[selinux-policy: 760/3172] targeted and distro fixes for loadable modules

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:10:45 UTC 2010


commit af4752bcb98cb3c7ceb3f57c2a209abf3bbf45de
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Oct 19 16:44:24 2005 +0000

    targeted and distro fixes for loadable modules

 refpolicy/policy/modules/services/bind.if     |   15 ---------------
 refpolicy/policy/modules/services/mta.te      |    5 +++--
 refpolicy/policy/modules/services/mysql.if    |    2 +-
 refpolicy/policy/modules/system/userdomain.if |   12 ++++++++----
 4 files changed, 12 insertions(+), 22 deletions(-)
---
diff --git a/refpolicy/policy/modules/services/bind.if b/refpolicy/policy/modules/services/bind.if
index e5469a9..e0f730b 100644
--- a/refpolicy/policy/modules/services/bind.if
+++ b/refpolicy/policy/modules/services/bind.if
@@ -11,9 +11,6 @@
 interface(`bind_domtrans_ndc',`
 	gen_require(`
 		type ndc_t, ndc_exec_t;
-		class process sigchld;
-		class fd use;
-		class fifo_file rw_file_perms;
 	')
 
 	domain_auto_trans($1,ndc_exec_t,ndc_t)
@@ -42,7 +39,6 @@ interface(`bind_domtrans_ndc',`
 interface(`bind_run_ndc',`
 	gen_require(`
 		type ndc_t;
-		class chr_file rw_term_perms;
 	')
 
 	bind_domtrans_ndc($1)
@@ -61,9 +57,6 @@ interface(`bind_run_ndc',`
 interface(`bind_domtrans',`
 	gen_require(`
 		type named_t, named_exec_t;
-		class process sigchld;
-		class fd use;
-		class fifo_file rw_file_perms;
 	')
 
 	domain_auto_trans($1,named_exec_t,named_t)
@@ -85,8 +78,6 @@ interface(`bind_domtrans',`
 interface(`bind_read_dnssec_keys',`
 	gen_require(`
 		type named_conf_t, named_zone_t, dnssec_t;
-		class dir search;
-		class file { getattr read };
 	')
 
 	allow $1 { named_conf_t named_zone_t }:dir search;
@@ -104,8 +95,6 @@ interface(`bind_read_dnssec_keys',`
 interface(`bind_read_config',`
 	gen_require(`
 		type named_conf_t;
-		class dir search;
-		class file { getattr read };
 	')
 
 	allow $1 named_conf_t:dir search;
@@ -123,8 +112,6 @@ interface(`bind_read_config',`
 interface(`bind_write_config',`
 	gen_require(`
 		type named_conf_t;
-		class dir search;
-		class file { write setattr };
 	')
 
 	allow $1 named_conf_t:dir search;
@@ -143,7 +130,6 @@ interface(`bind_write_config',`
 interface(`bind_manage_config_dir',`
 	gen_require(`
 		type named_conf_t;
-		class dir perms;
 	')
 
 	allow $1 named_conf_t:dir create_dir_perms;
@@ -161,7 +147,6 @@ interface(`bind_manage_config_dir',`
 interface(`bind_setattr_pid_dir',`
 	gen_require(`
 		type named_var_run_t;
-		class dir setattr;
 	')
 
 	allow $1 named_var_run_t:dir setattr;
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 1faa732..7eaca38 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -105,7 +105,8 @@ ifdef(`targeted_policy',`
 	allow system_mail_t mqueue_spool_t:file create_file_perms;
 	allow system_mail_t mqueue_spool_t:lnk_file create_lnk_perms;
 
-	optional_policy(`postfix.te',`',`
+# cjp: another require-in-else to resolve
+#	optional_policy(`postfix.te',`',`
 		corecmd_exec_bin(system_mail_t)
 		corecmd_exec_sbin(system_mail_t)
 
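Review bot: Commenting out the `optional_policy(`postfix.te',`',`` wrapper here (and its closing `')` in the next hunk) makes the enclosed rules unconditional inside the targeted_policy block, so system_mail_t now receives corecmd_exec_bin, corecmd_exec_sbin and the libs_* rules whether or not the postfix module is present, whereas before they applied only in the no-postfix else branch; that is a widening of the domain, not a no-op. If this is a stopgap for the require-in-else problem, the comment should record the consequence and the intended end state, e.g. `# cjp: another require-in-else to resolve; until then these rules apply unconditionally in targeted_policy, not only when postfix is absent`. The enclosing ifdef(`targeted_policy') block begins before this hunk and the wrapped rule set is split across the two hunks, so part of the now-unconditional rules is outside view.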
@@ -117,7 +118,7 @@ ifdef(`targeted_policy',`
 		libs_use_shared_libs(system_mail_t)
 		libs_exec_ld_so(system_mail_t)
 		libs_exec_lib_files(system_mail_t)
-	')
+#	')
 ')
 
 optional_policy(`apache.te',`
diff --git a/refpolicy/policy/modules/services/mysql.if b/refpolicy/policy/modules/services/mysql.if
index cbda7b4..a19f112 100644
--- a/refpolicy/policy/modules/services/mysql.if
+++ b/refpolicy/policy/modules/services/mysql.if
@@ -99,7 +99,7 @@ interface(`mysql_rw_db_dir',`
 #
 interface(`mysql_manage_db_dir',`
 	gen_require(`
-		type mysql_db_t;
+		type mysqld_db_t;
 	')
 
 	files_search_var_lib($1)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 7223e0a..740867d 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -1560,11 +1560,15 @@ interface(`userdom_read_staff_home_files',`
 ## </param>
 #
 interface(`userdom_sigchld_sysadm',`
-	gen_require(`
-		type sysadm_t;
-	')
+	ifdef(`targeted_policy',`
+		unconfined_sigchld($1)
+	',`
+		gen_require(`
+			type sysadm_t;
+		')
 
-	allow $1 sysadm_t:process sigchld;
+		allow $1 sysadm_t:process sigchld;
+	')
 ')
 
 ########################################
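Review bot: The new targeted_policy branch is undocumented: the interface's `## <desc>`/`## <param>` header above the hunk presumably still describes granting sigchld to sysadm_t, but in targeted policy the caller is instead passed to unconfined_sigchld, i.e. a different target domain. A short comment on the ifdef line, e.g. `# targeted_policy: sysadm_t is not the target here; route sigchld via unconfined_sigchld($1)`, plus a matching sentence in the `## <desc>` block, would make the divergence visible to callers. This also makes targeted builds of userdom_sigchld_sysadm depend on the unconfined module providing unconfined_sigchld, which the interface header does not declare. The interface's documentation header starts outside the hunk.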

