[selinux-policy: 760/3172] targeted and distro fixes for loadable modules
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:10:45 UTC 2010
commit af4752bcb98cb3c7ceb3f57c2a209abf3bbf45de
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Oct 19 16:44:24 2005 +0000
targeted and distro fixes for loadable modules
refpolicy/policy/modules/services/bind.if | 15 ---------------
refpolicy/policy/modules/services/mta.te | 5 +++--
refpolicy/policy/modules/services/mysql.if | 2 +-
refpolicy/policy/modules/system/userdomain.if | 12 ++++++++----
4 files changed, 12 insertions(+), 22 deletions(-)
---
diff --git a/refpolicy/policy/modules/services/bind.if b/refpolicy/policy/modules/services/bind.if
index e5469a9..e0f730b 100644
--- a/refpolicy/policy/modules/services/bind.if
+++ b/refpolicy/policy/modules/services/bind.if
@@ -11,9 +11,6 @@
interface(`bind_domtrans_ndc',`
gen_require(`
type ndc_t, ndc_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
')
domain_auto_trans($1,ndc_exec_t,ndc_t)
@@ -42,7 +39,6 @@ interface(`bind_domtrans_ndc',`
interface(`bind_run_ndc',`
gen_require(`
type ndc_t;
- class chr_file rw_term_perms;
')
bind_domtrans_ndc($1)
@@ -61,9 +57,6 @@ interface(`bind_run_ndc',`
interface(`bind_domtrans',`
gen_require(`
type named_t, named_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
')
domain_auto_trans($1,named_exec_t,named_t)
@@ -85,8 +78,6 @@ interface(`bind_domtrans',`
interface(`bind_read_dnssec_keys',`
gen_require(`
type named_conf_t, named_zone_t, dnssec_t;
- class dir search;
- class file { getattr read };
')
allow $1 { named_conf_t named_zone_t }:dir search;
@@ -104,8 +95,6 @@ interface(`bind_read_dnssec_keys',`
interface(`bind_read_config',`
gen_require(`
type named_conf_t;
- class dir search;
- class file { getattr read };
')
allow $1 named_conf_t:dir search;
@@ -123,8 +112,6 @@ interface(`bind_read_config',`
interface(`bind_write_config',`
gen_require(`
type named_conf_t;
- class dir search;
- class file { write setattr };
')
allow $1 named_conf_t:dir search;
@@ -143,7 +130,6 @@ interface(`bind_write_config',`
interface(`bind_manage_config_dir',`
gen_require(`
type named_conf_t;
- class dir perms;
')
allow $1 named_conf_t:dir create_dir_perms;
@@ -161,7 +147,6 @@ interface(`bind_manage_config_dir',`
interface(`bind_setattr_pid_dir',`
gen_require(`
type named_var_run_t;
- class dir setattr;
')
allow $1 named_var_run_t:dir setattr;
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 1faa732..7eaca38 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -105,7 +105,8 @@ ifdef(`targeted_policy',`
allow system_mail_t mqueue_spool_t:file create_file_perms;
allow system_mail_t mqueue_spool_t:lnk_file create_lnk_perms;
- optional_policy(`postfix.te',`',`
+# cjp: another require-in-else to resolve
+# optional_policy(`postfix.te',`',`
corecmd_exec_bin(system_mail_t)
corecmd_exec_sbin(system_mail_t)
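Review bot: system_mail_t now receives the corecmd_exec_bin, corecmd_exec_sbin and libs_* rules in every targeted build, including ones where postfix.te is present. Before this change they sat in the else branch of the optional_policy wrapper and applied only when postfix.te was absent; the wrapper's closing line is commented out in the following hunk of this file. That widens what the mail domain may execute, and the added comment `# cjp: another require-in-else to resolve` does not say so. I would spell it out, for example `# cjp: require-in-else to resolve; until then these rules apply even with postfix.te present`, and remove the commented-out wrapper lines once the else branch is restored rather than leaving dead policy in the file.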
@@ -117,7 +118,7 @@ ifdef(`targeted_policy',`
libs_use_shared_libs(system_mail_t)
libs_exec_ld_so(system_mail_t)
libs_exec_lib_files(system_mail_t)
- ')
+# ')
')
optional_policy(`apache.te',`
diff --git a/refpolicy/policy/modules/services/mysql.if b/refpolicy/policy/modules/services/mysql.if
index cbda7b4..a19f112 100644
--- a/refpolicy/policy/modules/services/mysql.if
+++ b/refpolicy/policy/modules/services/mysql.if
@@ -99,7 +99,7 @@ interface(`mysql_rw_db_dir',`
#
interface(`mysql_manage_db_dir',`
gen_require(`
- type mysql_db_t;
+ type mysqld_db_t;
')
files_search_var_lib($1)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 7223e0a..740867d 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -1560,11 +1560,15 @@ interface(`userdom_read_staff_home_files',`
## </param>
#
interface(`userdom_sigchld_sysadm',`
- gen_require(`
- type sysadm_t;
- ')
+ ifdef(`targeted_policy',`
+ unconfined_sigchld($1)
+ ',`
+ gen_require(`
+ type sysadm_t;
+ ')
- allow $1 sysadm_t:process sigchld;
+ allow $1 sysadm_t:process sigchld;
+ ')
')
########################################
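Review bot: In the targeted_policy branch, userdom_sigchld_sysadm now calls `unconfined_sigchld($1)` and no longer grants `allow $1 sysadm_t:process sigchld;`, but nothing in the interface explains why the target domain differs. The interface's doc header starts above the hunk, so its summary may still describe sysadm only. A one-line comment in the targeted branch would help, such as `# targeted policy: no separate sysadm domain (presumably), so SIGCHLD goes to the unconfined domain`. Since the grant lands on a different and broader domain in targeted builds, callers of this interface are worth re-checking against that expectation.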