[selinux-policy: 1303/3172] clean up to make files use its own interfaces.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:57:57 UTC 2010
commit a65611d2e2401252e42451f0edcbc7e73be0dd86
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Tue Mar 28 19:54:07 2006 +0000
clean up to make files use its own interfaces.
refpolicy/Changelog | 1 +
refpolicy/policy/modules/kernel/files.if | 5 -
refpolicy/policy/modules/kernel/files.te | 128 ++++++++++++++++--------------
3 files changed, 68 insertions(+), 66 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index f78c716..b5813c1 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,4 @@
+- Change files module to use its own interfaces to simplify the module.
- Add user fonts to xserver.
- Additional interfaces in corecommands, miscfiles, and userdomain
from Joy Latten.
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index 9474c11..b84c359 100644
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -35,8 +35,6 @@ interface(`files_type',`
attribute file_type;
')
- fs_associate($1)
- fs_associate_noxattr($1)
typeattribute $1 file_type;
')
@@ -232,9 +230,7 @@ interface(`files_tmp_file',`
files_type($1)
files_poly_member($1)
- fs_associate_tmpfs($1)
typeattribute $1 tmpfile;
- allow $1 tmp_t:filesystem associate;
')
########################################
@@ -254,7 +250,6 @@ interface(`files_tmpfs_file',`
')
files_type($1)
- fs_associate_tmpfs($1)
typeattribute $1 tmpfsfile;
')
diff --git a/refpolicy/policy/modules/kernel/files.te b/refpolicy/policy/modules/kernel/files.te
index 1f69128..e5aabdf 100644
--- a/refpolicy/policy/modules/kernel/files.te
+++ b/refpolicy/policy/modules/kernel/files.te
@@ -1,5 +1,5 @@
-policy_module(files,1.2.2)
+policy_module(files,1.2.3)
########################################
#
@@ -7,10 +7,6 @@ policy_module(files,1.2.2)
#
attribute file_type;
-
-# cjp: should handle this different
-allow file_type self:filesystem associate;
-
attribute lockfile;
attribute mountpoint;
attribute pidfile;
@@ -18,9 +14,6 @@ attribute pidfile;
# For labeling types that are to be polyinstantiated
attribute polydir;
-# this is a hack and should be changed
-attribute usercanread;
-
# And for labeling the parent directories of those polyinstantiated directories
# This is necessary for remounting the original in the parent to give
# security aware apps access
@@ -36,44 +29,42 @@ attribute security_file_type;
attribute tmpfile;
attribute tmpfsfile;
+# this is a hack and should be changed
+attribute usercanread;
+
#
# boot_t is the type for files in /boot
#
type boot_t;
-files_type(boot_t)
files_mountpoint(boot_t)
# default_t is the default type for files that do not
# match any specification in the file_contexts configuration
# other than the generic /.* specification.
-type default_t, file_type, mountpoint;
-fs_associate(default_t)
-fs_associate_noxattr(default_t)
+type default_t;
+files_mountpoint(default_t)
#
# etc_t is the type of the system etc directories.
#
-type etc_t, file_type;
-fs_associate(etc_t)
-fs_associate_noxattr(etc_t)
+type etc_t;
+files_type(etc_t)
#
# etc_runtime_t is the type of various
# files in /etc that are automatically
# generated during initialization.
#
-type etc_runtime_t, file_type;
-fs_associate(etc_runtime_t)
-fs_associate_noxattr(etc_runtime_t)
+type etc_runtime_t;
+files_type(etc_runtime_t)
#
# file_t is the default type of a file that has not yet been
# assigned an extended attribute (EA) value (when using a filesystem
# that supports EAs).
#
-type file_t, file_type, mountpoint;
-fs_associate(file_t)
-fs_associate_noxattr(file_t)
+type file_t;
+files_mountpoint(file_t)
kernel_rootfs_mountpoint(file_t)
sid file gen_context(system_u:object_r:file_t,s0)
@@ -81,24 +72,21 @@ sid file gen_context(system_u:object_r:file_t,s0)
# home_root_t is the type for the directory where user home directories
# are created
#
-type home_root_t, file_type, mountpoint;
-fs_associate(home_root_t)
-fs_associate_noxattr(home_root_t)
+type home_root_t;
+files_mountpoint(home_root_t)
files_poly_parent(home_root_t)
#
# lost_found_t is the type for the lost+found directories.
#
-type lost_found_t, file_type;
-fs_associate(lost_found_t)
-fs_associate_noxattr(lost_found_t)
+type lost_found_t;
+files_type(lost_found_t)
#
# mnt_t is the type for mount points such as /mnt/cdrom
#
-type mnt_t, file_type, mountpoint;
-fs_associate(mnt_t)
-fs_associate_noxattr(mnt_t)
+type mnt_t;
+files_mountpoint(mnt_t)
#
# modules_object_t is the type for kernel modules
@@ -106,24 +94,20 @@ fs_associate_noxattr(mnt_t)
type modules_object_t;
files_type(modules_object_t)
-type no_access_t, file_type;
-fs_associate(no_access_t)
-fs_associate_noxattr(no_access_t)
+type no_access_t;
+files_type(no_access_t)
-type poly_t, file_type;
-fs_associate(poly_t)
-fs_associate_noxattr(poly_t)
+type poly_t;
+files_type(poly_t)
-type readable_t, file_type;
-fs_associate(readable_t)
-fs_associate_noxattr(readable_t)
+type readable_t;
+files_type(readable_t)
#
# root_t is the type for rootfs and the root directory.
#
-type root_t, file_type, mountpoint;
-fs_associate(root_t)
-fs_associate_noxattr(root_t)
+type root_t;
+files_mountpoint(root_t)
files_poly_parent(root_t)
kernel_rootfs_mountpoint(root_t)
genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
@@ -131,9 +115,8 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
#
# src_t is the type of files in the system src directories.
#
-type src_t, file_type, mountpoint;
-fs_associate(src_t)
-fs_associate_noxattr(src_t)
+type src_t;
+files_mountpoint(src_t)
#
# system_map_t is for the system.map files in /boot
@@ -144,48 +127,71 @@ files_type(system_map_t)
#
# tmp_t is the type of the temporary directories
#
-type tmp_t, mountpoint; #, polydir
+type tmp_t;
files_tmp_file(tmp_t)
+files_mountpoint(tmp_t)
+files_poly(tmp_t)
files_poly_parent(tmp_t)
#
# usr_t is the type for /usr.
#
-type usr_t, file_type, mountpoint;
-fs_associate(usr_t)
-fs_associate_noxattr(usr_t)
+type usr_t;
+files_mountpoint(usr_t)
#
# var_t is the type of /var
#
-type var_t, file_type, mountpoint;
-fs_associate(var_t)
-fs_associate_noxattr(var_t)
+type var_t;
+files_mountpoint(var_t)
#
# var_lib_t is the type of /var/lib
#
-type var_lib_t, file_type, mountpoint;
-fs_associate(var_lib_t)
-fs_associate_noxattr(var_lib_t)
+type var_lib_t;
+files_mountpoint(var_lib_t)
#
# var_lock_t is tye type of /var/lock
#
-type var_lock_t, file_type, lockfile;
-fs_associate(var_lock_t)
-fs_associate_noxattr(var_lock_t)
+type var_lock_t;
+files_lock_file(var_lock_t)
#
# var_run_t is the type of /var/run, usually
# used for pid and other runtime files.
#
-type var_run_t, file_type, pidfile;
-fs_associate(var_run_t)
-fs_associate_noxattr(var_run_t)
+type var_run_t;
+files_pid_file(var_run_t)
#
# var_spool_t is the type of /var/spool
#
type var_spool_t;
files_tmp_file(var_spool_t)
+
+########################################
+#
+# Rules for all file types
+#
+
+allow file_type self:filesystem associate;
+
+fs_associate(file_type)
+fs_associate_noxattr(file_type)
+
+########################################
+#
+# Rules for all tmp file types
+#
+
+allow tmpfile tmp_t:filesystem associate;
+
+fs_associate_tmpfs(tmpfile)
+
+########################################
+#
+# Rules for all tmpfs file types
+#
+
+fs_associate_tmpfs(tmpfsfile)
More information about the scm-commits
mailing list