[selinux-policy: 898/3172] * fixes uncovered by sediff * fix disable_trans support so the daemon can be both init and inet serv

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:22:39 UTC 2010


commit 0500e01f2d62cf5e62af9391cd0ba8da6f721e27
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Oct 31 20:32:53 2005 +0000

    * fixes uncovered by sediff
    * fix disable_trans support so the daemon can be both
    init and inet services, and not get dup bool decl

 refpolicy/policy/modules/services/apache.if  |    2 +-
 refpolicy/policy/modules/services/apache.te  |    2 +
 refpolicy/policy/modules/services/finger.te  |    2 +-
 refpolicy/policy/modules/services/inetd.if   |    5 +++-
 refpolicy/policy/modules/services/inetd.te   |    1 +
 refpolicy/policy/modules/services/mailman.if |    2 +-
 refpolicy/policy/modules/services/tftp.te    |    2 +-
 refpolicy/policy/modules/system/domain.if    |    2 +-
 refpolicy/policy/modules/system/hotplug.te   |    1 +
 refpolicy/policy/modules/system/init.if      |    5 +++-
 refpolicy/policy/modules/system/udev.if      |   29 ++++++++++++++++++-------
 11 files changed, 38 insertions(+), 15 deletions(-)
---
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index c66ebbb..7f96e01 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -81,7 +81,7 @@ template(`apache_content_template',`
 	allow httpd_$1_script_t httpd_$1_script_rw_t:lnk_file create_lnk_perms;
 	allow httpd_$1_script_t httpd_$1_script_rw_t:sock_file create_file_perms;
 	allow httpd_$1_script_t httpd_$1_script_rw_t:fifo_file create_file_perms;
-	files_create_tmp_files(httpd_$1_script_t,httpd_$1_script_rw_t,{ file lnk_file sock_file fifo_file })
+	files_create_tmp_files(httpd_$1_script_t,httpd_$1_script_rw_t,{ dir file lnk_file sock_file fifo_file })
 
 	kernel_dontaudit_search_sysctl(httpd_$1_script_t)
 	kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
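Review bot: Adding `dir` to the class set of `files_create_tmp_files` gives directories the script creates in the tmp directory the type `httpd_$1_script_rw_t`, but the `allow` rules visible in this hunk cover only `lnk_file`, `sock_file` and `fifo_file`. The matching `dir` rule is presumably among the lines of `apache_content_template` above the hunk; if it is missing, the new transition only produces create denials. A short comment above the call, such as `# scripts may create temp directories; they are labelled as rw content`, would record why `dir` is listed.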
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index 03f5f29..570ef7a 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -130,6 +130,7 @@ allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_co
 dontaudit httpd_t self:capability { net_admin sys_tty_config };
 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow httpd_t self:fd use;
+allow httpd_t self:sock_file r_file_perms;
 allow httpd_t self:fifo_file rw_file_perms;
 allow httpd_t self:shm create_shm_perms;
 allow httpd_t self:sem create_sem_perms;
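Review bot: The new `allow httpd_t self:sock_file r_file_perms;` has no comment saying which socket file carries the domain type `httpd_t`, and it is read-only while the `fifo_file` rule beside it is `rw_file_perms`. File objects normally get a file type rather than the process type, so a later reader cannot tell whether the rule is needed or was only copied across to match the policy compared with sediff. I would add `# sediff: present in the compared policy; object labelled httpd_t not yet identified`, or the concrete reason if it is known.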
@@ -384,6 +385,7 @@ optional_policy(`mailman.te',`
 	mailman_signal_cgi(httpd_t)
 	mailman_domtrans_cgi(httpd_t)
 	# should have separate types for public and private archives
+	mailman_search_data(httpd_t)
 	mailman_read_archive(httpd_t)
 ')
 
diff --git a/refpolicy/policy/modules/services/finger.te b/refpolicy/policy/modules/services/finger.te
index b45c65a..ce2cfb9 100644
--- a/refpolicy/policy/modules/services/finger.te
+++ b/refpolicy/policy/modules/services/finger.te
@@ -7,7 +7,7 @@ policy_module(finger,1.0)
 #
 type fingerd_t;
 type fingerd_exec_t;
-init_system_domain(fingerd_t,fingerd_exec_t)
+init_daemon_domain(fingerd_t,fingerd_exec_t)
 inetd_tcp_service_domain(fingerd_t,fingerd_exec_t)
 
 type fingerd_etc_t;
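Review bot: `fingerd_t` is now passed to both `init_daemon_domain` and `inetd_tcp_service_domain`, and nothing at this site says that the pair only compiles because of the declare-once guard this commit adds to `init.if` and `inetd.if`. Both interfaces derive the same `fingerd_disable_trans` boolean from the type name, so one boolean now appears to control the transition from both launchers. A comment such as `# started from init or inetd; both interfaces share fingerd_disable_trans` would make that explicit. The same applies to `tftpd_t` in `tftp.te`.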
diff --git a/refpolicy/policy/modules/services/inetd.if b/refpolicy/policy/modules/services/inetd.if
index b144729..d03e202 100644
--- a/refpolicy/policy/modules/services/inetd.if
+++ b/refpolicy/policy/modules/services/inetd.if
@@ -36,7 +36,10 @@ interface(`inetd_core_service_domain',`
 		# this regex is a hack, since it assumes there is a
 		# _t at the end of the domain type.  If there is no _t
 		# at the end of the type, it returns empty!
-		bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
+		ifdef(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'),`',`
+			bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
+			define(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'))
+		')
 		if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
 #			can_exec(inetd_t,$2)
 			# cjp: this must be wrong
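Review bot: The guard name is built from the same `regexp` that the existing comment says returns empty when the type has no `_t` suffix, so for such a type the guard macro is plain `__define_` and is shared with every other such type. The new lines also repeat the `regexp($1, ...)` expression three more times, and the identical block is added to `init_daemon_domain` in `init.if`. I would move the declare-once logic into one support macro used by both interfaces and have it fail the build on an empty result, for example with m4's `errprint` and `m4exit`. Because a single `*_disable_trans` boolean now appears to govern both launch paths, the interface comment should say that setting it removes the daemon's own domain for both. The rest of the interface body lies outside this hunk.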
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
index d24fa6c..9c55937 100644
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@@ -183,6 +183,7 @@ allow inetd_child_t inetd_child_tmp_t:file create_file_perms;
 files_create_tmp_files(inetd_child_t, inetd_child_tmp_t, { file dir })
 
 allow inetd_child_t inetd_child_var_run_t:file create_file_perms;
+allow inetd_child_t inetd_child_var_run_t:dir rw_dir_perms;
 files_create_pid(inetd_child_t,inetd_child_var_run_t)
 
 kernel_read_kernel_sysctl(inetd_child_t)
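Review bot: The added `allow inetd_child_t inetd_child_var_run_t:dir rw_dir_perms;` grants write access to directories of this type, yet `files_create_pid(inetd_child_t,inetd_child_var_run_t)` on the next line passes no class set, unlike the tmp call above with `{ file dir }`. If the pid transition covers only files, no directory gets this type unless a file context assigns it, and the rule has nothing to act on. Either name the intended directory in a comment, e.g. `# pid directory labelled by file contexts`, or drop the `dir` rule if no such directory exists.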
diff --git a/refpolicy/policy/modules/services/mailman.if b/refpolicy/policy/modules/services/mailman.if
index 0d86f24..d099648 100644
--- a/refpolicy/policy/modules/services/mailman.if
+++ b/refpolicy/policy/modules/services/mailman.if
@@ -182,7 +182,7 @@ interface(`mailman_search_data',`
 		type mailman_data_t;
 	')
 
-	allow $1 mailman_data_t:dir search;
+	allow $1 mailman_data_t:dir search_dir_perms;
 ')
 
 #######################################
diff --git a/refpolicy/policy/modules/services/tftp.te b/refpolicy/policy/modules/services/tftp.te
index 93fc7f5..91c71d5 100644
--- a/refpolicy/policy/modules/services/tftp.te
+++ b/refpolicy/policy/modules/services/tftp.te
@@ -8,7 +8,7 @@ policy_module(tftp,1.0)
 
 type tftpd_t;
 type tftpd_exec_t;
-init_system_domain(tftpd_t,tftpd_exec_t)
+init_daemon_domain(tftpd_t,tftpd_exec_t)
 inetd_udp_service_domain(tftpd_t,tftpd_exec_t)
 
 type tftpd_var_run_t;
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index a7e665b..b21d713 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -989,7 +989,7 @@ interface(`domain_unconfined',`
 # domain_trans(source_domain,entrypoint_file,target_domain)
 #
 template(`domain_trans',`
-	allow $1 $2:file rx_file_perms;
+	allow $1 $2:file { getattr read execute };
 	allow $1 $3:process transition;
 	dontaudit $1 $3:process { noatsecure siginh rlimitinh };
 ')
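Review bot: Replacing `rx_file_perms` with the literal `{ getattr read execute }` in `domain_trans` changes what every transition built on this template grants on the entrypoint file, and the line carries no explanation. Presumably the macro expands to more than these three permissions and the intent is to withhold the extras from the source domain. A comment such as `# minimal set needed to execute the entrypoint; rx_file_perms grants more` would keep a later cleanup from switching it back to the macro.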
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 8b05c41..23912ec 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -187,6 +187,7 @@ optional_policy(`sysnetwork.te',`
 
 optional_policy(`udev.te', `
 	udev_domtrans(hotplug_t)
+	udev_helper_domtrans(hotplug_t)
 	udev_read_db(hotplug_t)
 ')
 
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index d4b8319..4c92dfa 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -88,7 +88,10 @@ interface(`init_daemon_domain',`
 		# this regex is a hack, since it assumes there is a
 		# _t at the end of the domain type.  If there is no _t
 		# at the end of the type, it returns empty!
-		bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
+		ifdef(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'),`',`
+			bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
+			define(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'))
+		')
 		if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
 			can_exec(initrc_t,$2)
 			can_exec(direct_run_init,$2)
diff --git a/refpolicy/policy/modules/system/udev.if b/refpolicy/policy/modules/system/udev.if
index b15f3a2..01d1920 100644
--- a/refpolicy/policy/modules/system/udev.if
+++ b/refpolicy/policy/modules/system/udev.if
@@ -11,9 +11,6 @@
 interface(`udev_domtrans',`
 	gen_require(`
 		type udev_t, udev_exec_t;
-		class process sigchld;
-		class fd use;
-		class fifo_file rw_file_perms;
 	')
 
 	domain_auto_trans($1, udev_exec_t, udev_t)
@@ -26,6 +23,27 @@ interface(`udev_domtrans',`
 
 ########################################
 ## <summary>
+##	Execute a udev helper in the udev domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`udev_helper_domtrans',`
+	gen_require(`
+		type udev_t, udev_helper_exec_t;
+	')
+
+	domain_auto_trans($1, udev_helper_exec_t, udev_t)
+
+	allow $1 udev_t:fd use;
+	allow udev_t $1:fd use;
+	allow udev_t $1:fifo_file rw_file_perms;
+	allow udev_t $1:process sigchld;
+')
+
+########################################
+## <summary>
 ##	Allow process to read udev process state.
 ## </summary>
 ## <param name="domain">
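Review bot: `udev_helper_domtrans` moves the caller into the full `udev_t` domain whenever it executes a file labelled `udev_helper_exec_t`, but the diffstat shows no change to `udev.te`, so this commit does not show that the type is declared as an entrypoint for `udev_t`. If it is not, the `domain_auto_trans` call would likely be denied at the entrypoint check. The doc block should also say that helpers run with udev's own privileges, e.g. `## Files labelled udev_helper_exec_t run with all permissions of udev_t.`, so the label is applied only to helpers that need that privilege level.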
@@ -54,7 +72,6 @@ interface(`udev_read_state',`
 interface(`udev_dontaudit_use_fd',`
 	gen_require(`
 		type udev_t;
-		class fd use;
 	')
 
 	dontaudit $1 udev_t:fd use;
@@ -72,7 +89,6 @@ interface(`udev_dontaudit_use_fd',`
 interface(`udev_dontaudit_rw_unix_dgram_socket',`
 	gen_require(`
 		type udev_t;
-		class unix_dgram_socket { read write };
 	')
 
 	dontaudit $1 udev_t:unix_dgram_socket { read write };
@@ -89,7 +105,6 @@ interface(`udev_dontaudit_rw_unix_dgram_socket',`
 interface(`udev_read_db',`
 	gen_require(`
 		type udev_tdb_t;
-		class file r_file_perms;
 	')
 
 	dev_list_all_dev_nodes($1)
@@ -107,10 +122,8 @@ interface(`udev_read_db',`
 interface(`udev_rw_db',`
 	gen_require(`
 		type udev_tdb_t;
-		class file rw_file_perms;
 	')
 
 	dev_list_all_dev_nodes($1)
 	allow $1 udev_tdb_t:file rw_file_perms;
 ')
-

