[selinux-policy/f14/master: 3223/3230] Merge upstream
Daniel J Walsh
dwalsh at fedoraproject.org
Tue Oct 12 20:17:38 UTC 2010
commit f33c5066758c9cc36f5ca86a111f84ef6c0ac06e
Author: Dan Walsh <dwalsh at redhat.com>
Date: Thu Oct 7 14:50:04 2010 -0400
Merge upstream
policy/modules/apps/gnome.if | 1 +
policy/modules/kernel/files.if | 2 +-
policy/modules/services/ftp.if | 22 +++++++++-
policy/modules/services/ftp.te | 80 ++++++++++++++++----------------
policy/modules/services/gnomeclock.if | 4 +-
policy/modules/services/hal.if | 18 +++++++
policy/modules/system/init.if | 20 --------
7 files changed, 83 insertions(+), 64 deletions(-)
---
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
index 91737d4..8978675 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -327,6 +327,7 @@ interface(`gnome_read_gconf_config',`
allow $1 gconf_etc_t:dir list_dir_perms;
read_files_pattern($1, gconf_etc_t, gconf_etc_t)
+ files_search_etc($1)
')
#######################################
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index a738502..2bf2d69 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -5392,7 +5392,7 @@ interface(`files_getattr_generic_locks',`
#
interface(`files_delete_generic_locks',`
gen_require(`
- type var_t, var_lock_t;
+ type var_t, var_lock_t;
')
allow $1 var_t:dir search_dir_perms;
diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if
index 26cc64b..bc27421 100644
--- a/policy/modules/services/ftp.if
+++ b/policy/modules/services/ftp.if
@@ -53,6 +53,25 @@ interface(`ftp_read_config',`
########################################
## <summary>
+## Execute FTP daemon entry point programs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ftp_check_exec',`
+ gen_require(`
+ type ftpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ allow $1 ftpd_exec_t:file { getattr execute };
+')
+
+########################################
+## <summary>
## Read FTP transfer logs
## </summary>
## <param name="domain">
@@ -152,8 +171,9 @@ interface(`ftp_dyntrans_sftpd',`
interface(`ftp_admin',`
gen_require(`
type ftpd_t, ftpdctl_t, ftpd_tmp_t;
- type ftpd_etc_t, ftpd_lock_t, ftpd_initrc_exec_t;
+ type ftpd_etc_t, ftpd_lock_t;
type ftpd_var_run_t, xferlog_t;
+ type ftpd_initrc_exec_t;
')
allow $1 ftpd_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index 2284f4e..ce4f73b 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -6,82 +6,82 @@ policy_module(ftp, 1.12.0)
#
## <desc>
-## <p>
-## Allow ftp servers to upload files, used for public file
-## transfer services. Directories must be labeled
-## public_content_rw_t.
-## </p>
+## <p>
+## Allow ftp servers to upload files, used for public file
+## transfer services. Directories must be labeled
+## public_content_rw_t.
+## </p>
## </desc>
gen_tunable(allow_ftpd_anon_write, false)
## <desc>
-## <p>
-## Allow ftp servers to login to local users and
-## read/write all files on the system, governed by DAC.
-## </p>
+## <p>
+## Allow ftp servers to login to local users and
+## read/write all files on the system, governed by DAC.
+## </p>
## </desc>
gen_tunable(allow_ftpd_full_access, false)
## <desc>
-## <p>
-## Allow ftp servers to use cifs
-## used for public file transfer services.
-## </p>
+## <p>
+## Allow ftp servers to use cifs
+## used for public file transfer services.
+## </p>
## </desc>
gen_tunable(allow_ftpd_use_cifs, false)
## <desc>
-## <p>
-## Allow ftp servers to use nfs
-## used for public file transfer services.
-## </p>
+## <p>
+## Allow ftp servers to use nfs
+## used for public file transfer services.
+## </p>
## </desc>
gen_tunable(allow_ftpd_use_nfs, false)
## <desc>
-## <p>
-## Allow ftp servers to use connect to mysql database
-## </p>
+## <p>
+## Allow ftp servers to use connect to mysql database
+## </p>
## </desc>
gen_tunable(ftpd_connect_db, false)
## <desc>
-## <p>
-## Allow ftp to read and write files in the user home directories
-## </p>
+## <p>
+## Allow ftp to read and write files in the user home directories
+## </p>
## </desc>
gen_tunable(ftp_home_dir, false)
## <desc>
-## <p>
-## Allow anon internal-sftp to upload files, used for
-## public file transfer services. Directories must be labeled
-## public_content_rw_t.
-## </p>
+## <p>
+## Allow anon internal-sftp to upload files, used for
+## public file transfer services. Directories must be labeled
+## public_content_rw_t.
+## </p>
## </desc>
gen_tunable(sftpd_anon_write, false)
## <desc>
-## <p>
-## Allow sftp-internal to read and write files
-## in the user home directories
-## </p>
+## <p>
+## Allow sftp-internal to read and write files
+## in the user home directories
+## </p>
## </desc>
gen_tunable(sftpd_enable_homedirs, false)
## <desc>
-## <p>
-## Allow sftp-internal to login to local users and
-## read/write all files on the system, governed by DAC.
-## </p>
+## <p>
+## Allow sftp-internal to login to local users and
+## read/write all files on the system, governed by DAC.
+## </p>
## </desc>
gen_tunable(sftpd_full_access, false)
## <desc>
-## <p>
-## Allow interlnal-sftp to read and write files
-## in the user ssh home directories.
-## </p>
+## <p>
+## Allow interlnal-sftp to read and write files
+## in the user ssh home directories.
+## </p>
## </desc>
gen_tunable(sftpd_write_ssh_home, false)
diff --git a/policy/modules/services/gnomeclock.if b/policy/modules/services/gnomeclock.if
index b1f8f93..25c7ab8 100644
--- a/policy/modules/services/gnomeclock.if
+++ b/policy/modules/services/gnomeclock.if
@@ -5,9 +5,9 @@
## Execute a domain transition to run gnomeclock.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`gnomeclock_domtrans',`
diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if
index 26de57a..ce32fe5 100644
--- a/policy/modules/services/hal.if
+++ b/policy/modules/services/hal.if
@@ -20,6 +20,24 @@ interface(`hal_domtrans',`
########################################
## <summary>
+## Get the attributes of a hal process.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_getattr',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ allow $1 hald_t:process getattr;
+')
+
+########################################
+## <summary>
## Read hal system state
## </summary>
## <param name="domain">
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 57ad3d0..5865dba 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1914,26 +1914,6 @@ interface(`init_dontaudit_script_leaks',`
init_dontaudit_use_script_fds($1)
')
-
-########################################
-## <summary>
-## Allow the specified domain to connect to
-## the init process with a unix socket.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`init_stream_connect',`
- gen_require(`
- type init_t;
- ')
-
- allow $1 init_t:unix_stream_socket connectto;
-')
-
########################################
## <summary>
## Allow the specified domain to read/write to
More information about the scm-commits
mailing list