[selinux-policy: 826/3172] fix most disable_trans errors
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:16:29 UTC 2010
commit 69dcd685adb4e5bb3334e9f38c0f3b3fcefb7b26
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Mon Oct 24 22:08:13 2005 +0000
fix most disable_trans errors
refpolicy/Makefile | 2 +-
refpolicy/policy/modules/services/cpucontrol.te | 12 ++++++-
refpolicy/policy/modules/services/finger.te | 2 +-
refpolicy/policy/modules/services/inetd.if | 35 +++++++++++++++++++----
refpolicy/policy/modules/services/tftp.te | 2 +-
refpolicy/policy/modules/system/init.if | 6 ++++
refpolicy/policy/modules/system/unconfined.te | 1 +
7 files changed, 49 insertions(+), 11 deletions(-)
---
diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 6f3ac9f..c49cfdb 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -71,7 +71,7 @@ MONOLITHIC=y
PREFIX := /usr
BINDIR := $(PREFIX)/bin
SBINDIR := $(PREFIX)/sbin
-CHECKPOLICY := $(BINDIR)/checkpolicy
+CHECKPOLICY := /tmp/$(BINDIR)/checkpolicy
CHECKMODULE := $(BINDIR)/checkmodule
SEMOD_PKG := $(BINDIR)/semodule_package
LOADPOLICY := $(SBINDIR)/load_policy
diff --git a/refpolicy/policy/modules/services/cpucontrol.te b/refpolicy/policy/modules/services/cpucontrol.te
index ddb5869..c858827 100644
--- a/refpolicy/policy/modules/services/cpucontrol.te
+++ b/refpolicy/policy/modules/services/cpucontrol.te
@@ -8,14 +8,14 @@ policy_module(cpucontrol,1.0)
type cpucontrol_t;
type cpucontrol_exec_t;
-init_daemon_domain(cpucontrol_t,cpucontrol_exec_t)
+init_system_domain(cpucontrol_t,cpucontrol_exec_t)
type cpucontrol_conf_t;
files_type(cpucontrol_conf_t)
type cpuspeed_t;
type cpuspeed_exec_t;
-init_daemon_domain(cpuspeed_t,cpuspeed_exec_t)
+init_system_domain(cpuspeed_t,cpuspeed_exec_t)
########################################
#
@@ -61,6 +61,10 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_file(cpucontrol_t)
')
+optional_policy(`nscd.te',`
+ nscd_use_socket(cpucontrol_t)
+')
+
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(cpucontrol_t)
')
@@ -117,6 +121,10 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_file(cpuspeed_t)
')
+optional_policy(`nscd.te',`
+ nscd_use_socket(cpuspeed_t)
+')
+
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(cpuspeed_t)
')
diff --git a/refpolicy/policy/modules/services/finger.te b/refpolicy/policy/modules/services/finger.te
index 64c4d5d..72c467f 100644
--- a/refpolicy/policy/modules/services/finger.te
+++ b/refpolicy/policy/modules/services/finger.te
@@ -7,7 +7,7 @@ policy_module(finger,1.0)
#
type fingerd_t;
type fingerd_exec_t;
-init_daemon_domain(fingerd_t,fingerd_exec_t)
+init_system_domain(fingerd_t,fingerd_exec_t)
inetd_tcp_service_domain(fingerd_t,fingerd_exec_t)
type fingerd_etc_t;
diff --git a/refpolicy/policy/modules/services/inetd.if b/refpolicy/policy/modules/services/inetd.if
index 4a85162..3d97f1c 100644
--- a/refpolicy/policy/modules/services/inetd.if
+++ b/refpolicy/policy/modules/services/inetd.if
@@ -32,14 +32,37 @@ interface(`inetd_core_service_domain',`
role system_r types $1;
- domain_auto_trans(inetd_t,$2,$1)
-
- allow $1 inetd_t:fd use;
- allow inetd_t $1:fd use;
- allow $1 inetd_t:fifo_file rw_file_perms;
- allow $1 inetd_t:process sigchld;
-
allow inetd_t $1:process sigkill;
+
+ ifdef(`targeted_policy',`
+ # this regex is a hack, since it assumes there is a
+ # _t at the end of the domain type. If there is no _t
+ # at the end of the type, it returns empty!
+ bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
+ if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
+ can_exec(inetd_t,$2)
+ } else {
+ domain_auto_trans(inetd_t,$2,$1)
+ allow inetd_t $1:fd use;
+ allow $1 inetd_t:fd use;
+ allow $1 inetd_t:fifo_file rw_file_perms;
+ allow $1 inetd_t:process sigchld;
+ dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
+
+ # make sediff happy
+ allow $1 $2:file { rx_file_perms entrypoint };
+ }
+ ',`
+ domain_auto_trans(inetd_t,$2,$1)
+ allow inetd_t $1:fd use;
+ allow $1 inetd_t:fd use;
+ allow $1 inetd_t:fifo_file rw_file_perms;
+ allow $1 inetd_t:process sigchld;
+ dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
+
+ # make sediff happy
+ allow $1 $2:file { rx_file_perms entrypoint };
+ ')
')
########################################
diff --git a/refpolicy/policy/modules/services/tftp.te b/refpolicy/policy/modules/services/tftp.te
index d6e1096..2b791ad 100644
--- a/refpolicy/policy/modules/services/tftp.te
+++ b/refpolicy/policy/modules/services/tftp.te
@@ -8,7 +8,7 @@ policy_module(tftp,1.0)
type tftpd_t;
type tftpd_exec_t;
-init_daemon_domain(tftpd_t,tftpd_exec_t)
+init_system_domain(tftpd_t,tftpd_exec_t)
inetd_udp_service_domain(tftpd_t,tftpd_exec_t)
type tftpd_var_run_t;
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 8623dd5..d4b8319 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -99,6 +99,9 @@ interface(`init_daemon_domain',`
allow $1 initrc_t:fifo_file rw_file_perms;
allow $1 initrc_t:process sigchld;
allow initrc_t $1:process { noatsecure siginh rlimitinh };
+
+ # make sediff happy
+ allow $1 $2:file { rx_file_perms entrypoint };
}
',`
domain_auto_trans(initrc_t,$2,$1)
@@ -107,6 +110,9 @@ interface(`init_daemon_domain',`
allow $1 initrc_t:fifo_file rw_file_perms;
allow $1 initrc_t:process sigchld;
dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
+
+ # make sediff happy
+ allow $1 $2:file { rx_file_perms entrypoint };
')
optional_policy(`nscd.te',`
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index 01962c1..99fbe40 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -49,4 +49,5 @@ ifdef(`targeted_policy',`
')
') dnl end TODO
+ typeattribute unconfined_t direct_run_init;
')
More information about the scm-commits
mailing list