[selinux-policy: 2030/3172] trunk: a pile of misc fixes.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:00:16 UTC 2010


commit aa7c463e5d5399773d659c3d68902433a644b2b5
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Oct 13 13:36:50 2008 +0000

    trunk: a pile of misc fixes.

 policy/modules/services/automount.if |    8 ++------
 policy/modules/services/bind.if      |   10 ++++++++++
 policy/modules/services/mta.if       |   20 ++++++++++++++++++++
 policy/modules/services/mta.te       |    2 +-
 policy/modules/services/ntp.if       |    2 +-
 policy/modules/services/oident.if    |   12 ++++++------
 policy/modules/services/oident.te    |    2 +-
 policy/modules/services/postfix.te   |   22 ++++++----------------
 policy/modules/services/sasl.if      |    5 +++++
 policy/modules/services/virt.if      |    4 ++--
 policy/modules/system/init.te        |    4 ----
 policy/modules/system/pcmcia.te      |    5 +++--
 12 files changed, 57 insertions(+), 39 deletions(-)
---
diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if
index d4c517d..89bccaa 100644
--- a/policy/modules/services/automount.if
+++ b/policy/modules/services/automount.if
@@ -30,12 +30,8 @@ interface(`automount_domtrans',`
 ## </param>
 #
 interface(`automount_exec_config',`
-	gen_require(`
-		type automount_etc_t;
-	')
-
-	corecmd_search_bin($1)
-	can_exec($1, automount_etc_t)
+	refpolicywarn(`$0(): has been deprecated, please use files_exec_etc_files() instead.')
+	files_exec_etc_files($1)
 ')
 
 ########################################
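Review bot: The deprecated `automount_exec_config` wrapper now forwards to `files_exec_etc_files($1)`, so it no longer names `automount_etc_t` and no longer calls `corecmd_search_bin($1)`. Judging by its name, the replacement grants execute on generic etc files rather than on a dedicated automount type. Whether `automount_etc_t` was folded into the generic etc type is not visible in this hunk; if it was not, remaining callers receive a wider grant than before, which is worth confirming. The interface's `## <summary>` header starts above the hunk and should mark the interface as deprecated, for example by adding `(Deprecated)` to the summary text, so the generated documentation agrees with the `refpolicywarn` message.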
diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
index 52f2d2c..0c67198 100644
--- a/policy/modules/services/bind.if
+++ b/policy/modules/services/bind.if
@@ -265,6 +265,16 @@ interface(`bind_udp_chat_named',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal.
+##	</summary>
+## </param>
 ## <rolecap/>
 #
 interface(`bind_admin',`
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index a47a55d..f5c6a87 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -586,6 +586,26 @@ interface(`mta_read_aliases',`
 
 ########################################
 ## <summary>
+##	Create, read, write, and delete mail address aliases.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_manage_aliases',`
+	gen_require(`
+		type etc_aliases_t;
+	')
+
+	files_search_etc($1)
+	manage_files_pattern($1, etc_aliases_t, etc_aliases_t)
+	manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t)
+')
+
+########################################
+## <summary>
 ##	Type transition files created in /etc
 ##	to the mail address aliases type.
 ## </summary>
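Review bot: The summary for `mta_manage_aliases` understates what the interface grants, because the `manage_lnk_files_pattern` line also gives manage access to symbolic links labeled `etc_aliases_t`. Alias files can direct mail delivery to programs and files, so write access to them is security-sensitive and the header should say who is expected to call this. I would reword the summary to `##	Create, read, write, and delete mail address alias files and symbolic links.` and add a sentence that callers should be limited to MTA domains that maintain the alias database. The header of the following interface continues past the end of the hunk.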
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index a0f10f8..2c29ac0 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -1,5 +1,5 @@
 
-policy_module(mta, 1.10.1)
+policy_module(mta, 1.10.2)
 
 ########################################
 #
diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
index 87dbda3..d47ebff 100644
--- a/policy/modules/services/ntp.if
+++ b/policy/modules/services/ntp.if
@@ -74,7 +74,7 @@ interface(`ntp_domtrans_ntpdate',`
 interface(`ntp_admin',`
 	gen_require(`
 		type ntpd_t, ntpd_tmp_t, ntpd_log_t;
-		type ntpd_key_t, ntpd_var_lib_t, ntpd_var_run_t;
+		type ntpd_key_t, ntpd_var_run_t;
 		type ntpd_initrc_exec_t;
 	')
 
diff --git a/policy/modules/services/oident.if b/policy/modules/services/oident.if
index 7cff0d8..c9beafe 100644
--- a/policy/modules/services/oident.if
+++ b/policy/modules/services/oident.if
@@ -39,7 +39,7 @@
 ## 	</summary>
 ## </param>
 #
-template(`oidentd_per_role_template', `
+template(`oident_per_role_template', `
 
 	########################################
 	#
@@ -51,17 +51,17 @@ template(`oidentd_per_role_template', `
 	')
 
 	type $1_oidentd_home_t, oidentd_user_content_type;
-	userdom_user_home_content($1, oidentd_$1_content_t)
+	userdom_user_home_content($1, $1_oidentd_home_t)
 
-	typeattribute oidentd_$1_content_t oidentd_user_content_type;
+	typeattribute $1_oidentd_home_t oidentd_user_content_type;
 
 	########################################
 	#
 	#  Oident daemon shared policy
 	#
 
-	allow $2 oidentd_$1_content_t:file manage_file_perms; 
-	allow $2 oidentd_$1_content_t:file relabel_file_perms;
+	allow $2 $1_oidentd_home_t:file manage_file_perms; 
+	allow $2 $1_oidentd_home_t:file relabel_file_perms;
 ')
 
 ########################################
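Review bot: The `typeattribute $1_oidentd_home_t oidentd_user_content_type;` line is redundant after this fix, because the declaration two lines above it, `type $1_oidentd_home_t, oidentd_user_content_type;`, already attaches the same attribute; it can be deleted. The first added `allow` line also keeps a trailing space after the semicolon, and the two `allow` lines could be merged into `allow $2 $1_oidentd_home_t:file { manage_file_perms relabel_file_perms };`. The template starts above this hunk, so its opening `gen_require` is not visible here.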
@@ -75,7 +75,7 @@ template(`oidentd_per_role_template', `
 ##	</summary>
 ## </param>
 #
-interface(`oidentd_read_all_user_content', `
+interface(`oident_read_all_user_content', `
 	gen_require(`
 		attribute oidentd_user_content_type;
 	')
diff --git a/policy/modules/services/oident.te b/policy/modules/services/oident.te
index 2b8070c..e0898be 100644
--- a/policy/modules/services/oident.te
+++ b/policy/modules/services/oident.te
@@ -56,7 +56,7 @@ miscfiles_read_localization(oidentd_t)
 
 sysnet_read_config(oidentd_t)
 
-oidentd_read_all_user_content(oidentd_t)
+oident_read_all_user_content(oidentd_t)
 
 optional_policy(`
 	nis_use_ypbind(oidentd_t)
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 8c11bf2..3f2cb82 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -182,6 +182,12 @@ seutil_dontaudit_search_config(postfix_master_t)
 mta_rw_aliases(postfix_master_t)
 mta_read_sendmail_bin(postfix_master_t)
 
+ifdef(`distro_redhat',`
+	# for newer main.cf that uses /etc/aliases
+	mta_manage_aliases(postfix_master_t)
+	mta_etc_filetrans_aliases(postfix_master_t)
+')
+
 optional_policy(`
 	cyrus_stream_connect(postfix_master_t)
 ')
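Review bot: The new `distro_redhat` block is not a like-for-like conversion of the raw rules this commit removes further down in the same file. It keeps file and symlink management through `mta_manage_aliases` and the /etc transition through `mta_etc_filetrans_aliases`, but the directory `manage_dir_perms` grant and the `filetrans_pattern(postfix_master_t, postfix_etc_t, etc_aliases_t, ...)` transition have no counterpart. Narrowing is the safer direction, but alias files created under a `postfix_etc_t` directory would then keep that directory's label unless another rule supplies the transition, so the decision deserves a comment such as `# aliases created under postfix_etc_t are no longer transitioned; only /etc is`. On Red Hat builds the `mta_rw_aliases(postfix_master_t)` call just above appears to be a subset of `mta_manage_aliases`.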
@@ -199,22 +205,6 @@ optional_policy(`
 	sendmail_signal(postfix_master_t)
 ')
 
-###########################################################
-#
-# Partially converted rules.  THESE ARE ONLY TEMPORARY
-#
-
-ifdef(`distro_redhat',`
-	# for newer main.cf that uses /etc/aliases
-	allow postfix_master_t etc_aliases_t:dir manage_dir_perms;
-	allow postfix_master_t etc_aliases_t:file manage_file_perms;
-	allow postfix_master_t etc_aliases_t:lnk_file manage_lnk_file_perms;
-	mta_etc_filetrans_aliases(postfix_master_t)
-	filetrans_pattern(postfix_master_t, postfix_etc_t, etc_aliases_t, { dir file lnk_file })
-')
-
-# end partially converted rules
-
 ########################################
 #
 # Postfix bounce local policy
diff --git a/policy/modules/services/sasl.if b/policy/modules/services/sasl.if
index 5a70491..f1aea88 100644
--- a/policy/modules/services/sasl.if
+++ b/policy/modules/services/sasl.if
@@ -29,6 +29,11 @@ interface(`sasl_connect',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
 ## <rolecap/>
 #
 interface(`sasl_admin',`
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
index efc0fb6..d4542a8 100644
--- a/policy/modules/services/virt.if
+++ b/policy/modules/services/virt.if
@@ -68,7 +68,7 @@ interface(`virt_read_pid_files',`
 ##	</summary>
 ## </param>
 #
-interface(`virt_manage_pids_files',`
+interface(`virt_manage_pid_files',`
 	gen_require(`
 		type virt_var_run_t;
 	')
@@ -167,7 +167,7 @@ interface(`virt_read_log',`
 #
 interface(`virt_append_log',`
 	gen_require(`
-		type var_log_t, virt_log_t;
+		type virt_log_t;
 	')
 
 	logging_search_logs($1)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 3e03dac..ab73da5 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -536,10 +536,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	automount_exec_config(initrc_t)
-')
-
-optional_policy(`
 	bind_read_config(initrc_t)
 
 	# for chmod in start script
diff --git a/policy/modules/system/pcmcia.te b/policy/modules/system/pcmcia.te
index 6de3bb8..d5b9391 100644
--- a/policy/modules/system/pcmcia.te
+++ b/policy/modules/system/pcmcia.te
@@ -136,5 +136,6 @@ optional_policy(`
 
 # Create device files in /tmp.
 # cjp: why is this created all over the place?
-allow cardmgr_t { var_run_t cardmgr_var_run_t tmp_t }:dir rw_dir_perms;
-type_transition cardmgr_t { var_run_t cardmgr_var_run_t tmp_t }:{ chr_file blk_file } cardmgr_dev_t;
+files_pid_filetrans(cardmgr_t, cardmgr_dev_t, { chr_file blk_file })
+files_tmp_filetrans(cardmgr_t, cardmgr_dev_t, { chr_file blk_file })
+filetrans_pattern(cardmgr_t, cardmgr_var_run_t, cardmgr_dev_t, { chr_file blk_file })
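Review bot: The comment above the three new lines still reads `# Create device files in /tmp.`, but the rules label character and block device nodes as `cardmgr_dev_t` in three places, matching the `var_run_t`, `tmp_t` and `cardmgr_var_run_t` set in the removed lines. Device nodes appearing in a shared temporary directory merit a deliberate note, so I would reword it to `# Label device nodes cardmgr creates in /var/run, /tmp and its own pid directory as cardmgr_dev_t.` and keep the open `cjp` question beside it. The macros cover only the directory access and the type transition; the permission to create the nodes themselves is presumably granted elsewhere in the file, outside this hunk.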

