rpms/selinux-policy
6
0
Fork 0
Code Issues Pull Requests Releases Activity

* fixes uncovered by sediff

Browse Source 
* fix disable_trans support so the daemon can be both
init and inet services, and not get dup bool decl
This commit is contained in:
Chris PeBenito 2005-10-31 20:32:53 +00:00
parent bea7b4548e
commit 0500e01f2d
11 changed files with 38 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
refpolicy/policy/modules/services/apache.if
View File

@ -81,7 +81,7 @@ template(`apache_content_template',`
allow httpd_$1_script_t httpd_$1_script_rw_t:lnk_file create_lnk_perms; allow httpd_$1_script_t httpd_$1_script_rw_t:lnk_file create_lnk_perms;
allow httpd_$1_script_t httpd_$1_script_rw_t:sock_file create_file_perms; allow httpd_$1_script_t httpd_$1_script_rw_t:sock_file create_file_perms;
allow httpd_$1_script_t httpd_$1_script_rw_t:fifo_file create_file_perms; allow httpd_$1_script_t httpd_$1_script_rw_t:fifo_file create_file_perms;
files_create_tmp_files(httpd_$1_script_t,httpd_$1_script_rw_t,{ file lnk_file sock_file fifo_file }) files_create_tmp_files(httpd_$1_script_t,httpd_$1_script_rw_t,{ dir file lnk_file sock_file fifo_file })
kernel_dontaudit_search_sysctl(httpd_$1_script_t) kernel_dontaudit_search_sysctl(httpd_$1_script_t)
kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t) kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)

2
refpolicy/policy/modules/services/apache.te
View File

@ -130,6 +130,7 @@ allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_co
dontaudit httpd_t self:capability { net_admin sys_tty_config }; dontaudit httpd_t self:capability { net_admin sys_tty_config };
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use; allow httpd_t self:fd use;
allow httpd_t self:sock_file r_file_perms;
allow httpd_t self:fifo_file rw_file_perms; allow httpd_t self:fifo_file rw_file_perms;
allow httpd_t self:shm create_shm_perms; allow httpd_t self:shm create_shm_perms;
allow httpd_t self:sem create_sem_perms; allow httpd_t self:sem create_sem_perms;
@ -384,6 +385,7 @@ optional_policy(`mailman.te',`
mailman_signal_cgi(httpd_t) mailman_signal_cgi(httpd_t)
mailman_domtrans_cgi(httpd_t) mailman_domtrans_cgi(httpd_t)
# should have separate types for public and private archives # should have separate types for public and private archives
mailman_search_data(httpd_t)
mailman_read_archive(httpd_t) mailman_read_archive(httpd_t)
') ')

2
refpolicy/policy/modules/services/finger.te
View File

@ -7,7 +7,7 @@ policy_module(finger,1.0)
# #
type fingerd_t; type fingerd_t;
type fingerd_exec_t; type fingerd_exec_t;
init_system_domain(fingerd_t,fingerd_exec_t) init_daemon_domain(fingerd_t,fingerd_exec_t)
inetd_tcp_service_domain(fingerd_t,fingerd_exec_t) inetd_tcp_service_domain(fingerd_t,fingerd_exec_t)
type fingerd_etc_t; type fingerd_etc_t;

5
refpolicy/policy/modules/services/inetd.if
View File

@ -36,7 +36,10 @@ interface(`inetd_core_service_domain',`
# this regex is a hack, since it assumes there is a # this regex is a hack, since it assumes there is a
# _t at the end of the domain type. If there is no _t # _t at the end of the domain type. If there is no _t
# at the end of the type, it returns empty! # at the end of the type, it returns empty!
bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false; ifdef(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'),`',`
bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
define(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'))
')
if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) { if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
# can_exec(inetd_t,$2) # can_exec(inetd_t,$2)
# cjp: this must be wrong # cjp: this must be wrong

1
refpolicy/policy/modules/services/inetd.te
View File

@ -183,6 +183,7 @@ allow inetd_child_t inetd_child_tmp_t:file create_file_perms;
files_create_tmp_files(inetd_child_t, inetd_child_tmp_t, { file dir }) files_create_tmp_files(inetd_child_t, inetd_child_tmp_t, { file dir })
allow inetd_child_t inetd_child_var_run_t:file create_file_perms; allow inetd_child_t inetd_child_var_run_t:file create_file_perms;
allow inetd_child_t inetd_child_var_run_t:dir rw_dir_perms;
files_create_pid(inetd_child_t,inetd_child_var_run_t) files_create_pid(inetd_child_t,inetd_child_var_run_t)
kernel_read_kernel_sysctl(inetd_child_t) kernel_read_kernel_sysctl(inetd_child_t)

2
refpolicy/policy/modules/services/mailman.if
View File

@ -182,7 +182,7 @@ interface(`mailman_search_data',`
type mailman_data_t; type mailman_data_t;
') ')
allow $1 mailman_data_t:dir search; allow $1 mailman_data_t:dir search_dir_perms;
') ')
####################################### #######################################

2
refpolicy/policy/modules/services/tftp.te
View File

@ -8,7 +8,7 @@ policy_module(tftp,1.0)
type tftpd_t; type tftpd_t;
type tftpd_exec_t; type tftpd_exec_t;
init_system_domain(tftpd_t,tftpd_exec_t) init_daemon_domain(tftpd_t,tftpd_exec_t)
inetd_udp_service_domain(tftpd_t,tftpd_exec_t) inetd_udp_service_domain(tftpd_t,tftpd_exec_t)
type tftpd_var_run_t; type tftpd_var_run_t;

2
refpolicy/policy/modules/system/domain.if
View File

@ -989,7 +989,7 @@ interface(`domain_unconfined',`
# domain_trans(source_domain,entrypoint_file,target_domain) # domain_trans(source_domain,entrypoint_file,target_domain)
# #
template(`domain_trans',` template(`domain_trans',`
allow $1 $2:file rx_file_perms; allow $1 $2:file { getattr read execute };
allow $1 $3:process transition; allow $1 $3:process transition;
dontaudit $1 $3:process { noatsecure siginh rlimitinh }; dontaudit $1 $3:process { noatsecure siginh rlimitinh };
') ')

1
refpolicy/policy/modules/system/hotplug.te
View File

@ -187,6 +187,7 @@ optional_policy(`sysnetwork.te',`
optional_policy(`udev.te', ` optional_policy(`udev.te', `
udev_domtrans(hotplug_t) udev_domtrans(hotplug_t)
udev_helper_domtrans(hotplug_t)
udev_read_db(hotplug_t) udev_read_db(hotplug_t)
') ')

5
refpolicy/policy/modules/system/init.if
View File

@ -88,7 +88,10 @@ interface(`init_daemon_domain',`
# this regex is a hack, since it assumes there is a # this regex is a hack, since it assumes there is a
# _t at the end of the domain type. If there is no _t # _t at the end of the domain type. If there is no _t
# at the end of the type, it returns empty! # at the end of the type, it returns empty!
bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false; ifdef(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'),`',`
bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
define(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'))
')
if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) { if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
can_exec(initrc_t,$2) can_exec(initrc_t,$2)
can_exec(direct_run_init,$2) can_exec(direct_run_init,$2)

29
refpolicy/policy/modules/system/udev.if
View File

@ -11,9 +11,6 @@
interface(`udev_domtrans',` interface(`udev_domtrans',`
gen_require(` gen_require(`
type udev_t, udev_exec_t; type udev_t, udev_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
') ')
domain_auto_trans($1, udev_exec_t, udev_t) domain_auto_trans($1, udev_exec_t, udev_t)
@ -24,6 +21,27 @@ interface(`udev_domtrans',`
allow udev_t $1:process sigchld; allow udev_t $1:process sigchld;
') ')
########################################
## <summary>
## Execute a udev helper in the udev domain.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`udev_helper_domtrans',`
gen_require(`
type udev_t, udev_helper_exec_t;
')
domain_auto_trans($1, udev_helper_exec_t, udev_t)
allow $1 udev_t:fd use;
allow udev_t $1:fd use;
allow udev_t $1:fifo_file rw_file_perms;
allow udev_t $1:process sigchld;
')
######################################## ########################################
## <summary> ## <summary>
## Allow process to read udev process state. ## Allow process to read udev process state.
@ -54,7 +72,6 @@ interface(`udev_read_state',`
interface(`udev_dontaudit_use_fd',` interface(`udev_dontaudit_use_fd',`
gen_require(` gen_require(`
type udev_t; type udev_t;
class fd use;
') ')
dontaudit $1 udev_t:fd use; dontaudit $1 udev_t:fd use;
@ -72,7 +89,6 @@ interface(`udev_dontaudit_use_fd',`
interface(`udev_dontaudit_rw_unix_dgram_socket',` interface(`udev_dontaudit_rw_unix_dgram_socket',`
gen_require(` gen_require(`
type udev_t; type udev_t;
class unix_dgram_socket { read write };
') ')
dontaudit $1 udev_t:unix_dgram_socket { read write }; dontaudit $1 udev_t:unix_dgram_socket { read write };
@ -89,7 +105,6 @@ interface(`udev_dontaudit_rw_unix_dgram_socket',`
interface(`udev_read_db',` interface(`udev_read_db',`
gen_require(` gen_require(`
type udev_tdb_t; type udev_tdb_t;
class file r_file_perms;
') ')
dev_list_all_dev_nodes($1) dev_list_all_dev_nodes($1)
@ -107,10 +122,8 @@ interface(`udev_read_db',`
interface(`udev_rw_db',` interface(`udev_rw_db',`
gen_require(` gen_require(`
type udev_tdb_t; type udev_tdb_t;
class file rw_file_perms;
') ')
dev_list_all_dev_nodes($1) dev_list_all_dev_nodes($1)
allow $1 udev_tdb_t:file rw_file_perms; allow $1 udev_tdb_t:file rw_file_perms;
') ')