[selinux-policy: 2218/3172] fix ordering in sysnetwork.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:16:55 UTC 2010


commit d69616c625a0f241b29a75cf535b6fd6c329dd4d
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Aug 5 10:23:50 2009 -0400

    fix ordering in sysnetwork.

 policy/modules/system/sysnetwork.te |   34 ++++++++++++++++------------------
 1 files changed, 16 insertions(+), 18 deletions(-)
---
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 86a860f..64dfcbf 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -83,6 +83,9 @@ kernel_read_network_state(dhcpc_t)
 kernel_read_kernel_sysctls(dhcpc_t)
 kernel_use_fds(dhcpc_t)
 
+corecmd_exec_bin(dhcpc_t)
+corecmd_exec_shell(dhcpc_t)
+
 corenet_all_recvfrom_unlabeled(dhcpc_t)
 corenet_all_recvfrom_netlabel(dhcpc_t)
 corenet_tcp_sendrecv_all_if(dhcpc_t)
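Review bot: `corecmd_exec_bin(dhcpc_t)` and `corecmd_exec_shell(dhcpc_t)` are moved here without any rationale, although they let the DHCP client run generic binaries and a shell without leaving dhcpc_t. Anything spawned that way keeps the domain's full network and file access. Other rules in this file explain themselves (`# for SSP:` on `dev_read_urand`), and a similar line would help here, e.g. `# client hook script and its helpers run in-domain (confirm which script needs this)`. Whether a domain transition for the script would be feasible cannot be judged from this hunk; the dhcpc_t block starts and ends outside it.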
@@ -104,17 +107,6 @@ dev_read_sysfs(dhcpc_t)
 # for SSP:
 dev_read_urand(dhcpc_t)
 
-fs_getattr_all_fs(dhcpc_t)
-fs_search_auto_mountpoints(dhcpc_t)
-
-term_dontaudit_use_all_user_ttys(dhcpc_t)
-term_dontaudit_use_all_user_ptys(dhcpc_t)
-term_dontaudit_use_unallocated_ttys(dhcpc_t)
-term_dontaudit_use_generic_ptys(dhcpc_t)
-
-corecmd_exec_bin(dhcpc_t)
-corecmd_exec_shell(dhcpc_t)
-
 domain_use_interactive_fds(dhcpc_t)
 domain_dontaudit_list_all_domains_state(dhcpc_t)
 
@@ -124,6 +116,14 @@ files_search_home(dhcpc_t)
 files_search_var_lib(dhcpc_t)
 files_dontaudit_search_locks(dhcpc_t)
 
+fs_getattr_all_fs(dhcpc_t)
+fs_search_auto_mountpoints(dhcpc_t)
+
+term_dontaudit_use_all_user_ttys(dhcpc_t)
+term_dontaudit_use_all_user_ptys(dhcpc_t)
+term_dontaudit_use_unallocated_ttys(dhcpc_t)
+term_dontaudit_use_generic_ptys(dhcpc_t)
+
 init_rw_utmp(dhcpc_t)
 
 logging_send_syslog_msg(dhcpc_t)
@@ -234,10 +234,9 @@ optional_policy(`
 # Ifconfig local policy
 #
 
-allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow ifconfig_t self:capability { net_raw net_admin sys_tty_config };
 dontaudit ifconfig_t self:capability sys_module;
-
+allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow ifconfig_t self:fd use;
 allow ifconfig_t self:fifo_file rw_fifo_file_perms;
 allow ifconfig_t self:sock_file read_sock_file_perms;
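Review bot: The relocated `allow ifconfig_t self:process ~{ ... }` rule is a complement set, so it grants every process permission except the eight listed, including any permission added to the class later. As far as I can tell, that leaves permissions such as `setkeycreate`, `setsockcreate` and `setcap` allowed on self, which ifconfig presumably does not need. Since the line is being touched anyway, an explicit allow list would be easier to audit. Failing that, a comment such as `# complement set: grants all process perms not listed; re-review when the class changes` would record the intent.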
@@ -250,16 +249,13 @@ allow ifconfig_t self:shm create_shm_perms;
 allow ifconfig_t self:sem create_sem_perms;
 allow ifconfig_t self:msgq create_msgq_perms;
 allow ifconfig_t self:msg { send receive };
-
 # Create UDP sockets, necessary when called from dhcpc
 allow ifconfig_t self:udp_socket create_socket_perms;
-
 # for /sbin/ip
 allow ifconfig_t self:packet_socket create_socket_perms;
 allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
 allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
 allow ifconfig_t self:tcp_socket { create ioctl };
-files_read_etc_files(ifconfig_t)
 
 kernel_use_fds(ifconfig_t)
 kernel_read_system_state(ifconfig_t)
@@ -273,14 +269,16 @@ dev_read_sysfs(ifconfig_t)
 # for IPSEC setup:
 dev_read_urand(ifconfig_t)
 
+domain_use_interactive_fds(ifconfig_t)
+
+files_read_etc_files(ifconfig_t)
+
 fs_getattr_xattr_fs(ifconfig_t)
 fs_search_auto_mountpoints(ifconfig_t)
 
 term_dontaudit_use_all_user_ttys(ifconfig_t)
 term_dontaudit_use_all_user_ptys(ifconfig_t)
 
-domain_use_interactive_fds(ifconfig_t)
-
 files_dontaudit_read_root_files(ifconfig_t)
 
 init_use_fds(ifconfig_t)
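Review bot: `files_dontaudit_read_root_files(ifconfig_t)` is left behind after the `term_` group while `files_read_etc_files(ifconfig_t)` now sits before `fs_`, so the `files_` interfaces for ifconfig_t end up split across two places. The dhcpc_t hunks in this commit use the order domain, files, fs, term, so moving that line up next to `files_read_etc_files(ifconfig_t)` would finish the reordering. Keeping each layer's calls in one group also lets a reviewer see everything the domain may do with files in one place. The ifconfig_t block continues past the end of the hunk.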

