[selinux-policy/f14/master: 3223/3230] Merge upstream

Daniel J Walsh dwalsh at fedoraproject.org
Tue Oct 12 20:17:38 UTC 2010 

commit f33c5066758c9cc36f5ca86a111f84ef6c0ac06e
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Thu Oct 7 14:50:04 2010 -0400

    Merge upstream

 policy/modules/apps/gnome.if          |    1 +
 policy/modules/kernel/files.if        |    2 +-
 policy/modules/services/ftp.if        |   22 +++++++++-
 policy/modules/services/ftp.te        |   80 ++++++++++++++++----------------
 policy/modules/services/gnomeclock.if |    4 +-
 policy/modules/services/hal.if        |   18 +++++++
 policy/modules/system/init.if         |   20 --------
 7 files changed, 83 insertions(+), 64 deletions(-)
---
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
index 91737d4..8978675 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -327,6 +327,7 @@ interface(`gnome_read_gconf_config',`
 
 	allow $1 gconf_etc_t:dir list_dir_perms;
 	read_files_pattern($1, gconf_etc_t, gconf_etc_t)
+	files_search_etc($1)
 ')
 
 #######################################
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index a738502..2bf2d69 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -5392,7 +5392,7 @@ interface(`files_getattr_generic_locks',`
 #
 interface(`files_delete_generic_locks',`
        gen_require(`
-               type var_t, var_lock_t;
+		type var_t, var_lock_t;
        ')
 
        allow $1 var_t:dir search_dir_perms;
diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if
index 26cc64b..bc27421 100644
--- a/policy/modules/services/ftp.if
+++ b/policy/modules/services/ftp.if
@@ -53,6 +53,25 @@ interface(`ftp_read_config',`
 
 ########################################
 ## <summary>
+##	Execute FTP daemon entry point programs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ftp_check_exec',`
+	gen_require(`
+		type ftpd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	allow $1 ftpd_exec_t:file { getattr execute };
+')
+
+########################################
+## <summary>
 ##	Read FTP transfer logs
 ## </summary>
 ## <param name="domain">
@@ -152,8 +171,9 @@ interface(`ftp_dyntrans_sftpd',`
 interface(`ftp_admin',`
 	gen_require(`
 		type ftpd_t, ftpdctl_t, ftpd_tmp_t;
-		type ftpd_etc_t, ftpd_lock_t, ftpd_initrc_exec_t;
+		type ftpd_etc_t, ftpd_lock_t;
 		type ftpd_var_run_t, xferlog_t;
+		type ftpd_initrc_exec_t;
 	')
 
 	allow $1 ftpd_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index 2284f4e..ce4f73b 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -6,82 +6,82 @@ policy_module(ftp, 1.12.0)
 #
 
 ## <desc>
-##	<p>
-##	Allow ftp servers to upload files,  used for public file
-##	transfer services. Directories must be labeled
-##	public_content_rw_t.
-##	</p>
+## <p>
+## Allow ftp servers to upload files,  used for public file
+## transfer services. Directories must be labeled
+## public_content_rw_t.
+## </p>
 ## </desc>
 gen_tunable(allow_ftpd_anon_write, false)
 
 ## <desc>
-##	<p>
-##	Allow ftp servers to login to local users and
-##	read/write all files on the system, governed by DAC.
-##	</p>
+## <p>
+## Allow ftp servers to login to local users and
+## read/write all files on the system, governed by DAC.
+## </p>
 ## </desc>
 gen_tunable(allow_ftpd_full_access, false)
 
 ## <desc>
-##	<p>
-##	Allow ftp servers to use cifs
-##	used for public file transfer services.
-##	</p>
+## <p>
+## Allow ftp servers to use cifs
+## used for public file transfer services.
+## </p>
 ## </desc>
 gen_tunable(allow_ftpd_use_cifs, false)
 
 ## <desc>
-##	<p>
-##	Allow ftp servers to use nfs
-##	used for public file transfer services.
-##	</p>
+## <p>
+## Allow ftp servers to use nfs
+## used for public file transfer services.
+## </p>
 ## </desc>
 gen_tunable(allow_ftpd_use_nfs, false)
 
 ## <desc>
-##	<p>
-##	Allow ftp servers to use connect to mysql database
-##	</p>
+## <p>
+## Allow ftp servers to use connect to mysql database
+## </p>
 ## </desc>
 gen_tunable(ftpd_connect_db, false)
 
 ## <desc>
-##	<p>
-##	Allow ftp to read and write files in the user home directories
-##	</p>
+## <p>
+## Allow ftp to read and write files in the user home directories
+## </p>
 ## </desc>
 gen_tunable(ftp_home_dir, false)
 
 ## <desc>
-##	<p>
-##	Allow anon internal-sftp to upload files, used for
-##	public file transfer services. Directories must be labeled
-##	public_content_rw_t.
-##	</p>
+## <p>
+## Allow anon internal-sftp to upload files, used for
+## public file transfer services. Directories must be labeled
+## public_content_rw_t.
+## </p>
 ## </desc>
 gen_tunable(sftpd_anon_write, false)
 
 ## <desc>
-##	<p>
-##	Allow sftp-internal to read and write files
-##	in the user home directories
-##	</p>
+## <p>
+## Allow sftp-internal to read and write files
+## in the user home directories
+## </p>
 ## </desc>
 gen_tunable(sftpd_enable_homedirs, false)
 
 ## <desc>
-##	<p>
-##	Allow sftp-internal to login to local users and
-##	read/write all files on the system, governed by DAC.
-##	</p>
+## <p>
+## Allow sftp-internal to login to local users and
+## read/write all files on the system, governed by DAC.
+## </p>
 ## </desc>
 gen_tunable(sftpd_full_access, false)
 
 ## <desc>
-##	<p>
-##	Allow interlnal-sftp to read and write files 
-##	in the user ssh home directories.
-##	</p>
+## <p>
+## Allow interlnal-sftp to read and write files 
+## in the user ssh home directories.
+## </p>
 ## </desc>
 gen_tunable(sftpd_write_ssh_home, false)
 
diff --git a/policy/modules/services/gnomeclock.if b/policy/modules/services/gnomeclock.if
index b1f8f93..25c7ab8 100644
--- a/policy/modules/services/gnomeclock.if
+++ b/policy/modules/services/gnomeclock.if
@@ -5,9 +5,9 @@
 ##	Execute a domain transition to run gnomeclock.
 ## </summary>
 ## <param name="domain">
-##	<summary>
+## <summary>
 ##	Domain allowed to transition.
-##	</summary>
+## </summary>
 ## </param>
 #
 interface(`gnomeclock_domtrans',`
diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if
index 26de57a..ce32fe5 100644
--- a/policy/modules/services/hal.if
+++ b/policy/modules/services/hal.if
@@ -20,6 +20,24 @@ interface(`hal_domtrans',`
 
 ########################################
 ## <summary>
+##	Get the attributes of a hal process.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hal_getattr',`
+	gen_require(`
+		type hald_t;
+	')
+
+	allow $1 hald_t:process getattr;
+')
+
+########################################
+## <summary>
 ##	Read hal system state
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 57ad3d0..5865dba 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1914,26 +1914,6 @@ interface(`init_dontaudit_script_leaks',`
 	init_dontaudit_use_script_fds($1)
 ')
 
-
-########################################
-## <summary>
-##	Allow the specified domain to connect to
-##	the init process with a unix socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_stream_connect',`
-	gen_require(`
-		type init_t;
-	')
-
-	allow $1 init_t:unix_stream_socket connectto;
-')
-
 ########################################
 ## <summary>
 ##	Allow the specified domain to read/write to

More information about the scm-commits mailing list