[selinux-policy: 1303/3172] clean up to make files use its own interfaces.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:57:57 UTC 2010


commit a65611d2e2401252e42451f0edcbc7e73be0dd86
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Mar 28 19:54:07 2006 +0000

    Clean up so that the files module uses its own interfaces.

 refpolicy/Changelog                      |    1 +
 refpolicy/policy/modules/kernel/files.if |    5 -
 refpolicy/policy/modules/kernel/files.te |  128 ++++++++++++++++--------------
 3 files changed, 68 insertions(+), 66 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index f78c716..b5813c1 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,4 @@
+- Change files module to use its own interfaces to simplify the module.
 - Add user fonts to xserver.
 - Additional interfaces in corecommands, miscfiles, and userdomain
   from Joy Latten.
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index 9474c11..b84c359 100644
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -35,8 +35,6 @@ interface(`files_type',`
 		attribute file_type;
 	')
 
-	fs_associate($1)
-	fs_associate_noxattr($1)
 	typeattribute $1 file_type;
 ')
 
@@ -232,9 +230,7 @@ interface(`files_tmp_file',`
 
 	files_type($1)
 	files_poly_member($1)
-	fs_associate_tmpfs($1)
 	typeattribute $1 tmpfile;
-	allow $1 tmp_t:filesystem associate;
 ')
 
 ########################################
@@ -254,7 +250,6 @@ interface(`files_tmpfs_file',`
 	')
 
 	files_type($1)
-	fs_associate_tmpfs($1)
 	typeattribute $1 tmpfsfile;
 ')
 
diff --git a/refpolicy/policy/modules/kernel/files.te b/refpolicy/policy/modules/kernel/files.te
index 1f69128..e5aabdf 100644
--- a/refpolicy/policy/modules/kernel/files.te
+++ b/refpolicy/policy/modules/kernel/files.te
@@ -1,5 +1,5 @@
 
-policy_module(files,1.2.2)
+policy_module(files,1.2.3)
 
 ########################################
 #
@@ -7,10 +7,6 @@ policy_module(files,1.2.2)
 #
 
 attribute file_type;
-
-# cjp: should handle this different
-allow file_type self:filesystem associate;
-
 attribute lockfile;
 attribute mountpoint;
 attribute pidfile;
@@ -18,9 +14,6 @@ attribute pidfile;
 # For labeling types that are to be polyinstantiated
 attribute polydir;
 
-# this is a hack and should be changed
-attribute usercanread;
-
 # And for labeling the parent directories of those polyinstantiated directories
 # This is necessary for remounting the original in the parent to give
 # security aware apps access
@@ -36,44 +29,42 @@ attribute security_file_type;
 attribute tmpfile;
 attribute tmpfsfile;
 
+# this is a hack and should be changed
+attribute usercanread;
+
 #
 # boot_t is the type for files in /boot
 #
 type boot_t;
-files_type(boot_t)
 files_mountpoint(boot_t)
 
 # default_t is the default type for files that do not
 # match any specification in the file_contexts configuration
 # other than the generic /.* specification.
-type default_t, file_type, mountpoint;
-fs_associate(default_t)
-fs_associate_noxattr(default_t)
+type default_t;
+files_mountpoint(default_t)
 
 #
 # etc_t is the type of the system etc directories.
 #
-type etc_t, file_type;
-fs_associate(etc_t)
-fs_associate_noxattr(etc_t)
+type etc_t;
+files_type(etc_t)
 
 #
 # etc_runtime_t is the type of various
 # files in /etc that are automatically
 # generated during initialization.
 #
-type etc_runtime_t, file_type;
-fs_associate(etc_runtime_t)
-fs_associate_noxattr(etc_runtime_t)
+type etc_runtime_t;
+files_type(etc_runtime_t)
 
 #
 # file_t is the default type of a file that has not yet been
 # assigned an extended attribute (EA) value (when using a filesystem
 # that supports EAs).
 #
-type file_t, file_type, mountpoint;
-fs_associate(file_t)
-fs_associate_noxattr(file_t)
+type file_t;
+files_mountpoint(file_t)
 kernel_rootfs_mountpoint(file_t)
 sid file gen_context(system_u:object_r:file_t,s0)
 
@@ -81,24 +72,21 @@ sid file gen_context(system_u:object_r:file_t,s0)
 # home_root_t is the type for the directory where user home directories
 # are created
 #
-type home_root_t, file_type, mountpoint;
-fs_associate(home_root_t)
-fs_associate_noxattr(home_root_t)
+type home_root_t;
+files_mountpoint(home_root_t)
 files_poly_parent(home_root_t)
 
 #
 # lost_found_t is the type for the lost+found directories.
 #
-type lost_found_t, file_type;
-fs_associate(lost_found_t)
-fs_associate_noxattr(lost_found_t)
+type lost_found_t;
+files_type(lost_found_t)
 
 #
 # mnt_t is the type for mount points such as /mnt/cdrom
 #
-type mnt_t, file_type, mountpoint;
-fs_associate(mnt_t)
-fs_associate_noxattr(mnt_t)
+type mnt_t;
+files_mountpoint(mnt_t)
 
 #
 # modules_object_t is the type for kernel modules
@@ -106,24 +94,20 @@ fs_associate_noxattr(mnt_t)
 type modules_object_t;
 files_type(modules_object_t)
 
-type no_access_t, file_type;
-fs_associate(no_access_t)
-fs_associate_noxattr(no_access_t)
+type no_access_t;
+files_type(no_access_t)
 
-type poly_t, file_type;
-fs_associate(poly_t)
-fs_associate_noxattr(poly_t)
+type poly_t;
+files_type(poly_t)
 
-type readable_t, file_type;
-fs_associate(readable_t)
-fs_associate_noxattr(readable_t)
+type readable_t;
+files_type(readable_t)
 
 #
 # root_t is the type for rootfs and the root directory.
 #
-type root_t, file_type, mountpoint;
-fs_associate(root_t)
-fs_associate_noxattr(root_t)
+type root_t;
+files_mountpoint(root_t)
 files_poly_parent(root_t)
 kernel_rootfs_mountpoint(root_t)
 genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
@@ -131,9 +115,8 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
 #
 # src_t is the type of files in the system src directories.
 #
-type src_t, file_type, mountpoint;
-fs_associate(src_t)
-fs_associate_noxattr(src_t)
+type src_t;
+files_mountpoint(src_t)
 
 #
 # system_map_t is for the system.map files in /boot
@@ -144,48 +127,71 @@ files_type(system_map_t)
 #
 # tmp_t is the type of the temporary directories
 #
-type tmp_t, mountpoint; #, polydir
+type tmp_t;
 files_tmp_file(tmp_t)
+files_mountpoint(tmp_t)
+files_poly(tmp_t)
 files_poly_parent(tmp_t)
 
 #
 # usr_t is the type for /usr.
 #
-type usr_t, file_type, mountpoint;
-fs_associate(usr_t)
-fs_associate_noxattr(usr_t)
+type usr_t;
+files_mountpoint(usr_t)
 
 #
 # var_t is the type of /var
 #
-type var_t, file_type, mountpoint;
-fs_associate(var_t)
-fs_associate_noxattr(var_t)
+type var_t;
+files_mountpoint(var_t)
 
 #
 # var_lib_t is the type of /var/lib
 #
-type var_lib_t, file_type, mountpoint;
-fs_associate(var_lib_t)
-fs_associate_noxattr(var_lib_t)
+type var_lib_t;
+files_mountpoint(var_lib_t)
 
 #
 # var_lock_t is tye type of /var/lock
 #
-type var_lock_t, file_type, lockfile;
-fs_associate(var_lock_t)
-fs_associate_noxattr(var_lock_t)
+type var_lock_t;
+files_lock_file(var_lock_t)
 
 #
 # var_run_t is the type of /var/run, usually
 # used for pid and other runtime files.
 #
-type var_run_t, file_type, pidfile;
-fs_associate(var_run_t)
-fs_associate_noxattr(var_run_t)
+type var_run_t;
+files_pid_file(var_run_t)
 
 #
 # var_spool_t is the type of /var/spool
 #
 type var_spool_t;
 files_tmp_file(var_spool_t)
+
+########################################
+#
+# Rules for all file types
+#
+
+allow file_type self:filesystem associate;
+
+fs_associate(file_type)
+fs_associate_noxattr(file_type)
+
+########################################
+#
+# Rules for all tmp file types
+#
+
+allow tmpfile tmp_t:filesystem associate;
+
+fs_associate_tmpfs(tmpfile)
+
+########################################
+#
+# Rules for all tmpfs file types
+#
+
+fs_associate_tmpfs(tmpfsfile)
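Review bot: `files_poly(tmp_t)` turns on polyinstantiation for tmp_t, which the removed line had deliberately left disabled (`#, polydir`); that is a behavioural change in a commit described as clean-up and it is not reflected in the Changelog entry. If it is intended, record it in the comment block above tmp_t, e.g. `# tmp_t is polyinstantiated; see files_poly()`, otherwise the `files_poly(tmp_t)` line should go. Separately, the new `allow file_type self:filesystem associate;` in the "Rules for all file types" section replaces a rule that carried the reservation `# cjp: should handle this different`; if that reservation still applies, keep the note next to the relocated rule so the open question is not lost.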

