[selinux-policy: 2578/3172] bind patch from Dan Walsh some fixes in interfaces, added bind_setattr_zone_dirs interface sysnet_re
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:49:09 UTC 2010
commit c37d843fa1efd51662d2a95ecda53839edf51f48
Author: Jeremy Solt <jsolt at tresys.com>
Date: Mon Mar 22 15:14:47 2010 -0400
bind patch from Dan Walsh
some fixes in interfaces, added bind_setattr_zone_dirs interface
sysnet_read_config not needed with auth_use_nsswitch
Did not include init_read_script_tmp_files for named_t
policy/modules/services/bind.if | 23 +++++++++++++++++++++--
policy/modules/services/bind.te | 2 --
2 files changed, 21 insertions(+), 4 deletions(-)
---
diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
index 31032a6..ccbc537 100644
--- a/policy/modules/services/bind.if
+++ b/policy/modules/services/bind.if
@@ -253,7 +253,7 @@ interface(`bind_manage_cache',`
########################################
## <summary>
-## Do not audit attempts to set the attributes
+## Allow domain to set the attributes
## of the BIND pid directory.
## </summary>
## <param name="domain">
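Review bot: the summary now says "Allow domain to set the attributes", which is what the interface name `bind_setattr_pid_dirs` implies, but this hunk touches only the doc comment; confirm the interface body is an `allow $1 ... :dir setattr;` rule and not a `dontaudit` rule, since the old wording ("Do not audit attempts to set the attributes") suggests the comment and the body disagreed at some point, and a comment-only change would leave a real mismatch in place if the body is the dontaudit one.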
@@ -272,6 +272,25 @@ interface(`bind_setattr_pid_dirs',`
########################################
## <summary>
+## Allow domain to set attributes
+## of the BIND zone directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_setattr_zone_dirs',`
+ gen_require(`
+ type named_zone_t;
+ ')
+
+ allow $1 named_zone_t:dir setattr;
+')
+
+########################################
+## <summary>
## Read BIND zone files.
## </summary>
## <param name="domain">
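Review bot: nothing in this patch calls the new `bind_setattr_zone_dirs` interface (the only bind.te change below removes lines), so it lands unused; either add the caller that motivated it or say in the commit message which module will use it. Also note what the rule grants: `allow $1 named_zone_t:dir setattr;` lets the caller change the mode, ownership and timestamps of zone directories (it does not grant relabeling, which would need relabelfrom/relabelto), so callers should be restricted to domains that genuinely need to adjust those attributes; and because the interface grants only `setattr`, a caller must already be able to search its way to the directory through some other interface, or the new allow has no effect in practice.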
@@ -356,7 +375,7 @@ interface(`bind_admin',`
bind_run_ndc($1, $2)
- init_labeled_script_domtrans($1, bind_initrc_exec_t)
+ init_labeled_script_domtrans($1, named_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 named_initrc_exec_t system_r;
allow $2 system_r;
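Review bot: changing `bind_initrc_exec_t` to `named_initrc_exec_t` is right and matches the `role_transition $2 named_initrc_exec_t system_r;` line two lines below, which already uses the `named_` prefix; the `bind_` spelling appears nowhere else in the visible policy. Check that the `gen_require` block of `bind_admin`, which is outside this hunk, declares `named_initrc_exec_t` and no longer mentions `bind_initrc_exec_t`, otherwise the interface still fails to build when a module calls it.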
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 362ab64..3e8554b 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -145,8 +145,6 @@ logging_send_syslog_msg(named_t)
miscfiles_read_localization(named_t)
miscfiles_read_certs(named_t)
-sysnet_read_config(named_t)
-
userdom_dontaudit_use_unpriv_user_fds(named_t)
userdom_dontaudit_search_user_home_dirs(named_t)
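Review bot: dropping `sysnet_read_config(named_t)` is only safe if `auth_use_nsswitch(named_t)` is actually present in bind.te, and this hunk does not show it; the commit message asserts it, but the visible context lines are only `miscfiles_*` and `userdom_*` calls. Confirm the call exists before merging, because named needs to read `/etc/resolv.conf` and the other network configuration files labeled `net_conf_t`, and without either interface the removal would silently take that access away and surface as AVC denials when the nameserver starts.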