[selinux-policy: 1376/3172] add concept of executables, and update policies which really want this intead of entrypoints

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:04:24 UTC 2010


commit fb63d0b5376e4641f575687e3de699729e4c1fa0
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Apr 19 21:43:02 2006 +0000

    add concept of executables, and update policies which really want this instead of entrypoints

 refpolicy/policy/modules/admin/amanda.te          |   12 +--
 refpolicy/policy/modules/admin/bootloader.te      |    7 +-
 refpolicy/policy/modules/admin/dpkg.te            |   10 +--
 refpolicy/policy/modules/admin/firstboot.te       |    7 +-
 refpolicy/policy/modules/admin/kudzu.te           |    6 +-
 refpolicy/policy/modules/admin/portage.if         |    4 +-
 refpolicy/policy/modules/admin/portage.te         |    2 +-
 refpolicy/policy/modules/admin/prelink.te         |   15 +---
 refpolicy/policy/modules/admin/rpm.te             |   11 +--
 refpolicy/policy/modules/admin/vpn.te             |    8 +--
 refpolicy/policy/modules/apps/cdrecord.te         |    6 +-
 refpolicy/policy/modules/apps/ethereal.te         |    4 +-
 refpolicy/policy/modules/apps/evolution.if        |    4 +
 refpolicy/policy/modules/apps/evolution.te        |   12 ++--
 refpolicy/policy/modules/apps/gpg.te              |   15 +--
 refpolicy/policy/modules/apps/irc.te              |    4 +-
 refpolicy/policy/modules/apps/lockdev.te          |    4 +-
 refpolicy/policy/modules/apps/mozilla.te          |    4 +-
 refpolicy/policy/modules/apps/mplayer.te          |    6 +-
 refpolicy/policy/modules/apps/screen.te           |    4 +-
 refpolicy/policy/modules/apps/thunderbird.te      |    4 +-
 refpolicy/policy/modules/apps/tvtime.te           |    4 +-
 refpolicy/policy/modules/apps/uml.te              |    4 +-
 refpolicy/policy/modules/apps/userhelper.te       |    4 +-
 refpolicy/policy/modules/kernel/corecommands.if   |   99 +++++++++++++++++++++
 refpolicy/policy/modules/kernel/corecommands.te   |   20 +++--
 refpolicy/policy/modules/kernel/domain.if         |    8 +-
 refpolicy/policy/modules/kernel/domain.te         |    2 +-
 refpolicy/policy/modules/services/apache.if       |    5 +-
 refpolicy/policy/modules/services/apache.te       |    2 +-
 refpolicy/policy/modules/services/apm.te          |    7 +-
 refpolicy/policy/modules/services/cron.if         |    6 +-
 refpolicy/policy/modules/services/cron.te         |   12 +--
 refpolicy/policy/modules/services/hal.te          |    7 +-
 refpolicy/policy/modules/services/lpd.te          |    4 +-
 refpolicy/policy/modules/services/mailman.if      |    5 +-
 refpolicy/policy/modules/services/mailman.te      |    2 +-
 refpolicy/policy/modules/services/mta.te          |    7 +-
 refpolicy/policy/modules/services/postfix.te      |    7 +-
 refpolicy/policy/modules/services/smartmon.te     |    6 +-
 refpolicy/policy/modules/services/spamassassin.te |    6 +-
 refpolicy/policy/modules/services/ssh.te          |   13 +--
 refpolicy/policy/modules/services/xserver.if      |    2 +
 refpolicy/policy/modules/services/xserver.te      |   10 +-
 refpolicy/policy/modules/system/init.te           |    8 +--
 refpolicy/policy/modules/system/pcmcia.te         |    7 +-
 refpolicy/policy/modules/system/udev.te           |    7 +-
 refpolicy/policy/modules/system/userdomain.if     |    7 +-
 refpolicy/policy/modules/system/userdomain.te     |    2 +-
 49 files changed, 225 insertions(+), 197 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/amanda.te b/refpolicy/policy/modules/admin/amanda.te
index 8b3c531..1816551 100644
--- a/refpolicy/policy/modules/admin/amanda.te
+++ b/refpolicy/policy/modules/admin/amanda.te
@@ -1,5 +1,5 @@
 
-policy_module(amanda,1.3.1)
+policy_module(amanda,1.3.2)
 
 #######################################
 #
@@ -35,17 +35,11 @@ files_type(amanda_gnutarlists_t)
 
 # type for user startable files
 type amanda_user_exec_t;
-files_type(amanda_user_exec_t)
-
-# temp:
-typeattribute amanda_user_exec_t entry_type;
+corecmd_executable_file(amanda_user_exec_t)
 
 # type for same awk and other scripts
 type amanda_script_exec_t;
-files_type(amanda_script_exec_t)
-
-# temp:
-typeattribute amanda_script_exec_t entry_type;
+corecmd_executable_file(amanda_script_exec_t)
 
 # type for the shell configuration files 
 type amanda_shellconfig_t;
diff --git a/refpolicy/policy/modules/admin/bootloader.te b/refpolicy/policy/modules/admin/bootloader.te
index 6c9261d..0bec93a 100644
--- a/refpolicy/policy/modules/admin/bootloader.te
+++ b/refpolicy/policy/modules/admin/bootloader.te
@@ -1,5 +1,5 @@
 
-policy_module(bootloader,1.2.2)
+policy_module(bootloader,1.2.3)
 
 ########################################
 #
@@ -93,11 +93,8 @@ mls_file_read_up(bootloader_t)
 term_getattr_all_user_ttys(bootloader_t)
 term_dontaudit_manage_pty_dirs(bootloader_t)
 
-corecmd_exec_bin(bootloader_t)
-corecmd_exec_sbin(bootloader_t)
-corecmd_exec_shell(bootloader_t)
+corecmd_exec_all_executables(bootloader_t)
 
-domain_exec_all_entry_files(bootloader_t)
 domain_use_interactive_fds(bootloader_t)
 
 files_create_boot_dirs(bootloader_t)
diff --git a/refpolicy/policy/modules/admin/dpkg.te b/refpolicy/policy/modules/admin/dpkg.te
index 220ed1c..98a6732 100644
--- a/refpolicy/policy/modules/admin/dpkg.te
+++ b/refpolicy/policy/modules/admin/dpkg.te
@@ -1,5 +1,5 @@
 
-policy_module(dpkg,1.0.0)
+policy_module(dpkg,1.0.1)
 
 ########################################
 #
@@ -88,8 +88,7 @@ files_var_lib_filetrans(dpkg_t,dpkg_var_lib_t,dir)
 kernel_read_system_state(dpkg_t)
 kernel_read_kernel_sysctls(dpkg_t)
 
-corecmd_exec_bin(dpkg_t)
-corecmd_exec_sbin(dpkg_t)
+corecmd_exec_all_executables(dpkg_t)
 
 # TODO: do we really need all networking?
 corenet_tcp_sendrecv_all_if(dpkg_t)
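Review bot: `corecmd_exec_all_executables(dpkg_t)` grants more than it replaces (`corecmd_exec_bin`/`corecmd_exec_sbin` here, `domain_exec_all_entry_files` in the next hunk). `can_exec($1,exec_type)` in corecommands.if covers every type passed to `corecmd_executable_file`, which in this commit includes `shell_exec_t` and `chroot_exec_t` alongside bin, sbin and all entry files. Unless those types were already entry points declared elsewhere, each converted domain gains in-domain execution of them. The same substitution appears in the later dpkg.te hunk and in firstboot.te, kudzu.te, portage.if, rpm.te, apache.if, apm.te, cron.if, cron.te, hal.te, mailman.if and mta.te. For the template domains (`httpd_$1_script_t`, `mailman_$1_t`) I would add a comment such as `# may run any exec_type file in-domain, not only bin/sbin` so the widening is a recorded decision.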
@@ -110,7 +109,6 @@ dev_list_usbfs(dpkg_t)
 dev_read_urand(dpkg_t)
 #devices_manage_all_device_types(dpkg_t)
 
-domain_exec_all_entry_files(dpkg_t)
 domain_read_all_domains_state(dpkg_t)
 domain_getattr_all_domains(dpkg_t)
 domain_dontaudit_ptrace_all_domains(dpkg_t)
@@ -247,8 +245,7 @@ fs_tmpfs_filetrans(dpkg_script_t,dpkg_script_tmpfs_t,{ dir file lnk_file sock_fi
 kernel_read_kernel_sysctls(dpkg_script_t)
 kernel_read_system_state(dpkg_script_t)
 
-corecmd_exec_bin(dpkg_script_t)
-corecmd_exec_sbin(dpkg_script_t)
+corecmd_exec_all_executables(dpkg_script_t)
 
 dev_list_sysfs(dpkg_script_t)
 # ideally we would not need this
@@ -261,7 +258,6 @@ domain_read_all_domains_state(dpkg_script_t)
 domain_getattr_all_domains(dpkg_script_t)
 domain_dontaudit_ptrace_all_domains(dpkg_script_t)
 domain_use_interactive_fds(dpkg_script_t)
-domain_exec_all_entry_files(dpkg_script_t)
 domain_signal_all_domains(dpkg_script_t)
 domain_signull_all_domains(dpkg_script_t)
 
diff --git a/refpolicy/policy/modules/admin/firstboot.te b/refpolicy/policy/modules/admin/firstboot.te
index e8b10b1..f606dbe 100644
--- a/refpolicy/policy/modules/admin/firstboot.te
+++ b/refpolicy/policy/modules/admin/firstboot.te
@@ -1,5 +1,5 @@
 
-policy_module(firstboot,1.1.0)
+policy_module(firstboot,1.1.1)
 
 gen_require(`
 	class passwd rootok;
@@ -67,10 +67,7 @@ selinux_compute_user_contexts(firstboot_t)
 
 auth_dontaudit_getattr_shadow(firstboot_t)
 
-corecmd_exec_bin(firstboot_t)
-corecmd_exec_sbin(firstboot_t)
-
-domain_exec_all_entry_files(firstboot_t)
+corecmd_exec_all_executables(firstboot_t)
 
 files_exec_etc_files(firstboot_t)
 files_manage_etc_files(firstboot_t)
diff --git a/refpolicy/policy/modules/admin/kudzu.te b/refpolicy/policy/modules/admin/kudzu.te
index 303d6d1..6615973 100644
--- a/refpolicy/policy/modules/admin/kudzu.te
+++ b/refpolicy/policy/modules/admin/kudzu.te
@@ -1,5 +1,5 @@
 
-policy_module(kudzu,1.2.0)
+policy_module(kudzu,1.2.1)
 
 ########################################
 #
@@ -80,10 +80,8 @@ term_dontaudit_use_console(kudzu_t)
 # so it can write messages to the console
 term_use_unallocated_ttys(kudzu_t)
 
-corecmd_exec_sbin(kudzu_t)
-corecmd_exec_bin(kudzu_t)
+corecmd_exec_all_executables(kudzu_t)
 
-domain_exec_all_entry_files(kudzu_t)
 domain_use_interactive_fds(kudzu_t)
 
 files_search_var(kudzu_t)
diff --git a/refpolicy/policy/modules/admin/portage.if b/refpolicy/policy/modules/admin/portage.if
index 86f8567..efddda5 100644
--- a/refpolicy/policy/modules/admin/portage.if
+++ b/refpolicy/policy/modules/admin/portage.if
@@ -149,8 +149,7 @@ template(`portage_compile_domain_template',`
 	kernel_getattr_message_if($1_t)
 	kernel_read_kernel_sysctls($1_t)
 
-	corecmd_exec_bin($1_t)
-	corecmd_exec_sbin($1_t)
+	corecmd_exec_all_executables($1_t)
 
 	# really shouldnt need this
 	corenet_non_ipsec_sendrecv($1_t)
@@ -169,7 +168,6 @@ template(`portage_compile_domain_template',`
 	dev_read_rand($1_t)
 	dev_read_urand($1_t)
 
-	domain_exec_all_entry_files($1_t)
 	domain_use_interactive_fds($1_t)
 
 	files_exec_etc_files($1_t)
diff --git a/refpolicy/policy/modules/admin/portage.te b/refpolicy/policy/modules/admin/portage.te
index 4f6adbc..8cfa6de 100644
--- a/refpolicy/policy/modules/admin/portage.te
+++ b/refpolicy/policy/modules/admin/portage.te
@@ -1,5 +1,5 @@
 
-policy_module(portage,1.0.0)
+policy_module(portage,1.0.1)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/admin/prelink.te b/refpolicy/policy/modules/admin/prelink.te
index 267813e..59678e0 100644
--- a/refpolicy/policy/modules/admin/prelink.te
+++ b/refpolicy/policy/modules/admin/prelink.te
@@ -1,5 +1,5 @@
 
-policy_module(prelink,1.1.0)
+policy_module(prelink,1.1.1)
 
 ########################################
 #
@@ -43,19 +43,12 @@ kernel_read_system_state(prelink_t)
 kernel_dontaudit_search_kernel_sysctl(prelink_t)
 kernel_dontaudit_search_sysctl(prelink_t)
 
-corecmd_manage_bin_files(prelink_t)
-corecmd_relabel_bin_files(prelink_t)
-corecmd_mmap_bin_files(prelink_t)
-corecmd_manage_sbin_files(prelink_t)
-corecmd_relabel_sbin_files(prelink_t)
-corecmd_mmap_sbin_files(prelink_t)
+corecmd_manage_all_executables(prelink_t)
+corecmd_relabel_all_executables(prelink_t)
+corecmd_mmap_all_executables(prelink_t)
 
 dev_read_urand(prelink_t)
 
-domain_manage_all_entry_files(prelink_t)
-domain_relabel_all_entry_files(prelink_t)
-domain_mmap_all_entry_files(prelink_t)
-
 files_list_all(prelink_t)
 files_getattr_all_files(prelink_t)
 files_write_non_security_dirs(prelink_t)
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index 99e484c..22682ec 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -1,5 +1,5 @@
 
-policy_module(rpm,1.3.4)
+policy_module(rpm,1.3.5)
 
 ########################################
 #
@@ -90,6 +90,8 @@ files_var_lib_filetrans(rpm_t,rpm_var_lib_t,dir)
 kernel_read_system_state(rpm_t)
 kernel_read_kernel_sysctls(rpm_t)
 
+corecmd_exec_all_executables(rpm_t)
+
 corenet_tcp_sendrecv_all_if(rpm_t)
 corenet_raw_sendrecv_all_if(rpm_t)
 corenet_udp_sendrecv_all_if(rpm_t)
@@ -136,12 +138,9 @@ auth_relabel_all_files_except_shadow(rpm_t)
 auth_manage_all_files_except_shadow(rpm_t)
 auth_dontaudit_read_shadow(rpm_t)
 
-corecmd_exec_bin(rpm_t)
-corecmd_exec_sbin(rpm_t)
 # transition to rpm script:
 rpm_domtrans_script(rpm_t)
 
-domain_exec_all_entry_files(rpm_t)
 domain_read_all_domains_state(rpm_t)
 domain_getattr_all_domains(rpm_t)
 domain_dontaudit_ptrace_all_domains(rpm_t)
@@ -295,14 +294,12 @@ auth_dontaudit_getattr_shadow(rpm_script_t)
 # ideally we would not need this
 auth_manage_all_files_except_shadow(rpm_script_t)
 
-corecmd_exec_bin(rpm_script_t)
-corecmd_exec_sbin(rpm_script_t)
+corecmd_exec_all_executables(rpm_script_t)
 
 domain_read_all_domains_state(rpm_script_t)
 domain_getattr_all_domains(rpm_script_t)
 domain_dontaudit_ptrace_all_domains(rpm_script_t)
 domain_use_interactive_fds(rpm_script_t)
-domain_exec_all_entry_files(rpm_script_t)
 domain_signal_all_domains(rpm_script_t)
 domain_signull_all_domains(rpm_script_t)
 
diff --git a/refpolicy/policy/modules/admin/vpn.te b/refpolicy/policy/modules/admin/vpn.te
index 865b0b2..6b04a1e 100644
--- a/refpolicy/policy/modules/admin/vpn.te
+++ b/refpolicy/policy/modules/admin/vpn.te
@@ -1,5 +1,5 @@
 
-policy_module(vpn,1.2.0)
+policy_module(vpn,1.2.1)
 
 ########################################
 #
@@ -75,11 +75,7 @@ fs_getattr_tmpfs(vpnc_t)
 term_use_all_user_ptys(vpnc_t)
 term_use_all_user_ttys(vpnc_t)
 
-corecmd_exec_bin(vpnc_t)
-corecmd_exec_sbin(vpnc_t)
-corecmd_exec_shell(vpnc_t)
-
-domain_exec_all_entry_files(vpnc_t)
+corecmd_exec_all_executables(vpnc_t)
 
 files_exec_etc_files(vpnc_t)
 files_read_etc_runtime_files(vpnc_t)
diff --git a/refpolicy/policy/modules/apps/cdrecord.te b/refpolicy/policy/modules/apps/cdrecord.te
index d78c592..24ed72c 100644
--- a/refpolicy/policy/modules/apps/cdrecord.te
+++ b/refpolicy/policy/modules/apps/cdrecord.te
@@ -1,12 +1,10 @@
 
-policy_module(cdrecord,1.0.1)
+policy_module(cdrecord,1.0.2)
 
 ########################################
 #
 # Declarations
 #
 
-type cdrecord_t;
 type cdrecord_exec_t;
-domain_entry_file(cdrecord_t, cdrecord_exec_t)
-
+corecmd_executable_file(cdrecord_exec_t)
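Review bot: Removing `type cdrecord_t;` together with `domain_entry_file(cdrecord_t, cdrecord_exec_t)` leaves this module with no domain and no entrypoint rule for `cdrecord_exec_t`; the new line only adds the type to `exec_type`. cdrecord.if is not in this commit's diffstat, so confirm that nothing there or in other modules still requires `cdrecord_t`. Also confirm that whichever domain is meant to run cdrecord declares its own `domain_entry_file` on `cdrecord_exec_t`. A short comment above the declaration saying where the entrypoint now lives would prevent the type from looking orphaned.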
diff --git a/refpolicy/policy/modules/apps/ethereal.te b/refpolicy/policy/modules/apps/ethereal.te
index 8451069..6b8b6dd 100644
--- a/refpolicy/policy/modules/apps/ethereal.te
+++ b/refpolicy/policy/modules/apps/ethereal.te
@@ -1,5 +1,5 @@
 
-policy_module(ethereal,1.0.0)
+policy_module(ethereal,1.0.1)
 
 ########################################
 #
@@ -7,7 +7,7 @@ policy_module(ethereal,1.0.0)
 #
 
 type ethereal_exec_t;
-files_type(ethereal_exec_t)
+corecmd_executable_file(ethereal_exec_t)
 
 type tethereal_t;
 type tethereal_exec_t;
diff --git a/refpolicy/policy/modules/apps/evolution.if b/refpolicy/policy/modules/apps/evolution.if
index 497deb0..22b4231 100644
--- a/refpolicy/policy/modules/apps/evolution.if
+++ b/refpolicy/policy/modules/apps/evolution.if
@@ -57,6 +57,7 @@ template(`evolution_per_userdomain_template',`
 	
 	type $1_evolution_alarm_t;
 	domain_type($1_evolution_alarm_t)
+	domain_entry_file($1_evolution_alarm_t,evolution_alarm_exec_t)
 	role $3 types $1_evolution_alarm_t;
 
 	type $1_evolution_alarm_tmpfs_t;
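Review bot: The four added `domain_entry_file` lines cover the alarm, exchange, server and webcal domains (this hunk and the three that follow), but the declaration of the main `$1_evolution_t` domain is outside the visible hunks. evolution.te now labels `evolution_exec_t` with `corecmd_executable_file` only, which by itself gives `exec_type` and no entrypoint, so confirm the template already has `domain_entry_file($1_evolution_t,evolution_exec_t)`. The template body starts and ends outside these hunks.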
@@ -67,6 +68,7 @@ template(`evolution_per_userdomain_template',`
 
 	type $1_evolution_exchange_t;
 	domain_type($1_evolution_exchange_t)
+	domain_entry_file($1_evolution_exchange_t,evolution_exchange_exec_t)
 	role $3 types $1_evolution_exchange_t;
 
 	type $1_evolution_exchange_tmpfs_t;
@@ -80,6 +82,7 @@ template(`evolution_per_userdomain_template',`
 
 	type $1_evolution_server_t;
 	domain_type($1_evolution_server_t)
+	domain_entry_file($1_evolution_server_t,evolution_server_exec_t)
 	role $3 types $1_evolution_server_t;
 
 	type $1_evolution_server_orbit_tmp_t;
@@ -87,6 +90,7 @@ template(`evolution_per_userdomain_template',`
 
 	type $1_evolution_webcal_t;
 	domain_type($1_evolution_webcal_t)
+	domain_entry_file($1_evolution_webcal_t,evolution_webcal_exec_t)
 	role $3 types $1_evolution_webcal_t;
 
 	type $1_evolution_webcal_tmpfs_t;
diff --git a/refpolicy/policy/modules/apps/evolution.te b/refpolicy/policy/modules/apps/evolution.te
index 3b6950d..9aa32cf 100644
--- a/refpolicy/policy/modules/apps/evolution.te
+++ b/refpolicy/policy/modules/apps/evolution.te
@@ -1,5 +1,5 @@
 
-policy_module(evolution,1.0.0)
+policy_module(evolution,1.0.1)
 
 ########################################
 #
@@ -7,16 +7,16 @@ policy_module(evolution,1.0.0)
 #
 
 type evolution_exec_t;
-files_type(evolution_exec_t)
+corecmd_executable_file(evolution_exec_t)
 
 type evolution_alarm_exec_t;
-files_type(evolution_alarm_exec_t)
+corecmd_executable_file(evolution_alarm_exec_t)
 
 type evolution_exchange_exec_t;
-files_type(evolution_exchange_exec_t)
+corecmd_executable_file(evolution_exchange_exec_t)
 
 type evolution_server_exec_t;
-files_type(evolution_server_exec_t)
+corecmd_executable_file(evolution_server_exec_t)
 
 type evolution_webcal_exec_t;
-files_type(evolution_webcal_exec_t)
+corecmd_executable_file(evolution_webcal_exec_t)
diff --git a/refpolicy/policy/modules/apps/gpg.te b/refpolicy/policy/modules/apps/gpg.te
index 22fb375..830326e 100644
--- a/refpolicy/policy/modules/apps/gpg.te
+++ b/refpolicy/policy/modules/apps/gpg.te
@@ -1,5 +1,5 @@
 
-policy_module(gpg, 1.0.2)
+policy_module(gpg, 1.0.3)
 
 ########################################
 #
@@ -9,18 +9,13 @@ policy_module(gpg, 1.0.2)
 # Type for gpg or pgp executables.
 type gpg_exec_t;
 type gpg_helper_exec_t;
-files_type(gpg_exec_t)
-files_type(gpg_helper_exec_t)
+corecmd_executable_file(gpg_exec_t)
+corecmd_executable_file(gpg_helper_exec_t)
 
 # Type for the gpg-agent executable.
 type gpg_agent_exec_t;
-files_type(gpg_agent_exec_t)
+corecmd_executable_file(gpg_agent_exec_t)
 
 # type for the pinentry executable
 type pinentry_exec_t;
-files_type(pinentry_exec_t)
-
-ifdef(`TODO',`
-allow sysadm_gpg_t { home_root_t user_home_dir_type }:dir search;
-allow sysadm_gpg_t ptyfile:chr_file rw_file_perms;
-')
+corecmd_executable_file(pinentry_exec_t)
diff --git a/refpolicy/policy/modules/apps/irc.te b/refpolicy/policy/modules/apps/irc.te
index 01fcbeb..90753c0 100644
--- a/refpolicy/policy/modules/apps/irc.te
+++ b/refpolicy/policy/modules/apps/irc.te
@@ -1,5 +1,5 @@
 
-policy_module(irc,1.0.0)
+policy_module(irc,1.0.1)
 
 ########################################
 #
@@ -7,4 +7,4 @@ policy_module(irc,1.0.0)
 #
 
 type irc_exec_t;
-files_type(irc_exec_t)
+corecmd_executable_file(irc_exec_t)
diff --git a/refpolicy/policy/modules/apps/lockdev.te b/refpolicy/policy/modules/apps/lockdev.te
index 06eae58..7c08bba 100644
--- a/refpolicy/policy/modules/apps/lockdev.te
+++ b/refpolicy/policy/modules/apps/lockdev.te
@@ -1,5 +1,5 @@
 
-policy_module(lockdev,1.0.0)
+policy_module(lockdev,1.0.1)
 
 ########################################
 #
@@ -7,4 +7,4 @@ policy_module(lockdev,1.0.0)
 #
 
 type lockdev_exec_t;
-files_type(lockdev_exec_t)
+corecmd_executable_file(lockdev_exec_t)
diff --git a/refpolicy/policy/modules/apps/mozilla.te b/refpolicy/policy/modules/apps/mozilla.te
index 3afc2c0..7d7e7ef 100644
--- a/refpolicy/policy/modules/apps/mozilla.te
+++ b/refpolicy/policy/modules/apps/mozilla.te
@@ -1,5 +1,5 @@
 
-policy_module(mozilla,1.0.0)
+policy_module(mozilla,1.0.1)
 
 ########################################
 #
@@ -10,4 +10,4 @@ type mozilla_conf_t;
 files_config_file(mozilla_conf_t)
 
 type mozilla_exec_t;
-files_type(mozilla_exec_t)
+corecmd_executable_file(mozilla_exec_t)
diff --git a/refpolicy/policy/modules/apps/mplayer.te b/refpolicy/policy/modules/apps/mplayer.te
index 0d0556a..a1b79d5 100644
--- a/refpolicy/policy/modules/apps/mplayer.te
+++ b/refpolicy/policy/modules/apps/mplayer.te
@@ -1,5 +1,5 @@
 
-policy_module(mplayer,1.0.0)
+policy_module(mplayer,1.0.1)
 
 ########################################
 #
@@ -7,10 +7,10 @@ policy_module(mplayer,1.0.0)
 #
 
 type mplayer_exec_t;
-files_type(mplayer_exec_t)
+corecmd_executable_file(mplayer_exec_t)
 
 type mencoder_exec_t;
-files_type(mencoder_exec_t)
+corecmd_executable_file(mencoder_exec_t)
 
 type mplayer_etc_t;
 files_config_file(mplayer_etc_t)
diff --git a/refpolicy/policy/modules/apps/screen.te b/refpolicy/policy/modules/apps/screen.te
index 0cfaf56..ffec7ab 100644
--- a/refpolicy/policy/modules/apps/screen.te
+++ b/refpolicy/policy/modules/apps/screen.te
@@ -1,5 +1,5 @@
 
-policy_module(screen,1.0.0)
+policy_module(screen,1.0.1)
 
 ########################################
 #
@@ -10,4 +10,4 @@ type screen_dir_t;
 files_pid_file(screen_dir_t)
 
 type screen_exec_t;
-files_type(screen_exec_t)
+corecmd_executable_file(screen_exec_t)
diff --git a/refpolicy/policy/modules/apps/thunderbird.te b/refpolicy/policy/modules/apps/thunderbird.te
index 60f093d..917a627 100644
--- a/refpolicy/policy/modules/apps/thunderbird.te
+++ b/refpolicy/policy/modules/apps/thunderbird.te
@@ -1,5 +1,5 @@
 
-policy_module(thunderbird,1.0.0)
+policy_module(thunderbird,1.0.1)
 
 ########################################
 #
@@ -7,4 +7,4 @@ policy_module(thunderbird,1.0.0)
 #
 
 type thunderbird_exec_t;
-files_type(thunderbird_exec_t)
+corecmd_executable_file(thunderbird_exec_t)
diff --git a/refpolicy/policy/modules/apps/tvtime.te b/refpolicy/policy/modules/apps/tvtime.te
index 0f557d2..407a6a5 100644
--- a/refpolicy/policy/modules/apps/tvtime.te
+++ b/refpolicy/policy/modules/apps/tvtime.te
@@ -1,5 +1,5 @@
 
-policy_module(tvtime,1.0.0)
+policy_module(tvtime,1.0.1)
 
 ########################################
 #
@@ -7,7 +7,7 @@ policy_module(tvtime,1.0.0)
 #
 
 type tvtime_exec_t;
-files_type(tvtime_exec_t)
+corecmd_executable_file(tvtime_exec_t)
 
 type tvtime_dir_t;
 files_pid_file(tvtime_dir_t)
diff --git a/refpolicy/policy/modules/apps/uml.te b/refpolicy/policy/modules/apps/uml.te
index e04c6b1..938d4d2 100644
--- a/refpolicy/policy/modules/apps/uml.te
+++ b/refpolicy/policy/modules/apps/uml.te
@@ -1,5 +1,5 @@
 
-policy_module(uml,1.0.0)
+policy_module(uml,1.0.1)
 
 ########################################
 #
@@ -7,7 +7,7 @@ policy_module(uml,1.0.0)
 #
 
 type uml_exec_t;
-files_type(uml_exec_t)
+corecmd_executable_file(uml_exec_t)
 
 type uml_ro_t;
 files_type(uml_ro_t)
diff --git a/refpolicy/policy/modules/apps/userhelper.te b/refpolicy/policy/modules/apps/userhelper.te
index 2b057b0..140e6f1 100644
--- a/refpolicy/policy/modules/apps/userhelper.te
+++ b/refpolicy/policy/modules/apps/userhelper.te
@@ -1,5 +1,5 @@
 
-policy_module(userhelper,1.0.2)
+policy_module(userhelper,1.0.3)
 
 ########################################
 #
@@ -10,4 +10,4 @@ type userhelper_conf_t;
 files_type(userhelper_conf_t)
 
 type userhelper_exec_t;
-files_type(userhelper_exec_t)
+corecmd_executable_file(userhelper_exec_t)
diff --git a/refpolicy/policy/modules/kernel/corecommands.if b/refpolicy/policy/modules/kernel/corecommands.if
index e129415..93d38c3 100644
--- a/refpolicy/policy/modules/kernel/corecommands.if
+++ b/refpolicy/policy/modules/kernel/corecommands.if
@@ -10,6 +10,28 @@
 
 ########################################
 ## <summary>
+##	Make the specified type usable for files
+##	that are exectuables, such as binary programs.
+##	This does not include shared libraries.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to be used for files.
+##	</summary>
+## </param>
+#
+interface(`corecmd_executable_file',`
+	gen_require(`
+		attribute exec_type;
+	')
+
+	typeattribute $1 exec_type;
+
+	files_type($1)
+')
+
+########################################
+## <summary>
 ##	Create a aliased type to generic bin files.
 ## </summary>
 ## <desc>
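Review bot: The summary of `corecmd_executable_file` misspells "executables" (`that are exectuables`) and does not say what membership in `exec_type` grants. After this commit every domain calling `corecmd_exec_all_executables` may execute such a type, and callers of `corecmd_manage_all_executables` and `corecmd_relabel_all_executables` may modify and relabel it. I would add a description line stating that, for instance `##	Types marked this way become executable by domains granted corecmd_exec_all_executables().`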
@@ -815,3 +837,80 @@ interface(`corecmd_exec_chroot',`
 	can_exec($1,chroot_exec_t)
 	allow $1 self:capability sys_chroot;
 ')
+
+########################################
+## <summary>
+##	Execute all executable files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corecmd_exec_all_executables',`
+	gen_require(`
+		attribute exec_type;
+		type bin_t, sbin_t;
+	')
+
+	can_exec($1,exec_type)
+	allow $1 { bin_t sbin_t }:dir list_dir_perms;
+	allow $1 { bin_t sbin_t }:lnk_file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and all executable files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corecmd_manage_all_executables',`
+	gen_require(`
+		attribute exec_type;
+		type bin_t, sbin_t;
+	')
+
+	allow $1 exec_type:file manage_file_perms;
+	allow $1 { bin_t sbin_t }:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
+##	Relabel to and from the bin type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corecmd_relabel_all_executables',`
+	gen_require(`
+		attribute exec_type;
+	')
+
+	allow $1 exec_type:file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
+##	Mmap all executables as executable.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corecmd_mmap_all_executables',`
+	gen_require(`
+		attribute exec_type;
+	')
+
+	allow $1 exec_type:file { getattr read execute };
+')
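Review bot: Two of the new summaries do not match their rules. `corecmd_relabel_all_executables` is documented as `Relabel to and from the bin type.` but allows `relabelfrom relabelto` on every `exec_type` file, which after the domain.if change in this commit includes all entry points; it should read `Relabel to and from all executable file types.` `corecmd_manage_all_executables` says `Create, read, write, and all executable files.`, which has lost a word (presumably `delete`). These interfaces grant write and relabel access across every labelled executable, so reviewers of callers such as prelink.te need the one-line description to state the real scope.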
diff --git a/refpolicy/policy/modules/kernel/corecommands.te b/refpolicy/policy/modules/kernel/corecommands.te
index 675b909..43d0a2e 100644
--- a/refpolicy/policy/modules/kernel/corecommands.te
+++ b/refpolicy/policy/modules/kernel/corecommands.te
@@ -1,5 +1,5 @@
 
-policy_module(corecommands,1.3.8)
+policy_module(corecommands,1.3.9)
 
 ########################################
 #
@@ -7,31 +7,33 @@ policy_module(corecommands,1.3.8)
 #
 
 #
+# Types with the exec_type attribute are executable files.
+#
+attribute exec_type;
+
+#
 # bin_t is the type of files in the system bin directories.
 #
 type bin_t;
-files_type(bin_t)
+corecmd_executable_file(bin_t)
 
 #
 # sbin_t is the type of files in the system sbin directories.
 #
 type sbin_t;
-files_type(sbin_t)
+corecmd_executable_file(sbin_t)
 
 #
 # ls_exec_t is the type of the ls program.
 #
 type ls_exec_t;
-files_type(ls_exec_t)
-
-#cjp: temp
-typeattribute ls_exec_t entry_type;
+corecmd_executable_file(ls_exec_t)
 
 #
 # shell_exec_t is the type of user shells such as /bin/bash.
 #
 type shell_exec_t;
-files_type(shell_exec_t)
+corecmd_executable_file(shell_exec_t)
 
 type chroot_exec_t;
-files_type(chroot_exec_t)
+corecmd_executable_file(chroot_exec_t)
diff --git a/refpolicy/policy/modules/kernel/domain.if b/refpolicy/policy/modules/kernel/domain.if
index 341eb91..8c3b719 100644
--- a/refpolicy/policy/modules/kernel/domain.if
+++ b/refpolicy/policy/modules/kernel/domain.if
@@ -99,12 +99,12 @@ interface(`domain_entry_file',`
 		attribute entry_type;
 	')
 
-	files_type($2)
-
 	allow $1 $2:file entrypoint;
 	allow $1 $2:file rx_file_perms;
 
 	typeattribute $2 entry_type;
+
+	corecmd_executable_file($2)
 ')
 
 ########################################
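Review bot: `domain_entry_file` now calls `corecmd_executable_file($2)`, so every entry point also joins `exec_type`, but the interface documentation above this hunk is not updated to say so. That side effect is what lets `corecmd_exec_all_executables` replace `domain_exec_all_entry_files` in the callers, and it also exposes each entry point to `corecmd_manage_all_executables` and `corecmd_relabel_all_executables`. A description line such as `##	The entry point type is also marked as an executable file (exec_type).` would record it. The interface starts outside the hunk.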
@@ -1107,11 +1107,11 @@ interface(`domain_mmap_all_entry_files',`
 
 ########################################
 ## <summary>
-##      Execute an entry_type in the specified domain.
+##	Execute an entry_type in the specified domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##      The type of the process performing this action.
+##	The type of the process performing this action.
 ##	</summary>
 ## </param>
 #
diff --git a/refpolicy/policy/modules/kernel/domain.te b/refpolicy/policy/modules/kernel/domain.te
index bde89e0..8c6ea33 100644
--- a/refpolicy/policy/modules/kernel/domain.te
+++ b/refpolicy/policy/modules/kernel/domain.te
@@ -1,5 +1,5 @@
 
-policy_module(domain,1.1.1)
+policy_module(domain,1.1.2)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index b0d39e5..6228049 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -98,10 +98,7 @@ template(`apache_content_template',`
 	dev_read_rand(httpd_$1_script_t)
 	dev_read_urand(httpd_$1_script_t)
 
-	corecmd_exec_bin(httpd_$1_script_t)
-	corecmd_exec_sbin(httpd_$1_script_t)
-
-	domain_exec_all_entry_files(httpd_$1_script_t)
+	corecmd_exec_all_executables(httpd_$1_script_t)
 
 	files_exec_etc_files(httpd_$1_script_t)
 	files_read_etc_files(httpd_$1_script_t)
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index 148da51..e4d9dbe 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
 
-policy_module(apache,1.3.6)
+policy_module(apache,1.3.7)
 
 #
 # NOTES: 
diff --git a/refpolicy/policy/modules/services/apm.te b/refpolicy/policy/modules/services/apm.te
index 48ad02e..5f47a78 100644
--- a/refpolicy/policy/modules/services/apm.te
+++ b/refpolicy/policy/modules/services/apm.te
@@ -1,5 +1,5 @@
 
-policy_module(apm,1.2.3)
+policy_module(apm,1.2.4)
 
 ########################################
 #
@@ -107,11 +107,8 @@ selinux_search_fs(apmd_t)
 
 term_dontaudit_use_console(apmd_t)
 
-corecmd_exec_bin(apmd_t)
-corecmd_exec_sbin(apmd_t)
-corecmd_exec_ls(apmd_t)
+corecmd_exec_all_executables(apmd_t)
 
-domain_exec_all_entry_files(apmd_t)
 domain_read_all_domains_state(apmd_t)
 domain_use_interactive_fds(apmd_t)
 domain_dontaudit_getattr_all_sockets(apmd_t)
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index 871f458..406af37 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -108,7 +108,8 @@ template(`cron_per_userdomain_template',`
 
 	fs_getattr_all_fs($1_crond_t)
 
-	domain_exec_all_entry_files($1_crond_t)
+	corecmd_exec_all_executables($1_crond_t)
+
 	# quiet other ps operations
 	domain_dontaudit_read_all_domains_state($1_crond_t)
 	domain_dontaudit_getattr_all_domains($1_crond_t)
@@ -118,9 +119,6 @@ template(`cron_per_userdomain_template',`
 	# for nscd:
 	files_dontaudit_search_pids($1_crond_t)
 
-	corecmd_exec_bin($1_crond_t)
-	corecmd_exec_sbin($1_crond_t)
-
 	libs_use_ld_so($1_crond_t)
 	libs_use_shared_libs($1_crond_t)
 	libs_exec_lib_files($1_crond_t)
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index d5bc52e..b311aeb 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -1,5 +1,5 @@
 
-policy_module(cron,1.3.3)
+policy_module(cron,1.3.4)
 
 gen_require(`
 	class passwd rootok;
@@ -12,7 +12,7 @@ gen_require(`
 attribute cron_spool_type;
 
 type anacron_exec_t;
-files_type(anacron_exec_t)
+corecmd_executable_file(anacron_exec_t)
 
 type cron_spool_t;
 files_type(cron_spool_t)
@@ -34,7 +34,7 @@ type crond_var_run_t;
 files_pid_file(crond_var_run_t)
 
 type crontab_exec_t;
-files_type(crontab_exec_t)
+corecmd_executable_file(crontab_exec_t)
 
 type system_cron_spool_t, cron_spool_type;
 files_type(system_cron_spool_t)
@@ -276,6 +276,8 @@ ifdef(`targeted_policy',`
 	# ps does not need to access /boot when run from cron
 	files_dontaudit_search_boot(system_crond_t)
 
+	corecmd_exec_all_executables(system_crond_t)
+
 	corenet_tcp_sendrecv_all_if(system_crond_t)
 	corenet_raw_sendrecv_all_if(system_crond_t)
 	corenet_udp_sendrecv_all_if(system_crond_t)
@@ -298,10 +300,6 @@ ifdef(`targeted_policy',`
 	fs_getattr_all_pipes(system_crond_t)
 	fs_getattr_all_sockets(system_crond_t)
 
-	corecmd_exec_bin(system_crond_t)
-	corecmd_exec_sbin(system_crond_t)
-
-	domain_exec_all_entry_files(system_crond_t)
 	# quiet other ps operations
 	domain_dontaudit_read_all_domains_state(system_crond_t)
 
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index e8e94fc..dfd67d4 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
 
-policy_module(hal,1.3.5)
+policy_module(hal,1.3.6)
 
 ########################################
 #
@@ -56,8 +56,7 @@ files_getattr_home_dir(hald_t)
 
 auth_read_pam_console_data(hald_t)
 
-corecmd_exec_bin(hald_t)
-corecmd_exec_sbin(hald_t)
+corecmd_exec_all_executables(hald_t)
 
 corenet_tcp_sendrecv_all_if(hald_t)
 corenet_udp_sendrecv_all_if(hald_t)
@@ -82,12 +81,10 @@ dev_manage_generic_chr_files(hald_t)
 dev_rw_generic_usb_dev(hald_t)
 dev_setattr_generic_usb_dev(hald_t)
 dev_setattr_usbfs_files(hald_t)
-
 # hal is now execing pm-suspend
 dev_rw_sysfs(hald_t)
 
 domain_use_interactive_fds(hald_t)
-domain_exec_all_entry_files(hald_t)
 
 files_exec_etc_files(hald_t)
 files_read_etc_files(hald_t)
diff --git a/refpolicy/policy/modules/services/lpd.te b/refpolicy/policy/modules/services/lpd.te
index e9516cb..6139501 100644
--- a/refpolicy/policy/modules/services/lpd.te
+++ b/refpolicy/policy/modules/services/lpd.te
@@ -1,5 +1,5 @@
 
-policy_module(lpd,1.2.1)
+policy_module(lpd,1.2.2)
 
 ########################################
 #
@@ -25,7 +25,7 @@ type lpd_var_run_t;
 files_pid_file(lpd_var_run_t)
 
 type lpr_exec_t;
-files_type(lpr_exec_t)
+corecmd_executable_file(lpr_exec_t)
 
 type print_spool_t;
 files_tmp_file(print_spool_t)
diff --git a/refpolicy/policy/modules/services/mailman.if b/refpolicy/policy/modules/services/mailman.if
index 497536d..d95f0ac 100644
--- a/refpolicy/policy/modules/services/mailman.if
+++ b/refpolicy/policy/modules/services/mailman.if
@@ -65,10 +65,7 @@ template(`mailman_domain_template', `
 
 	fs_getattr_xattr_fs(mailman_$1_t)
 
-	corecmd_exec_bin(mailman_$1_t)
-	corecmd_exec_sbin(mailman_$1_t)
-
-	domain_exec_all_entry_files(mailman_$1_t)
+	corecmd_exec_all_executables(mailman_$1_t)
 
 	files_exec_etc_files(mailman_$1_t)
 	files_list_usr(mailman_$1_t)
diff --git a/refpolicy/policy/modules/services/mailman.te b/refpolicy/policy/modules/services/mailman.te
index 584ee4b..4c29812 100644
--- a/refpolicy/policy/modules/services/mailman.te
+++ b/refpolicy/policy/modules/services/mailman.te
@@ -1,5 +1,5 @@
 
-policy_module(mailman,1.1.2)
+policy_module(mailman,1.1.3)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index b5f7e91..0fef637 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -1,5 +1,5 @@
 
-policy_module(mta,1.3.2)
+policy_module(mta,1.3.3)
 
 ########################################
 #
@@ -86,10 +86,7 @@ ifdef(`targeted_policy',`
 
 # cjp: another require-in-else to resolve
 #	optional_policy(`',`
-		corecmd_exec_bin(system_mail_t)
-		corecmd_exec_sbin(system_mail_t)
-
-		domain_exec_all_entry_files(system_mail_t)
+		corecmd_exec_all_executables(system_mail_t)
 
 		files_exec_etc_files(system_mail_t)
 
diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te
index a81220b..ec3a724 100644
--- a/refpolicy/policy/modules/services/postfix.te
+++ b/refpolicy/policy/modules/services/postfix.te
@@ -1,5 +1,5 @@
 
-policy_module(postfix,1.2.2)
+policy_module(postfix,1.2.3)
 
 ########################################
 #
@@ -22,10 +22,7 @@ type postfix_etc_t;
 files_type(postfix_etc_t)
 
 type postfix_exec_t;
-files_type(postfix_exec_t)
-
-# temp:
-typeattribute postfix_exec_t entry_type;
+corecmd_executable_file(postfix_exec_t)
 
 postfix_server_domain_template(local)
 mta_mailserver_delivery(postfix_local_t)
diff --git a/refpolicy/policy/modules/services/smartmon.te b/refpolicy/policy/modules/services/smartmon.te
index 876d839..47debff 100644
--- a/refpolicy/policy/modules/services/smartmon.te
+++ b/refpolicy/policy/modules/services/smartmon.te
@@ -1,5 +1,5 @@
 
-policy_module(smartmon,1.0.0)
+policy_module(smartmon,1.0.1)
 
 ########################################
 #
@@ -41,8 +41,7 @@ kernel_read_kernel_sysctls(fsdaemon_t)
 kernel_read_software_raid_state(fsdaemon_t)
 kernel_read_system_state(fsdaemon_t)
 
-corecmd_exec_bin(fsdaemon_t)
-corecmd_exec_sbin(fsdaemon_t)
+corecmd_exec_all_executables(fsdaemon_t)
 
 corenet_non_ipsec_sendrecv(fsdaemon_t)
 corenet_udp_sendrecv_generic_if(fsdaemon_t)
@@ -54,7 +53,6 @@ corenet_udp_bind_all_nodes(fsdaemon_t)
 
 dev_read_sysfs(fsdaemon_t)
 
-domain_exec_all_entry_files(fsdaemon_t)
 domain_use_interactive_fds(fsdaemon_t)
 
 files_exec_etc_files(fsdaemon_t)
diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te
index ed2062a..e8c4a39 100644
--- a/refpolicy/policy/modules/services/spamassassin.te
+++ b/refpolicy/policy/modules/services/spamassassin.te
@@ -1,5 +1,5 @@
 
-policy_module(spamassassin,1.3.2)
+policy_module(spamassassin,1.3.3)
 
 ########################################
 #
@@ -8,7 +8,7 @@ policy_module(spamassassin,1.3.2)
 
 # spamassassin client executable
 type spamc_exec_t;
-files_type(spamc_exec_t)
+corecmd_executable_file(spamc_exec_t)
 
 type spamd_t;
 type spamd_exec_t;
@@ -21,7 +21,7 @@ type spamd_var_run_t;
 files_pid_file(spamd_var_run_t)
 
 type spamassassin_exec_t;
-files_type(spamassassin_exec_t)
+corecmd_executable_file(spamassassin_exec_t)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index 546f8d7..8254d66 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -1,5 +1,5 @@
 
-policy_module(ssh,1.3.0)
+policy_module(ssh,1.3.1)
 
 ########################################
 #
@@ -10,10 +10,10 @@ attribute ssh_server;
 
 # ssh client executable.
 type ssh_exec_t;
-files_type(ssh_exec_t)
+corecmd_executable_file(ssh_exec_t)
 
 type ssh_keygen_exec_t;
-files_type(ssh_keygen_exec_t)
+corecmd_executable_file(ssh_keygen_exec_t)
 
 type ssh_keysign_exec_t;
 files_type(ssh_keysign_exec_t)
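Review bot: `ssh_keysign_exec_t` stays as `files_type(ssh_keysign_exec_t)` while `ssh_exec_t` and `ssh_keygen_exec_t` in the same hunk move to `corecmd_executable_file`, and the later hunk in this file (`@@ -34,11 +34,6 @@`) also removes `typeattribute ssh_keysign_exec_t entry_type;`. After the commit the type appears to carry neither marking in the targeted policy, so domains that used to reach it through `domain_exec_all_entry_files` presumably lose execute access. If narrowing access to the keysign helper is intended, record it with a comment such as `# deliberately not an executable type: not meant to be run directly by other domains`. If it is an oversight, the line should read `corecmd_executable_file(ssh_keysign_exec_t)`.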
@@ -23,7 +23,7 @@ files_type(ssh_keysign_exec_t)
 gen_require(`
 	type sshd_exec_t;
 ')
-files_type(sshd_exec_t)
+corecmd_executable_file(sshd_exec_t)
 
 type sshd_key_t;
 files_type(sshd_key_t)
@@ -34,11 +34,6 @@ ifdef(`targeted_policy',`
 
 	type sshd_var_run_t;
 	files_type(sshd_var_run_t)
-
-	# FIXME
-	typeattribute ssh_exec_t entry_type;
-	typeattribute ssh_keygen_exec_t entry_type;
-	typeattribute ssh_keysign_exec_t entry_type;
 ',`
 	# Type for the ssh-agent executable.
 	type ssh_agent_exec_t;
diff --git a/refpolicy/policy/modules/services/xserver.if b/refpolicy/policy/modules/services/xserver.if
index ec410cd..76227fa 100644
--- a/refpolicy/policy/modules/services/xserver.if
+++ b/refpolicy/policy/modules/services/xserver.if
@@ -240,6 +240,7 @@ template(`xserver_per_userdomain_template',`
 
 	type $1_iceauth_t;
 	domain_type($1_iceauth_t)
+	domain_entry_file($1_iceauth_t,iceauth_exec_t)
 	role $3 types $1_iceauth_t;
 
 	type $1_iceauth_home_t alias $1_iceauth_rw_t;
@@ -248,6 +249,7 @@ template(`xserver_per_userdomain_template',`
 
 	type $1_xauth_t;
 	domain_type($1_xauth_t)
+	domain_entry_file($1_xauth_t,xauth_exec_t)
 	role $3 types $1_xauth_t;
 
 	type $1_xauth_home_t alias $1_xauth_rw_t;
diff --git a/refpolicy/policy/modules/services/xserver.te b/refpolicy/policy/modules/services/xserver.te
index b39f586..e373e84 100644
--- a/refpolicy/policy/modules/services/xserver.te
+++ b/refpolicy/policy/modules/services/xserver.te
@@ -1,5 +1,5 @@
 
-policy_module(xserver,1.1.5)
+policy_module(xserver,1.1.6)
 
 ########################################
 #
@@ -14,10 +14,10 @@ type ice_tmp_t;
 files_tmp_file(ice_tmp_t)
 
 type iceauth_exec_t;
-files_type(iceauth_exec_t)
+corecmd_executable_file(iceauth_exec_t)
 
 type xauth_exec_t;
-files_type(xauth_exec_t)
+corecmd_executable_file(xauth_exec_t)
 
 # this is not actually a device, its a pipe
 type xconsole_device_t;
@@ -58,10 +58,10 @@ files_config_file(xkb_var_lib_t)
 
 # Type for the executable used to start the X server, e.g. Xwrapper.
 type xserver_exec_t;
-files_type(xserver_exec_t)
+corecmd_executable_file(xserver_exec_t)
 
 type xsession_exec_t;
-files_type(xsession_exec_t)
+corecmd_executable_file(xsession_exec_t)
 
 # Type for the X server log file.
 type xserver_log_t;
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 49c5ec4..713acf5 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -1,5 +1,5 @@
 
-policy_module(init,1.3.8)
+policy_module(init,1.3.9)
 
 gen_require(`
 	class passwd rootok;
@@ -306,10 +306,7 @@ auth_read_pam_pid(initrc_t)
 auth_delete_pam_pid(initrc_t)
 auth_delete_pam_console_data(initrc_t)
 
-corecmd_exec_bin(initrc_t)
-corecmd_exec_sbin(initrc_t)
-corecmd_exec_shell(initrc_t)
-corecmd_exec_ls(initrc_t)
+corecmd_exec_all_executables(initrc_t)
 
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
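Review bot: Folding `corecmd_exec_shell(initrc_t)` and `corecmd_exec_ls(initrc_t)` into `corecmd_exec_all_executables(initrc_t)` is equivalent only if the shell and ls types belong to the new executable set, and the declaration that would show this (corecommands.te) is not in this part of the patch. If either type is missed, init scripts are denied exec of the shell at boot, which fails closed but is hard to diagnose. This is worth confirming with a query against the built policy, for example with sesearch. The same check applies to the cardmgr_t hunk, which drops `corecmd_exec_ls`, and the udev_t hunk, which drops `corecmd_exec_shell`.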
@@ -322,7 +319,6 @@ domain_getattr_all_domains(initrc_t)
 domain_dontaudit_ptrace_all_domains(initrc_t)
 domain_getsession_all_domains(initrc_t)
 domain_use_interactive_fds(initrc_t)
-domain_exec_all_entry_files(initrc_t)
 # for lsof which is used by alsa shutdown:
 domain_dontaudit_getattr_all_udp_sockets(initrc_t)
 domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te
index e857127..e2d419f 100644
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ b/refpolicy/policy/modules/system/pcmcia.te
@@ -1,5 +1,5 @@
 
-policy_module(pcmcia,1.0.0)
+policy_module(pcmcia,1.0.1)
 
 ########################################
 #
@@ -70,12 +70,9 @@ term_getattr_all_user_ttys(cardmgr_t)
 term_dontaudit_use_console(cardmgr_t)
 term_dontaudit_getattr_all_user_ptys(cardmgr_t)
 
-corecmd_exec_bin(cardmgr_t)
-corecmd_exec_sbin(cardmgr_t)
-corecmd_exec_ls(cardmgr_t)
+corecmd_exec_all_executables(cardmgr_t)
 
 domain_use_interactive_fds(cardmgr_t)
-domain_exec_all_entry_files(cardmgr_t)
 # Read /proc/PID directories for all domains (for fuser).
 domain_read_confined_domains_state(cardmgr_t)
 domain_getattr_confined_domains(cardmgr_t)
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index f27e29d..06dec28 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -1,5 +1,5 @@
 
-policy_module(udev,1.3.2)
+policy_module(udev,1.3.3)
 
 ########################################
 #
@@ -101,11 +101,8 @@ selinux_compute_user_contexts(udev_t)
 
 auth_use_nsswitch(udev_t)
 
-corecmd_exec_bin(udev_t)
-corecmd_exec_sbin(udev_t)
-corecmd_exec_shell(udev_t)
+corecmd_exec_all_executables(udev_t)
 
-domain_exec_all_entry_files(udev_t)
 domain_read_all_domains_state(udev_t)
 
 files_read_etc_runtime_files(udev_t)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 4bdf8f0..59b57b6 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -527,7 +527,6 @@ template(`unpriv_user_template', `
 
 	typeattribute $1_t unpriv_userdomain;
 	domain_interactive_fd($1_t)
-	domain_exec_all_entry_files($1_t)
 
 	typeattribute $1_devpts_t user_ptynode;
 
@@ -562,10 +561,10 @@ template(`unpriv_user_template', `
 
 	kernel_read_system_state($1_t)
 	kernel_read_network_state($1_t)
+
 	dev_read_sysfs($1_t)
 
-	# cjp: why?
-	files_read_kernel_symbol_table($1_t)
+	corecmd_exec_all_executables($1_t)
 
 	# port access is audited even if dac would not have allowed it, so dontaudit it here
 	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
@@ -582,6 +581,8 @@ template(`unpriv_user_template', `
 	files_read_world_readable_symlinks($1_t)
 	files_read_world_readable_pipes($1_t)
 	files_read_world_readable_sockets($1_t)
+	# cjp: why?
+	files_read_kernel_symbol_table($1_t)
 
 	init_read_utmp($1_t)
 	# The library functions always try to open read-write first,
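Review bot: `files_read_kernel_symbol_table($1_t)` is moved rather than resolved, and it still carries the open question `# cjp: why?` inside the unprivileged user template. Read access to the kernel symbol table for every unprivileged user domain should have a stated consumer. If none is known, I would drop the rule and let denials show who needs it. At minimum, replace the comment with `# TODO: no known consumer in unprivileged domains; remove if no denials appear`. The template body starts and ends outside the hunk.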
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 1d5ea22..d1e4a33 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
 
-policy_module(userdomain,1.3.15)
+policy_module(userdomain,1.3.16)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r;

