[selinux-policy: 1642/3172] fix dontaudit interface that was allowing instead of dontauditing; thanks to karl for pointing this
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:27:02 UTC 2010
commit bff907113d1978edab89dbf36db98b40070a57b7
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Tue Nov 28 15:57:22 2006 +0000
fix dontaudit interface that was allowing instead of dontauditing; thanks to karl for pointing this out.
policy/modules/kernel/devices.if | 38 +++++++++++++++++-------------------
policy/modules/kernel/devices.te | 2 +-
policy/modules/kernel/terminal.if | 2 -
policy/modules/kernel/terminal.te | 2 +-
4 files changed, 20 insertions(+), 24 deletions(-)
---
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index e08e393..1fd7ed9 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -183,6 +183,24 @@ interface(`dev_relabel_generic_dev_dirs',`
########################################
## <summary>
+## dontaudit getattr generic files in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_generic_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ dontaudit $1 device_t:file getattr;
+')
+
+########################################
+## <summary>
## Read and write generic files in /dev.
## </summary>
## <param name="domain">
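Review bot: The relocated `dev_dontaudit_getattr_generic_files` no longer carries `allow $1 device_t:dir search;`, so any caller that relied on that side effect to traverse /dev loses the access without notice. The callers are not visible in this patch; they should be checked for new `device_t:dir search` denials and given an explicit search interface where the access is really needed, rather than restoring the allow here. The same applies to `term_dontaudit_getattr_all_user_ptys` in terminal.if, which stops granting `dev_list_all_dev_nodes($1)` and `allow $1 devpts_t:dir r_dir_perms;`. The summary could also say outright that nothing is granted, for example `## Do not audit attempts to get the attributes of generic files in /dev; grants no access.`, so an allow rule is not added to a dontaudit interface again.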
@@ -3230,23 +3248,3 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
-
-########################################
-## <summary>
-## dontaudit getattr generic files in /dev.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
-## </param>
-#
-interface(`dev_dontaudit_getattr_generic_files',`
- gen_require(`
- type device_t;
- ')
-
- allow $1 device_t:dir search;
- dontaudit $1 device_t:file getattr;
-')
-
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index d669577..dc5668f 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
-policy_module(devices,1.2.2)
+policy_module(devices,1.2.3)
########################################
#
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 991d70d..a73376b 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -636,8 +636,6 @@ interface(`term_dontaudit_getattr_all_user_ptys',`
attribute ptynode;
')
- dev_list_all_dev_nodes($1)
- allow $1 devpts_t:dir r_dir_perms;
dontaudit $1 ptynode:chr_file getattr;
')
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index b4dbc4a..06cddf7 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -1,5 +1,5 @@
-policy_module(terminal,1.2.1)
+policy_module(terminal,1.2.2)
########################################
#