[selinux-policy: 1934/3172] trunk: another pile of misc fixes.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:52:09 UTC 2010
commit b34db7a8ecbcbf9b136a9927a7f0624fbb22969c
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Thu May 22 15:24:52 2008 +0000
trunk: another pile of misc fixes.
policy/modules/admin/apt.if | 2 +-
policy/modules/apps/gnome.if | 2 +-
policy/modules/apps/mplayer.if | 7 ++---
policy/modules/apps/rssh.if | 5 ++++
policy/modules/kernel/filesystem.if | 4 +-
policy/modules/roles/sysadm.te | 10 ++++----
policy/modules/services/aide.if | 12 +---------
policy/modules/services/amavis.if | 14 +----------
policy/modules/services/apcupsd.if | 2 +-
policy/modules/services/bluetooth.if | 1 +
policy/modules/services/cups.te | 2 +-
policy/modules/services/cvs.te | 2 +-
policy/modules/services/mta.if | 7 +----
policy/modules/services/sasl.if | 14 ++++++------
policy/modules/services/smartmon.if | 10 ++++----
policy/modules/services/ssh.if | 2 +-
policy/modules/services/zabbix.if | 2 +-
policy/modules/system/userdomain.if | 38 +++++++++++++++++++++++++++++----
policy/modules/system/xen.if | 4 +-
policy/support/obj_perm_sets.spt | 3 +-
20 files changed, 77 insertions(+), 66 deletions(-)
---
diff --git a/policy/modules/admin/apt.if b/policy/modules/admin/apt.if
index 53e1c60..06ae950 100644
--- a/policy/modules/admin/apt.if
+++ b/policy/modules/admin/apt.if
@@ -188,5 +188,5 @@ interface(`apt_dontaudit_manage_db',`
dontaudit $1 apt_var_lib_t:dir rw_dir_perms;
dontaudit $1 apt_var_lib_t:file manage_file_perms;
- dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_perms;
+ dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_file_perms;
')
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
index 4da4442..f3aebbc 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -34,7 +34,7 @@
#
template(`gnome_per_role_template',`
gen_require(`
- type gconfd_exec_t;
+ type gconfd_exec_t, gconf_etc_t;
attribute gnomedomain;
')
diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if
index ff7c010..9390298 100644
--- a/policy/modules/apps/mplayer.if
+++ b/policy/modules/apps/mplayer.if
@@ -75,7 +75,7 @@ template(`mplayer_per_role_template',`
domtrans_pattern($2, mencoder_exec_t, $1_mencoder_t)
# Allow the user domain to signal/ps.
- ps_process_pattern($2,$1_mencoder_t,$1_mencoder_t)
+ ps_process_pattern($2,$1_mencoder_t)
allow $2 $1_mencoder_t:process signal_perms;
# Read /proc files and directories
@@ -235,9 +235,8 @@ template(`mplayer_per_role_template',`
files_tmp_filetrans($1_mencoder_t,$1_untrusted_content_tmp_t,file)
files_tmp_filetrans($1_mencoder_t,$1_untrusted_content_tmp_t,dir)
- userdom_manage_user_untrusted_content_files($1,$1_mencoder_t,file)
- userdom_manage_user_untrusted_content_files($1,$1_mencoder_t,dir)
-
+ userdom_manage_user_untrusted_content_dirs($1,$1_mencoder_t)
+ userdom_manage_user_untrusted_content_files($1,$1_mencoder_t)
',`
files_dontaudit_list_home($1_mencoder_t)
files_dontaudit_list_tmp($1_mencoder_t)
diff --git a/policy/modules/apps/rssh.if b/policy/modules/apps/rssh.if
index 32659b7..3f46fe8 100644
--- a/policy/modules/apps/rssh.if
+++ b/policy/modules/apps/rssh.if
@@ -24,6 +24,11 @@
## </param>
#
template(`rssh_per_role_template',`
+ gen_require(`
+ type rssh_exec_t;
+ attribute rssh_domain_type;
+ attribute rssh_ro_content_type;
+ ')
##############################
#
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index df40869..4895ac5 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -473,10 +473,10 @@ interface(`fs_manage_autofs_symlinks',`
#
interface(`fs_getattr_binfmt_misc_dirs',`
gen_require(`
- type binfmt_misc_t;
+ type binfmt_misc_fs_t;
')
- allow $1 binfmt_misc_t:dir getattr;
+ allow $1 binfmt_misc_fs_tt:dir getattr;
')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 186b2a6..1823f4f 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -110,7 +110,7 @@ optional_policy(`
')
optional_policy(`
- cron_admin_template(sysadm, sysadm_t, sysadm_r)
+ cron_admin_template(sysadm)
')
optional_policy(`
@@ -141,7 +141,7 @@ optional_policy(`
optional_policy(`
ethereal_run_tethereal(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
- ethereal_admin_template(sysadm, sysadm_t, sysadm_r)
+ ethereal_admin_template(sysadm)
')
optional_policy(`
@@ -184,7 +184,7 @@ optional_policy(`
optional_policy(`
lpd_run_checkpc(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
- lpr_admin_template(sysadm, sysadm_t, sysadm_r)
+ lpr_admin_template(sysadm)
')
optional_policy(`
@@ -202,7 +202,7 @@ optional_policy(`
')
optional_policy(`
- mta_admin_template(sysadm, sysadm_t, sysadm_r)
+ mta_admin_template(sysadm, sysadm_t)
')
optional_policy(`
@@ -296,7 +296,7 @@ optional_policy(`
')
optional_policy(`
- unconfined_domtrans(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ unconfined_domtrans(sysadm_t)
')
optional_policy(`
diff --git a/policy/modules/services/aide.if b/policy/modules/services/aide.if
index 9cf2c59..133ca19 100644
--- a/policy/modules/services/aide.if
+++ b/policy/modules/services/aide.if
@@ -60,16 +60,6 @@ interface(`aide_run',`
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
-## <summary>
-## The role to be allowed to manage the aide domain.
-## </summary>
-## </param>
-## <param name="terminal">
-## <summary>
-## The type of the user terminal.
-## </summary>
-## </param>
## <rolecap/>
#
interface(`aide_admin',`
@@ -84,5 +74,5 @@ interface(`aide_admin',`
manage_files_pattern($1, aide_db_t, aide_db_t)
logging_list_logs($1)
- manage_all_pattern($1, aide_log_t, aide_log_t)
+ manage_files_pattern($1, aide_log_t, aide_log_t)
')
diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if
index 8366797..ec1a204 100644
--- a/policy/modules/services/amavis.if
+++ b/policy/modules/services/amavis.if
@@ -197,21 +197,11 @@ interface(`amavis_create_pid_files',`
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
-## <summary>
-## The role to be allowed to manage the amavis domain.
-## </summary>
-## </param>
-## <param name="terminal">
-## <summary>
-## The type of the user terminal.
-## </summary>
-## </param>
## <rolecap/>
#
interface(`amavis_admin',`
gen_require(`
- type amavis_t, amavis_tmp_t, amavis_log_t;
+ type amavis_t, amavis_tmp_t, amavis_var_log_t;
type amavis_spool_t, amavis_var_lib_t, amavis_var_run_t;
type amavis_etc_t, amavis_quarantine_t;
')
@@ -228,7 +218,7 @@ interface(`amavis_admin',`
manage_files_pattern($1, amavis_etc_t, amavis_etc_t)
logging_list_logs($1)
- manage_files_pattern($1, amavis_log_t, amavis_log_t)
+ manage_files_pattern($1, amavis_var_log_t, amavis_var_log_t)
files_list_spool($1)
manage_files_pattern($1, amavis_spool_t, amavis_spool_t)
diff --git a/policy/modules/services/apcupsd.if b/policy/modules/services/apcupsd.if
index de8b91b..1a3789b 100644
--- a/policy/modules/services/apcupsd.if
+++ b/policy/modules/services/apcupsd.if
@@ -72,7 +72,7 @@ interface(`apcupsd_read_log',`
#
interface(`apcupsd_append_log',`
gen_require(`
- type var_log_t, apcupsd_log_t;
+ type apcupsd_log_t;
')
logging_search_logs($1)
diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
index 6d971f0..9ce5b29 100644
--- a/policy/modules/services/bluetooth.if
+++ b/policy/modules/services/bluetooth.if
@@ -36,6 +36,7 @@ template(`bluetooth_per_role_template',`
gen_require(`
attribute bluetooth_helper_domain;
type bluetooth_helper_exec_t;
+ type bluetooth_t;
')
type $1_bluetooth_t, bluetooth_helper_domain;
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
index 5a00230..c013fae 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -255,7 +255,7 @@ optional_policy(`
')
optional_policy(`
- inetd_core_service_domain(cupsd_t,cupsd_exec_t,cupsd_t)
+ inetd_core_service_domain(cupsd_t, cupsd_exec_t)
')
optional_policy(`
diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te
index 6e3588c..2320feb 100644
--- a/policy/modules/services/cvs.te
+++ b/policy/modules/services/cvs.te
@@ -42,7 +42,7 @@ allow cvs_t self:capability { setuid setgid };
manage_dirs_pattern(cvs_t,cvs_data_t,cvs_data_t)
manage_files_pattern(cvs_t,cvs_data_t,cvs_data_t)
-manage_lnk_files_pattern(cvs_t,cvs_data_t,cvs_data_t,cvs_data_t)
+manage_lnk_files_pattern(cvs_t,cvs_data_t,cvs_data_t)
manage_dirs_pattern(cvs_t,cvs_tmp_t,cvs_tmp_t)
manage_files_pattern(cvs_t,cvs_tmp_t,cvs_tmp_t)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 1708315..9488fb0 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -172,6 +172,7 @@ template(`mta_per_role_template',`
gen_require(`
attribute mta_user_agent;
attribute mailserver_delivery;
+ type sendmail_exec_t;
')
##############################
@@ -332,11 +333,7 @@ interface(`mta_mailserver',`
## The type to be used for the mail server.
## </summary>
## </param>
-## <param name="entry_point">
-## <summary>
-## The type to be used for the domain entry point program.
-## </summary>
-## </param>
+#
interface(`mta_sendmail_mailserver',`
gen_require(`
attribute mailserver_domain;
diff --git a/policy/modules/services/sasl.if b/policy/modules/services/sasl.if
index 01ef9cc..b157ca5 100644
--- a/policy/modules/services/sasl.if
+++ b/policy/modules/services/sasl.if
@@ -33,17 +33,17 @@ interface(`sasl_connect',`
#
interface(`sasl_admin',`
gen_require(`
- type sasl_t;
- type sasl_tmp_t;
- type sasl_var_run_t;
+ type saslauthd_t;
+ type saslauthd_tmp_t;
+ type saslauthd_var_run_t;
')
- allow $1 sasl_t:process { ptrace signal_perms getattr };
- ps_process_pattern($1, sasl_t)
+ allow $1 saslauthd_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, saslauthd_t)
files_list_tmp($1)
- manage_files_pattern($1, sasl_tmp_t, sasl_tmp_t)
+ manage_files_pattern($1, saslauthd_tmp_t, saslauthd_tmp_t)
files_list_pids($1)
- manage_files_pattern($1, sasl_var_run_t, sasl_var_run_t)
+ manage_files_pattern($1, saslauthd_var_run_t, saslauthd_var_run_t)
')
diff --git a/policy/modules/services/smartmon.if b/policy/modules/services/smartmon.if
index 56e1f72..b695c2e 100644
--- a/policy/modules/services/smartmon.if
+++ b/policy/modules/services/smartmon.if
@@ -32,15 +32,15 @@ interface(`smartmon_read_tmp_files',`
#
interface(`smartmon_admin',`
gen_require(`
- type smartmon_t, smartmon_tmp_t, smartmon_var_run_t;
+ type fsdaemon_t, fsdaemon_tmp_t, fsdaemon_var_run_t;
')
- allow $1 smartmon_t:process { ptrace signal_perms getattr };
- ps_process_pattern($1, smartmon_t)
+ allow $1 fsdaemon_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, fsdaemon_t)
files_list_tmp($1)
- manage_files_pattern($1, smartmon_tmp_t, smartmon_tmp_t)
+ manage_files_pattern($1, fsdaemon_tmp_t, fsdaemon_tmp_t)
files_list_pids($1)
- manage_files_pattern($1, smartmon_var_run_t, smartmon_var_run_t)
+ manage_files_pattern($1, fsdaemon_var_run_t, fsdaemon_var_run_t)
')
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index f4eb2c8..9279c9f 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -202,7 +202,7 @@ template(`ssh_basic_client_template',`
#
template(`ssh_per_role_template',`
gen_require(`
- type ssh_agent_exec_t, ssh_keysign_exec_t;
+ type ssh_agent_exec_t, ssh_keysign_exec_t, sshd_t, sshd_key_t;
')
##############################
diff --git a/policy/modules/services/zabbix.if b/policy/modules/services/zabbix.if
index bdd8cbc..0f87847 100644
--- a/policy/modules/services/zabbix.if
+++ b/policy/modules/services/zabbix.if
@@ -51,7 +51,7 @@ interface(`zabbix_read_log',`
#
interface(`zabbix_append_log',`
gen_require(`
- type var_log_t, zabbix_log_t;
+ type zabbix_log_t;
')
logging_search_logs($1)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 824005d..dd2c793 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1402,11 +1402,6 @@ template(`userdom_admin_user_template',`
## The role of the object to create.
## </summary>
## </param>
-## <param name="object_class">
-## <summary>
-## The terminal
-## </summary>
-## </param>
#
template(`userdom_security_admin_template',`
allow $1 self:capability { dac_read_search dac_override };
@@ -3276,6 +3271,39 @@ template(`userdom_dontaudit_list_user_untrusted_content',`
########################################
## <summary>
+## Create, read, write, and delete users untrusted directories.
+## </summary>
+## <desc>
+## <p>
+## Create, read, write, and delete users untrusted directories.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`userdom_manage_user_untrusted_content_dirs',`
+ gen_require(`
+ type $1_untrusted_content_t;
+ ')
+
+ allow $2 $1_untrusted_content_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
## Read user untrusted files.
## </summary>
## <desc>
diff --git a/policy/modules/system/xen.if b/policy/modules/system/xen.if
index 4c9ea79..a2f67b2 100644
--- a/policy/modules/system/xen.if
+++ b/policy/modules/system/xen.if
@@ -87,7 +87,7 @@ interface(`xen_read_image_files',`
#
interface(`xen_append_log',`
gen_require(`
- type var_log_t, xend_var_log_t;
+ type xend_var_log_t;
')
logging_search_logs($1)
@@ -108,7 +108,7 @@ interface(`xen_append_log',`
#
interface(`xen_manage_log',`
gen_require(`
- type var_log_t, xend_var_log_t;
+ type xend_var_log_t;
')
logging_search_logs($1)
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 58ed41d..5b5e992 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -223,7 +223,8 @@ define(`relabel_file_perms',`{ getattr relabelfrom relabelto }')
define(`getattr_lnk_file_perms',`{ getattr }')
define(`setattr_lnk_file_perms',`{ setattr }')
define(`read_lnk_file_perms',`{ getattr read }')
-define(`write_lnk_file_perms',`{ getattr write lock ioctl }')
+define(`append_lnk_file_perms',`{ getattr append lock ioctl }')
+define(`write_lnk_file_perms',`{ getattr append write lock ioctl }')
define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
define(`create_lnk_file_perms',`{ create getattr }')
define(`rename_lnk_file_perms',`{ getattr rename }')
More information about the scm-commits
mailing list