[selinux-policy: 973/3172] clean up some hacks

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:29:06 UTC 2010


commit c6d4c8f186a9f000fc90b78edcc27935110c19e6
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Nov 15 18:47:20 2005 +0000

    clean up some hacks

 refpolicy/policy/modules/services/apache.if     |   17 ++++++++++++++++
 refpolicy/policy/modules/services/apache.te     |    2 +-
 refpolicy/policy/modules/services/xdm.te        |    6 ++++-
 refpolicy/policy/modules/system/corecommands.if |   24 ++++++++++++++++++----
 refpolicy/policy/modules/system/corecommands.te |    2 +-
 refpolicy/policy/modules/system/init.te         |    1 -
 refpolicy/policy/modules/system/libraries.te    |   10 ++++----
 refpolicy/policy/modules/system/locallogin.te   |    5 ----
 refpolicy/policy/modules/system/selinuxutil.te  |    2 +-
 refpolicy/policy/modules/system/unconfined.if   |   15 +++++++++----
 refpolicy/policy/modules/system/unconfined.te   |    6 +----
 refpolicy/policy/modules/system/userdomain.te   |    7 +++++-
 refpolicy/policy/support/misc_macros.spt        |   10 +++++++++
 13 files changed, 76 insertions(+), 31 deletions(-)
---
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index b836c9c..601edbf 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -531,6 +531,23 @@ interface(`apache_dontaudit_append_log',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to search Apache
+##	module directories.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`apache_dontaudit_search_modules',`
+	gen_require(`
+		type httpd_modules_t;
+	')
+
+	allow $1 httpd_modules_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Allow the specified domain to list
 ##	the contents of the apache modules
 ##	directory.
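Review bot: `apache_dontaudit_search_modules` is named and documented as a dontaudit interface, but its body `allow $1 httpd_modules_t:dir r_dir_perms;` grants read access to the module directory instead of suppressing a denial. The only caller in this commit, libraries.te, swaps `dontaudit ldconfig_t httpd_modules_t:dir search;` for this interface, so ldconfig_t silently gains the ability to list and read httpd_modules_t directories where previously the denial was merely not logged. The body should be `dontaudit $1 httpd_modules_t:dir search;` so that it matches both the interface name and the rule it replaces.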
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index 9cc5489..84b8bef 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
 
-policy_module(apache,1.0)
+policy_module(apache,1.0.1)
 
 #
 # NOTES: 
diff --git a/refpolicy/policy/modules/services/xdm.te b/refpolicy/policy/modules/services/xdm.te
index ef63398..d369ae8 100644
--- a/refpolicy/policy/modules/services/xdm.te
+++ b/refpolicy/policy/modules/services/xdm.te
@@ -1,5 +1,5 @@
 
-policy_module(xdm,1.0)
+policy_module(xdm,1.0.1)
 
 ########################################
 #
@@ -100,6 +100,10 @@ ifdef(`targeted_policy',`
 	files_create_var_lib(xdm_t,xdm_var_lib_t)
 ')
 
+optional_policy(`locallogin.te',`
+	locallogin_signull(xdm_t)
+')
+
 ifdef(`TODO',`
 # cjp: TODO: integrate strict policy:
 daemon_domain(xdm, `, privuser, privrole, auth_chkpwd, privowner, privmem, nscd_client_domain')
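Review bot: The new `locallogin_signull(xdm_t)` block carries no rationale, while the TODO block it replaces in locallogin.te was annotated `# FIXME: what is this for?`; moving the rule out of TODO turns an open question into live policy without answering it. A one-line comment such as `# xdm sends null signals to local login processes (reason: <fill in>)`, or the FIXME carried over verbatim, would preserve that context for the next reader. The definition of locallogin_signull is not in this diff, so whether it grants exactly signull and nothing more is not visible here.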
diff --git a/refpolicy/policy/modules/system/corecommands.if b/refpolicy/policy/modules/system/corecommands.if
index 9301bf2..087902e 100644
--- a/refpolicy/policy/modules/system/corecommands.if
+++ b/refpolicy/policy/modules/system/corecommands.if
@@ -10,17 +10,31 @@
 
 ########################################
 ## <summary>
-##	Create a aliased type to bin_t.
+##	Create a aliased type to generic bin files.
 ## </summary>
+## <desc>
+##	<p>
+##	Create a aliased type to generic bin files.
+##	</p>
+##	<p>
+##	This is added to support targeted policy.  Its
+##	use should be limited.  It has no effect
+##	on the strict policy.
+##	</p>
+## </desc>
 ## <param name="domain">
 ##	Alias type for bin_t.
 ## </param>
 interface(`corecmd_bin_alias',`
-	gen_require(`
-		type bin_t;
+	ifdef(`targeted_policy',`
+		gen_require(`
+			type bin_t;
+		')
+
+		typealias bin_t alias $1;
+	',`
+		errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
 	')
-
-	typealias bin_t alias $1;
 ')
 
 ########################################
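Review bot: The `<param name="domain">` block describes the argument as `Alias type for bin_t`, but `corecmd_bin_alias` takes an alias name, not a domain; it should be documented as `<param name="alias">` with the same description, and the same mismatch exists in `unconfined_alias_domain` in unconfined.if, whose param block appears as context in that hunk. Both the summary and the new `<desc>` read `Create a aliased type` — `an aliased type`. The strict-policy branch only emits `errprint`, so a caller outside `ifdef(`targeted_policy')` presumably gets a warning followed by a later unknown-type error at the first reference to the alias; stating in the `<desc>` that callers must wrap the call in the targeted_policy ifdef would make the contract explicit.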
diff --git a/refpolicy/policy/modules/system/corecommands.te b/refpolicy/policy/modules/system/corecommands.te
index 9aaca9f..83ee798 100644
--- a/refpolicy/policy/modules/system/corecommands.te
+++ b/refpolicy/policy/modules/system/corecommands.te
@@ -1,5 +1,5 @@
 
-policy_module(corecommands,1.0)
+policy_module(corecommands,1.0.1)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 5757900..cb78de2 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -499,7 +499,6 @@ optional_policy(`dbus.te',`
 	dbus_send_system_bus_msg(initrc_t)
 
 	# FIXME
-	allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc };
 	allow initrc_t system_dbusd_t:unix_stream_socket connectto;
 	allow initrc_t system_dbusd_var_run_t:sock_file write;
 
diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te
index b0ab6c1..a05b81f 100644
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@@ -1,5 +1,5 @@
 
-policy_module(libraries,1.0)
+policy_module(libraries,1.0.1)
 
 ########################################
 #
@@ -24,6 +24,9 @@ files_type(ld_so_t)
 type lib_t;
 files_type(lib_t)
 
+kernel_use_ld_so_from(lib_t,ld_so_t,ld_so_cache_t)
+kernel_use_shared_libs_from(lib_t,{ shlib_t texrel_shlib_t })
+
 #
 # shlib_t is the type of shared objects in the system lib
 # directories.
@@ -46,9 +49,6 @@ ifdef(`targeted_policy',`
 	files_type(texrel_shlib_t)
 ')
 
-kernel_use_ld_so_from(lib_t,ld_so_t,ld_so_cache_t)
-kernel_use_shared_libs_from(lib_t,{ shlib_t texrel_shlib_t })
-
 ########################################
 #
 # ldconfig local policy
@@ -100,5 +100,5 @@ ifdef(`targeted_policy',`
 
 optional_policy(`apache.te',`
 	# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
-	dontaudit ldconfig_t httpd_modules_t:dir search;
+	apache_dontaudit_search_modules(ldconfig_t)
 ')
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index 075a824..2349d05 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -216,11 +216,6 @@ optional_policy(`usermanage.te',`
 ')
 
 ifdef(`TODO',`
-# this goes to xdm:
-optional_policy(`locallogin.te',`
-	# FIXME: what is this for?
-	locallogin_signull(xdm_t)
-')
 # Login can polyinstantiate
 polyinstantiater(local_login_t)
 
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 1b3e9c3..a076936 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -195,7 +195,7 @@ ifdef(`targeted_policy', `
 # cjp: temporary hack to cover
 # up stray file descriptors.
 dontaudit load_policy_t selinux_config_t:file write;
-dontaudit load_policy_t unconfined_t:fifo_file read;
+unconfined_dontaudit_read_pipe(load_policy_t)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index 6e12ad1..19f21b0 100644
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -256,7 +256,8 @@ interface(`unconfined_dontaudit_rw_tcp_socket',`
 ##	</p>
 ##	<p>
 ##	This is added to support targeted policy.  Its
-##	use should be very limited.
+##	use should be limited.  It has no effect
+##	on the strict policy.
 ##	</p>
 ## </desc>
 ## <param name="domain">
@@ -264,9 +265,13 @@ interface(`unconfined_dontaudit_rw_tcp_socket',`
 ## </param>
 #
 interface(`unconfined_alias_domain',`
-	gen_require(`
-		type unconfined_t;
-	')
+	ifdef(`targeted_policy',`
+		gen_require(`
+			type unconfined_t;
+		')
 
-	typealias unconfined_t alias $1;
+		typealias unconfined_t alias $1;
+	',`
+		errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
+	')
 ')
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index 4a2fdc0..4b660ff 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
 
-policy_module(unconfined,1.0)
+policy_module(unconfined,1.0.1)
 
 ########################################
 #
@@ -28,10 +28,6 @@ ifdef(`targeted_policy',`
 	allow unconfined_t self:system syslog_read;
 	dontaudit unconfined_t self:capability sys_module;
 
-	# Define some type aliases to help with compatibility with
-	# macros and domains from the "strict" policy.
-	typealias unconfined_t alias { secadm_t sysadm_t };
-
 	files_create_boot_flag(unconfined_t)
 
 	init_domtrans_script(unconfined_t)
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index d56c649..fbdc5e6 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
 
-policy_module(userdomain,1.0)
+policy_module(userdomain,1.0.1)
 
 ########################################
 #
@@ -53,6 +53,11 @@ define(`role_change',`
 ')
 
 ifdef(`targeted_policy',`
+	# Define some type aliases to help with compatibility with
+	# macros and domains from the "strict" policy.
+	unconfined_alias_domain(secadm_t)
+	unconfined_alias_domain(sysadm_t)
+
 	# User home directory type.
 	type user_home_t alias { staff_home_t sysadm_home_t }, home_type;
 	files_type(user_home_t)
diff --git a/refpolicy/policy/support/misc_macros.spt b/refpolicy/policy/support/misc_macros.spt
index 25ca305..f854137 100644
--- a/refpolicy/policy/support/misc_macros.spt
+++ b/refpolicy/policy/support/misc_macros.spt
@@ -11,6 +11,16 @@
 #
 define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')
 
+#
+# __endline__
+#
+# dummy macro to insert a newline.  used for 
+# errprint, so the close parentheses can be
+# indented correctly.
+#
+define(`__endline__',`
+')
+
 ########################################
 #
 # gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories])
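Review bot: `__endline__` is defined as an ordinary m4 macro, so it is expanded wherever that word appears in any policy source, not only inside `errprint` as the header comment suggests. The comment should say so, e.g. `# NOTE: this is a global m4 name; the word __endline__ must not appear anywhere else in policy text.` The comment line `# dummy macro to insert a newline.  used for ` also carries trailing whitespace.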

