rpms/selinux-policy
5
0
Fork 0
Code Issues Pull Requests Releases Activity

make a reasonable lib_t interface

Browse Source
This commit is contained in:
Chris PeBenito 2005-05-11 15:46:51 +00:00
parent 1832271029
commit 118186e3dc
8 changed files with 15 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
refpolicy/policy/modules/kernel/bootloader.te
View File

@ -91,6 +91,7 @@ domain_use_widely_inheritable_file_descriptors(bootloader_t)
libraries_use_dynamic_loader(bootloader_t) libraries_use_dynamic_loader(bootloader_t)
libraries_read_shared_libraries(bootloader_t) libraries_read_shared_libraries(bootloader_t)
libraries_read_library_resources(bootloader_t)
files_read_general_system_config(bootloader_t) files_read_general_system_config(bootloader_t)
files_read_runtime_system_config(bootloader_t) files_read_runtime_system_config(bootloader_t)
@ -186,8 +187,6 @@ allow bootloader_t admin_tty_type:chr_file rw_file_perms;
allow bootloader_t initrc_t:fifo_file { read write }; allow bootloader_t initrc_t:fifo_file { read write };
allow bootloader_t lib_t:file { getattr read };
allow bootloader_t sysfs_t:dir getattr; allow bootloader_t sysfs_t:dir getattr;
allow bootloader_t var_t:dir search; allow bootloader_t var_t:dir search;

5
refpolicy/policy/modules/system/hotplug.te
View File

@ -82,6 +82,8 @@ logging_send_system_log_message(hotplug_t)
libraries_use_dynamic_loader(hotplug_t) libraries_use_dynamic_loader(hotplug_t)
libraries_read_shared_libraries(hotplug_t) libraries_read_shared_libraries(hotplug_t)
# Read /usr/lib/gconv/.*
libraries_read_library_resources(hotplug_t)
modutils_insmod_transition(hotplug_t) modutils_insmod_transition(hotplug_t)
modutils_read_kernel_module_dependencies(hotplug_t) modutils_read_kernel_module_dependencies(hotplug_t)
@ -155,9 +157,6 @@ allow hotplug_t kernel_t:process sigchld;
# for when filesystems are not mounted early in the boot # for when filesystems are not mounted early in the boot
dontaudit hotplug_t file_t:dir { search getattr }; dontaudit hotplug_t file_t:dir { search getattr };
# Read /usr/lib/gconv/.*
allow hotplug_t lib_t:file { getattr read };
allow hotplug_t udev_runtime_t:file rw_file_perms; allow hotplug_t udev_runtime_t:file rw_file_perms;
allow hotplug_t var_log_t:dir search; allow hotplug_t var_log_t:dir search;

8
refpolicy/policy/modules/system/init.te
View File

@ -145,8 +145,6 @@ allow init_t self:capability ~sys_module;
allow init_t initrc_var_run_t:file { getattr read write setattr }; allow init_t initrc_var_run_t:file { getattr read write setattr };
ifdef(`TODO',` ifdef(`TODO',`
# something other then static libs
allow init_t lib_t:file { getattr read };
# for mount points # for mount points
allow init_t file_t:dir search; allow init_t file_t:dir search;
@ -438,14 +436,8 @@ domain_trans(initrc_t, shell_exec_t, unconfined_t)
', ` ', `
domain_auto_trans(sysadm_t, run_init_exec_t, run_init_t) domain_auto_trans(sysadm_t, run_init_exec_t, run_init_t)
role sysadm_r types run_init_t; role sysadm_r types run_init_t;
domain_auto_trans(run_init_t, chkpwd_exec_t, sysadm_chkpwd_t) domain_auto_trans(run_init_t, chkpwd_exec_t, sysadm_chkpwd_t)
# for utmp
allow run_init_t admin_tty_type:chr_file rw_file_perms; allow run_init_t admin_tty_type:chr_file rw_file_perms;
allow run_init_t lib_t:file { getattr read };
') dnl endif targeted policy ') dnl endif targeted policy
tunable_policy(`distro_gentoo', ` tunable_policy(`distro_gentoo', `

6
refpolicy/policy/modules/system/libraries.if
View File

@ -87,15 +87,15 @@ class file execmod;
######################################## ########################################
# #
# libraries_read_static_libraries(domain) # libraries_read_library_resources(domain)
# #
define(`libraries_read_static_libraries',` define(`libraries_read_library_resources',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 lib_t:dir { getattr read search }; allow $1 lib_t:dir { getattr read search };
allow $1 lib_t:{ file lnk_file } { getattr read }; allow $1 lib_t:{ file lnk_file } { getattr read };
') ')
define(`libraries_read_static_libraries_depend',` define(`libraries_read_library_resources_depend',`
type lib_t; type lib_t;
class dir { getattr read search }; class dir { getattr read search };
class lnk_file { getattr read }; class lnk_file { getattr read };

5
refpolicy/policy/modules/system/miscfiles.if
View File

@ -27,7 +27,10 @@ define(`miscfiles_read_localization',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
# FIXME: $1 read etc_t:lnk_file here # FIXME: $1 read etc_t:lnk_file here
# FIXME: $1 search usr_t:dir here # FIXME: $1 search usr_t:dir here
# FIXME: $1 read lib_t:file(?)
# why?
libraries_read_library_resources($1)
allow $1 locale_t:dir { getattr read search }; allow $1 locale_t:dir { getattr read search };
allow $1 locale_t:lnk_file { getattr read }; allow $1 locale_t:lnk_file { getattr read };
allow $1 locale_t:file { getattr read }; allow $1 locale_t:file { getattr read };

8
refpolicy/policy/modules/system/modutils.te
View File

@ -2,6 +2,11 @@
policy_module(modutils,1.0) policy_module(modutils,1.0)
########################################
#
# Declarations
#
# module loading config # module loading config
type modules_conf_t; type modules_conf_t;
files_make_file(modules_conf_t) files_make_file(modules_conf_t)
@ -92,7 +97,6 @@ ifdef(`TODO',`
allow insmod_t initrc_t:fifo_file { getattr read write }; allow insmod_t initrc_t:fifo_file { getattr read write };
allow insmod_t lib_t:file { getattr read };
allow insmod_t { var_t var_log_t }:dir search; allow insmod_t { var_t var_log_t }:dir search;
allow insmod_t apm_bios_t:chr_file { read write }; allow insmod_t apm_bios_t:chr_file { read write };
@ -229,6 +233,4 @@ role sysadm_r types update_modules_t;
domain_auto_trans(sysadm_t, update_modules_exec_t, update_modules_t) domain_auto_trans(sysadm_t, update_modules_exec_t, update_modules_t)
allow update_modules_t admin_tty_type:chr_file rw_file_perms; allow update_modules_t admin_tty_type:chr_file rw_file_perms;
dontaudit update_modules_t sysadm_home_dir_t:dir search; dontaudit update_modules_t sysadm_home_dir_t:dir search;
allow update_modules_t lib_t:file { getattr read };
') dnl endif TODO ') dnl endif TODO

3
refpolicy/policy/modules/system/mount.te
View File

@ -67,9 +67,6 @@ ifdef(`TODO',`
# nfsv4 has a filesystem to mount for its userspace daemons # nfsv4 has a filesystem to mount for its userspace daemons
allow mount_t var_lib_nfs_t:dir mounton; allow mount_t var_lib_nfs_t:dir mounton;
# for localization
allow mount_t lib_t:file { getattr read };
# TODO: Need to examine this further. Not sure how to handle this # TODO: Need to examine this further. Not sure how to handle this
#type sysadm_mount_source_t, file_type, sysadmfile, $1_file_type; #type sysadm_mount_source_t, file_type, sysadmfile, $1_file_type;
#allow sysadm_t sysadm_mount_source_t:file create_file_perms; #allow sysadm_t sysadm_mount_source_t:file create_file_perms;

3
refpolicy/policy/modules/system/sysnetwork.te
View File

@ -165,9 +165,6 @@ allow dhcpc_t rhgb_t:fifo_file { read write };
can_ypbind(dhcpc_t) can_ypbind(dhcpc_t)
# for localization
allow dhcpc_t lib_t:file { getattr read };
ifdef(`cardmgr.te', ` ifdef(`cardmgr.te', `
domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t) domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
allow cardmgr_t dhcpc_var_run_t:file { getattr read }; allow cardmgr_t dhcpc_var_run_t:file { getattr read };