[selinux-policy: 2578/3172] bind patch from Dan Walsh some fixes in interfaces, added bind_setattr_zone_dirs interface sysnet_re

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:49:09 UTC 2010 

commit c37d843fa1efd51662d2a95ecda53839edf51f48
Author: Jeremy Solt <jsolt at tresys.com>
Date:   Mon Mar 22 15:14:47 2010 -0400

    bind patch from Dan Walsh
    some fixes in interfaces, added bind_setattr_zone_dirs interface
    sysnet_read_config not needed with auth_use_nsswitch
    
    Did not include init_read_script_tmp_files for named_t

 policy/modules/services/bind.if |   23 +++++++++++++++++++++--
 policy/modules/services/bind.te |    2 --
 2 files changed, 21 insertions(+), 4 deletions(-)
---
diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
index 31032a6..ccbc537 100644
--- a/policy/modules/services/bind.if
+++ b/policy/modules/services/bind.if
@@ -253,7 +253,7 @@ interface(`bind_manage_cache',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to set the attributes
+##	Allow domain to  set the attributes
 ##	of the BIND pid directory.
 ## </summary>
 ## <param name="domain">
@@ -272,6 +272,25 @@ interface(`bind_setattr_pid_dirs',`
 
 ########################################
 ## <summary>
+##	Allow domain to set attributes
+##	of the BIND zone directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_setattr_zone_dirs',`
+	gen_require(`
+		type named_zone_t;
+	')
+
+	allow $1 named_zone_t:dir setattr;
+')
+
+########################################
+## <summary>
 ##	Read BIND zone files.
 ## </summary>
 ## <param name="domain">
@@ -356,7 +375,7 @@ interface(`bind_admin',`
 
 	bind_run_ndc($1, $2)
 
-	init_labeled_script_domtrans($1, bind_initrc_exec_t)
+	init_labeled_script_domtrans($1, named_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 named_initrc_exec_t system_r;
 	allow $2 system_r;
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 362ab64..3e8554b 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -145,8 +145,6 @@ logging_send_syslog_msg(named_t)
 miscfiles_read_localization(named_t)
 miscfiles_read_certs(named_t)
 
-sysnet_read_config(named_t)
-
 userdom_dontaudit_use_unpriv_user_fds(named_t)
 userdom_dontaudit_search_user_home_dirs(named_t)

More information about the scm-commits mailing list