel_sysctl(comsat_t)
kernel_read_network_state(comsat_t)
kernel_read_system_state(comsat_t)
-corenet_raw_sendrecv_all_if(comsat_t)
corenet_tcp_sendrecv_all_if(comsat_t)
-corenet_raw_sendrecv_all_nodes(comsat_t)
+corenet_udp_sendrecv_all_if(comsat_t)
+corenet_raw_sendrecv_all_if(comsat_t)
corenet_tcp_sendrecv_all_nodes(comsat_t)
-corenet_tcp_bind_all_nodes(comsat_t)
+corenet_udp_sendrecv_all_nodes(comsat_t)
+corenet_raw_sendrecv_all_nodes(comsat_t)
corenet_tcp_sendrecv_all_ports(comsat_t)
+corenet_tcp_bind_all_nodes(comsat_t)
dev_read_urand(comsat_t)
fs_getattr_xattr_fs(comsat_t)
files_read_etc_files(comsat_t)
+files_list_usr(comsat_t)
files_search_spool(comsat_t)
files_search_home(comsat_t)
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index 6689e65..7c6c2b1 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -182,7 +182,7 @@ template(`cron_per_userdomain_template',`
allow $2 $1_crontab_t:process signal;
# Allow crond to read those crontabs in cron spool.
- allow crond_t $1_cron_spool_t:file r_file_perms;
+ allow crond_t $1_cron_spool_t:file create_file_perms;
# dac_override is to create the file in the directory under /tmp
allow $1_crontab_t self:capability { setuid setgid chown dac_override };
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index dc4f7ba..da38369 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -51,10 +51,10 @@ files_tmp_file(system_crond_tmp_t)
# Cron Local policy
#
-allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice };
+allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
dontaudit crond_t self:capability { sys_resource sys_tty_config };
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow crond_t self:process setexec;
+allow crond_t self:process { setexec setfscreate };
allow crond_t self:fd use;
allow crond_t self:fifo_file rw_file_perms;
allow crond_t self:unix_dgram_socket create_socket_perms;
@@ -73,7 +73,7 @@ allow crond_t crond_tmp_t:dir create_dir_perms;
allow crond_t crond_tmp_t:file create_file_perms;
files_create_tmp_files(crond_t, crond_tmp_t, { file dir })
-allow crond_t cron_spool_t:dir r_dir_perms;
+allow crond_t cron_spool_t:dir rw_dir_perms;
allow crond_t cron_spool_t:file r_file_perms;
allow crond_t system_cron_spool_t:dir r_dir_perms;
allow crond_t system_cron_spool_t:file r_file_perms;
@@ -104,6 +104,7 @@ domain_use_wide_inherit_fd(crond_t)
files_read_etc_files(crond_t)
files_read_generic_spools(crond_t)
+files_list_usr(crond_t)
# Read from /var/spool/cron.
files_search_var_lib(crond_t)
files_search_default(crond_t)
diff --git a/refpolicy/policy/modules/services/dhcp.te b/refpolicy/policy/modules/services/dhcp.te
index 0c483ca..62a990f 100644
--- a/refpolicy/policy/modules/services/dhcp.te
+++ b/refpolicy/policy/modules/services/dhcp.te
@@ -25,6 +25,7 @@ files_pid_file(dhcpd_var_run_t)
#
dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
+allow dhcpd_t self:process signal_perms;
allow dhcpd_t self:fifo_file { read write getattr };
allow dhcpd_t self:unix_dgram_socket create_socket_perms;
allow dhcpd_t self:unix_stream_socket create_socket_perms;
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index 2b34fa7..8e443cf 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -42,6 +42,7 @@ files_tmp_file(lvm_tmp_t)
#
dontaudit clvmd_t self:capability sys_tty_config;
+allow clvmd_t self:process signal_perms;
allow clvmd_t self:socket create_socket_perms;
allow clvmd_t self:fifo_file { read write };
allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
@@ -78,6 +79,8 @@ term_dontaudit_use_console(clvmd_t)
domain_use_wide_inherit_fd(clvmd_t)
+files_list_usr(clvmd_t)
+
init_use_fd(clvmd_t)
init_use_script_pty(clvmd_t)
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index cdf9e8b..9d40ca4 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -171,6 +171,7 @@ init_use_script_pty(depmod_t)
files_read_etc_runtime_files(depmod_t)
files_read_etc_files(depmod_t)
files_read_usr_src_files(depmod_t)
+files_list_usr(depmod_t)
libs_use_ld_so(depmod_t)
libs_use_shared_libs(depmod_t)
diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te
index 96f4d05..25aef61 100644
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ b/refpolicy/policy/modules/system/pcmcia.te
@@ -52,6 +52,8 @@ kernel_list_proc(cardmgr_t)
kernel_read_proc_symlinks(cardmgr_t)
kernel_dontaudit_getattr_message_if(cardmgr_t)
+bootloader_search_kernel_modules(cardmgr_t)
+
dev_read_sysfs(cardmgr_t)
dev_getattr_all_chr_files(cardmgr_t)
dev_getattr_all_blk_files(cardmgr_t)
@@ -79,6 +81,7 @@ domain_dontaudit_ptrace_confined_domains(cardmgr_t)
domain_dontaudit_getattr_all_unnamed_pipes(cardmgr_t)
domain_dontaudit_getattr_all_sockets(cardmgr_t)
+files_list_usr(cardmgr_t)
files_search_home(cardmgr_t)
files_read_etc_runtime_files(cardmgr_t)
files_exec_etc_files(cardmgr_t)
@@ -104,6 +107,8 @@ logging_send_syslog_msg(cardmgr_t)
miscfiles_read_localization(cardmgr_t)
+modutils_domtrans_insmod(cardmgr_t)
+
sysnet_domtrans_ifconfig(cardmgr_t)
# for /etc/resolv.conf
sysnet_create_config(cardmgr_t)
@@ -126,6 +131,7 @@ optional_policy(`sysnetwork.te',`
sysnet_domtrans_dhcpc(cardmgr_t)
sysnet_read_dhcpc_pid(cardmgr_t)
+ sysnet_delete_dhcpc_pid(cardmgr_t)
sysnet_kill_dhcpc(cardmgr_t)
sysnet_sigchld_dhcpc(cardmgr_t)
sysnet_signal_dhcpc(cardmgr_t)
@@ -138,12 +144,6 @@ optional_policy(`udev.te', `
')
ifdef(`TODO',`
-allow cardmgr_t modules_object_t:dir search;
-
-ifdef(`dhcpc.te',`
-allow cardmgr_t dhcpc_var_run_t:file unlink;
-')
-
# Create device files in /tmp.
# cjp: why is this created all over the place?
file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file })
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index ea798ea..2ef6a3c 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -125,6 +125,7 @@ term_use_console(checkpolicy_t)
domain_use_wide_inherit_fd(checkpolicy_t)
+files_list_usr(checkpolicy_t)
# directory search permissions for path to source and binary policy files
files_search_etc(checkpolicy_t)
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index 47293bb..5e3a4c8 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@@ -11,9 +11,6 @@
interface(`sysnet_domtrans_dhcpc',`
gen_require(`
type dhcpc_t, dhcpc_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
')
corecmd_search_sbin($1)
@@ -61,7 +58,6 @@ interface(`sysnet_run_dhcpc',`
interface(`sysnet_sigchld_dhcpc',`
gen_require(`
type dhcpc_t;
- class process sigchld;
')
allow $1 dhcpc_t:process sigchld;
@@ -78,7 +74,6 @@ interface(`sysnet_sigchld_dhcpc',`
interface(`sysnet_kill_dhcpc',`
gen_require(`
type dhcpc_t;
- class process sigkill;
')
allow $1 dhcpc_t:process sigkill;
@@ -95,7 +90,6 @@ interface(`sysnet_kill_dhcpc',`
interface(`sysnet_sigstop_dhcpc',`
gen_require(`
type dhcpc_t;
- class process sigstop;
')
allow $1 dhcpc_t:process sigstop;
@@ -112,7 +106,6 @@ interface(`sysnet_sigstop_dhcpc',`
interface(`sysnet_signull_dhcpc',`
gen_require(`
type dhcpc_t;
- class process signull;
')
allow $1 dhcpc_t:process signull;
@@ -129,7 +122,6 @@ interface(`sysnet_signull_dhcpc',`
interface(`sysnet_signal_dhcpc',`
gen_require(`
type dhcpc_t;
- class process signal;
')
allow $1 dhcpc_t:process signal;
@@ -146,7 +138,6 @@ interface(`sysnet_signal_dhcpc',`
interface(`sysnet_rw_dhcp_config',`
gen_require(`
type dhcp_etc_t;
- class file { getattr read };
')
files_search_etc($1)
@@ -164,7 +155,6 @@ interface(`sysnet_rw_dhcp_config',`
interface(`sysnet_read_dhcpc_state',`
gen_require(`
type dhcpc_state_t;
- class file { getattr read };
')
allow $1 dhcpc_state_t:file { getattr read };
@@ -181,7 +171,6 @@ interface(`sysnet_read_dhcpc_state',`
interface(`sysnet_read_config',`
gen_require(`
type net_conf_t;
- class file r_file_perms;
')
files_search_etc($1)
@@ -200,7 +189,6 @@ interface(`sysnet_read_config',`
interface(`sysnet_create_config',`
gen_require(`
type net_conf_t;
- class file create_file_perms;
')
files_create_etc_config($1,net_conf_t,file)
@@ -217,7 +205,6 @@ interface(`sysnet_create_config',`
interface(`sysnet_manage_config',`
gen_require(`
type net_conf_t;
- class file create_file_perms;
')
allow $1 net_conf_t:file create_file_perms;
@@ -234,7 +221,6 @@ interface(`sysnet_manage_config',`
interface(`sysnet_read_dhcpc_pid',`
gen_require(`
type dhcpc_var_run_t;
- class file { getattr read };
')
files_list_pids($1)
@@ -243,6 +229,22 @@ interface(`sysnet_read_dhcpc_pid',`
#######################################
## <summary>
+## Delete the dhcp client pid file.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`sysnet_delete_dhcpc_pid',`
+ gen_require(`
+ type dhcpc_var_run_t;
+ ')
+
+ allow $1 dhcpc_var_run_t:file unlink;
+')
+
+#######################################
+## <summary>
## Execute ifconfig in the ifconfig domain.
## </summary>
## <param name="domain">
@@ -336,7 +338,6 @@ interface(`sysnet_read_dhcp_config',`
interface(`sysnet_search_dhcp_state',`
gen_require(`
type dhcp_state_t;
- class dir search;
')
files_search_var_lib($1)
@@ -370,7 +371,6 @@ interface(`sysnet_search_dhcp_state',`
interface(`sysnet_create_dhcp_state',`
gen_require(`
type dhcp_state_t;
- class dir rw_dir_perms;
')
files_search_var_lib($1)
@@ -393,7 +393,6 @@ interface(`sysnet_create_dhcp_state',`
interface(`sysnet_dns_name_resolve',`
gen_require(`
type net_conf_t;
- class udp_socket create_socket_perms;
')
allow $1 self:udp_socket create_socket_perms;
@@ -419,7 +418,6 @@ interface(`sysnet_dns_name_resolve',`
interface(`sysnet_use_ldap',`
gen_require(`
type net_conf_t;
- class tcp_socket create_socket_perms;
')
allow $1 self:tcp_socket create_socket_perms;
@@ -447,8 +445,6 @@ interface(`sysnet_use_ldap',`
interface(`sysnet_use_portmap',`
gen_require(`
type net_conf_t;
- class tcp_socket create_socket_perms;
- class udp_socket create_socket_perms;
')
allow $1 self:tcp_socket create_socket_perms;
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 4790442..75715b6 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -45,12 +45,12 @@ allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_s
dontaudit dhcpc_t self:capability sys_tty_config;
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
-
-allow dhcpc_t self:tcp_socket create_socket_perms;
+allow dhcpc_t self:process signal_perms;
+allow dhcpc_t self:fifo_file rw_file_perms;
+allow dhcpc_t self:tcp_socket create_stream_socket_perms;
allow dhcpc_t self:udp_socket create_socket_perms;
allow dhcpc_t self:packet_socket create_socket_perms;
allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read };
-allow dhcpc_t self:fifo_file rw_file_perms;
allow dhcpc_t dhcp_etc_t:dir r_dir_perms;
allow dhcpc_t dhcp_etc_t:lnk_file r_file_perms;
More information about the scm-commits
mailing list