[selinux-policy: 1408/3172] fix up entrypoints

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:07:06 UTC 2010


commit d40c0ecf7acd6745f32017a378b8cba953e78605
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon May 1 19:11:54 2006 +0000

    fix up entrypoints

 refpolicy/policy/modules/apps/games.if        |    1 +
 refpolicy/policy/modules/apps/java.if         |    1 +
 refpolicy/policy/modules/services/dbus.if     |    6 +-----
 refpolicy/policy/modules/system/ipsec.te      |    1 +
 refpolicy/policy/modules/system/userdomain.if |    4 +++-
 5 files changed, 7 insertions(+), 6 deletions(-)
---
diff --git a/refpolicy/policy/modules/apps/games.if b/refpolicy/policy/modules/apps/games.if
index 1e88bbd..319a707 100644
--- a/refpolicy/policy/modules/apps/games.if
+++ b/refpolicy/policy/modules/apps/games.if
@@ -41,6 +41,7 @@ template(`games_per_userdomain_template',`
 
 	type $1_games_t;
 	domain_type($1_games_t)
+	domain_entry_file($1_games_t,games_exec_t)
 	role $3 types $1_games_t;
 
 	type $1_games_devpts_t;
diff --git a/refpolicy/policy/modules/apps/java.if b/refpolicy/policy/modules/apps/java.if
index 0c950ec..cd3d01a 100644
--- a/refpolicy/policy/modules/apps/java.if
+++ b/refpolicy/policy/modules/apps/java.if
@@ -44,6 +44,7 @@ template(`java_per_userdomain_template',`
 
 	type $1_javaplugin_t;
 	domain_type($1_javaplugin_t)
+	domain_entry_file($1_javaplugin_t,java_exec_t)
 	role $3 types $1_javaplugin_t;
 	
 	type $1_javaplugin_tmp_t;
diff --git a/refpolicy/policy/modules/services/dbus.if b/refpolicy/policy/modules/services/dbus.if
index a0f6b56..36877e6 100644
--- a/refpolicy/policy/modules/services/dbus.if
+++ b/refpolicy/policy/modules/services/dbus.if
@@ -49,11 +49,6 @@ interface(`dbus_stub',`
 ## </param>
 #
 template(`dbus_per_userdomain_template',`
-	gen_require(`
-		type system_dbusd_t, dbusd_etc_t;
-		type system_dbusd_exec_t;
-		class dbus { send_msg acquire_svc };
-	')
 
 	##############################
 	#
@@ -61,6 +56,7 @@ template(`dbus_per_userdomain_template',`
 	#
 	type $1_dbusd_t;
 	domain_type($1_dbusd_t)
+	domain_entry_file($1_dbusd_t,system_dbusd_exec_t)
 	role $3 types $1_dbusd_t;
 
 	type $1_dbusd_$1_t;
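Review bot: The added `domain_entry_file($1_dbusd_t,system_dbusd_exec_t)` names `system_dbusd_exec_t`, while the preceding hunk of this file deletes the template's `gen_require` block that declared that type (together with `system_dbusd_t`, `dbusd_etc_t` and the `dbus` class). Unless a require further down the template, outside these hunks, still covers them, the template now depends on symbols it does not declare, which a modular policy build would normally reject. I would keep a `gen_require` at the top of the template containing at least `type system_dbusd_exec_t;`, or state in the commit message where the declaration now comes from.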
diff --git a/refpolicy/policy/modules/system/ipsec.te b/refpolicy/policy/modules/system/ipsec.te
index 4b618ef..bf5a5df 100644
--- a/refpolicy/policy/modules/system/ipsec.te
+++ b/refpolicy/policy/modules/system/ipsec.te
@@ -26,6 +26,7 @@ files_pid_file(ipsec_var_run_t)
 type ipsec_mgmt_t;
 type ipsec_mgmt_exec_t;
 init_system_domain(ipsec_mgmt_t,ipsec_mgmt_exec_t)
+corecmd_shell_entry_type(ipsec_mgmt_t)
 role system_r types ipsec_mgmt_t;
 
 type ipsec_mgmt_lock_t;
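Review bot: The new `corecmd_shell_entry_type(ipsec_mgmt_t)` carries no comment saying which transition needs the shell as an entry point, although `init_system_domain(ipsec_mgmt_t,ipsec_mgmt_exec_t)` on the line above presumably already ties the domain to its own executable type. Each extra entrypoint type loosens the binding between a domain and the programs allowed to start in it, so the reason belongs next to the rule, for example `# <caller domain> enters ipsec_mgmt_t through the shell` with the real caller filled in. The same applies to the `corecmd_bin_entry_type($1_t)` and `corecmd_sbin_entry_type($1_t)` lines added to `base_user_template` in userdomain.if, which take effect for every user domain the template generates.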
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 886b035..d0e7c92 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -31,6 +31,8 @@ template(`base_user_template',`
 	type $1_t, userdomain;
 	domain_type($1_t)
 	corecmd_shell_entry_type($1_t)
+	corecmd_bin_entry_type($1_t)
+	corecmd_sbin_entry_type($1_t)
 	domain_user_exemption_target($1_t)
 	role $1_r types $1_t;
 	allow system_r $1_r;
@@ -105,7 +107,7 @@ template(`base_user_template',`
 	can_exec($1_t,$1_home_t)
 
 	# full control of the home directory
-	allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto };
+	allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto entrypoint };
 	allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
 	allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto };
 	allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto };
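Review bot: Adding `entrypoint` to the `$1_home_t:file` rule makes files that the user can create and relabel (the same rule grants `create_file_perms relabelfrom relabelto`) valid entry points for `$1_t`, so the entrypoint check no longer limits the domain to executables the user cannot modify. A transition into `$1_t` still needs its own `transition` permission, so the actual exposure depends on which domains may transition into user domains, which is not visible in this hunk. The permission also does not match the existing comment "full control of the home directory"; I would split it out as `allow $1_t $1_home_t:file entrypoint;` under its own comment explaining why user-owned files must be able to start the domain, so it can be audited or dropped separately. `base_user_template` starts and ends outside the hunk.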

