[selinux-policy: 3138/3172] The process and capability IPC goes on top of local policy.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:39:02 UTC 2010


commit 568349bd7026b6a98a08e94b6d6c15f8ff995e0b
Author: Dominick Grift <domg472 at gmail.com>
Date:   Fri Sep 24 09:33:35 2010 +0200

    The process and capability IPC goes on top of local policy.
    
    The process and capability IPC goes on top of local policy.
    
    The process and capability IPC goes on top of local policy.
    
    The process and capability IPC goes on top of local policy.

 policy/modules/services/rlogin.te  |    3 +--
 policy/modules/services/telnet.te  |    3 +--
 policy/modules/services/tftp.te    |    2 +-
 policy/modules/services/xserver.te |    3 +--
 4 files changed, 4 insertions(+), 7 deletions(-)
---
diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te
index 29a5d0d..2744af2 100644
--- a/policy/modules/services/rlogin.te
+++ b/policy/modules/services/rlogin.te
@@ -27,13 +27,12 @@ files_pid_file(rlogind_var_run_t)
 # Local policy
 #
 
-allow rlogind_t self:capability { fsetid chown fowner sys_tty_config dac_override };
+allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
 allow rlogind_t self:process signal_perms;
 allow rlogind_t self:fifo_file rw_fifo_file_perms;
 allow rlogind_t self:tcp_socket connected_stream_socket_perms;
 # for identd; cjp: this should probably only be inetd_child rules?
 allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow rlogind_t self:capability { setuid setgid };
 
 allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr };
 term_create_pty(rlogind_t, rlogind_devpts_t)
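Review bot: The merged `allow rlogind_t self:capability` line now shows the daemon's whole capability grant in one place, which helps auditing, but the token order (`fsetid chown fowner setuid setgid sys_tty_config dac_override`) is arbitrary, unlike the sorted `{ setgid setuid sys_chroot }` set in the tftp.te hunk of this same commit. Sorting the set makes a later addition of a privileged capability appear as a one-token diff instead of a rewritten line: `allow rlogind_t self:capability { chown dac_override fowner fsetid setgid setuid sys_tty_config };`. The same applies to the telnet.te hunk. The set of capabilities granted is unchanged by the merge, so this is a style point only.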
diff --git a/policy/modules/services/telnet.te b/policy/modules/services/telnet.te
index 26c5931..fcdde4c 100644
--- a/policy/modules/services/telnet.te
+++ b/policy/modules/services/telnet.te
@@ -23,14 +23,13 @@ files_pid_file(telnetd_var_run_t)
 # Local policy
 #
 
-allow telnetd_t self:capability { fsetid chown fowner sys_tty_config dac_override };
+allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
 allow telnetd_t self:process signal_perms;
 allow telnetd_t self:fifo_file rw_fifo_file_perms;
 allow telnetd_t self:tcp_socket connected_stream_socket_perms;
 allow telnetd_t self:udp_socket create_socket_perms;
 # for identd; cjp: this should probably only be inetd_child rules?
 allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow telnetd_t self:capability { setuid setgid };
 
 allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr };
 term_create_pty(telnetd_t, telnetd_devpts_t)
diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te
index b928f29..f4080d1 100644
--- a/policy/modules/services/tftp.te
+++ b/policy/modules/services/tftp.te
@@ -32,11 +32,11 @@ files_type(tftpdir_rw_t)
 #
 
 allow tftpd_t self:capability { setgid setuid sys_chroot };
+dontaudit tftpd_t self:capability sys_tty_config;
 allow tftpd_t self:tcp_socket create_stream_socket_perms;
 allow tftpd_t self:udp_socket create_socket_perms;
 allow tftpd_t self:unix_dgram_socket create_socket_perms;
 allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
-dontaudit tftpd_t self:capability sys_tty_config;
 
 allow tftpd_t tftpdir_t:dir list_dir_perms;
 allow tftpd_t tftpdir_t:file read_file_perms;
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index b9dac48..8650b17 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -399,8 +399,7 @@ optional_policy(`
 #
 
 allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace };
-allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate ptrace };
-allow xdm_t self:process { getattr getcap setcap };
+allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched setsched setrlimit signal_perms setkeycreate ptrace };
 allow xdm_t self:fifo_file rw_fifo_file_perms;
 allow xdm_t self:shm create_shm_perms;
 allow xdm_t self:sem create_sem_perms;

