rpms/selinux-policy
6
0
Fork 0
Code Issues Pull Requests Releases Activity

add macro to expand object class sets for use in require blocks

Browse Source
This commit is contained in:
Chris PeBenito 2005-07-15 15:53:54 +00:00
parent 50f6503452
commit 157c69416f
3 changed files with 53 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
refpolicy/policy/modules/system/domain.if
View File

@ -358,6 +358,33 @@ interface(`domain_getsession_all_domains',`
allow $1 domain:process getsession; allow $1 domain:process getsession;
') ')
########################################
## <summary>
## Do not audit attempts to get the attributes
## of all domains sockets, for all socket types.
## </summary>
## <desc>
## <p>
## Do not audit attempts to get the attributes
## of all domains sockets, for all socket types.
## </p>
## <p>
## This interface was added for PCMCIA cardmgr
## and is probably excessive.
## </p>
## </desc>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`domain_dontaudit_getattr_all_sockets',`
gen_require(`
gen_require_set(getattr,socket_class_set)
')
dontaudit $1 domain:socket_class_set getattr;
')
######################################## ########################################
## <desc> ## <desc>
## Do not audit attempts to get the attributes ## Do not audit attempts to get the attributes

8
refpolicy/policy/modules/system/pcmcia.te
View File

@ -63,8 +63,11 @@ corecmd_exec_sbin(cardmgr_t)
domain_use_wide_inherit_fd(cardmgr_t) domain_use_wide_inherit_fd(cardmgr_t)
domain_exec_all_entry_files(cardmgr_t) domain_exec_all_entry_files(cardmgr_t)
# Read /proc/PID directories for all domains (for fuser).
domain_read_all_domains_state(cardmgr_t)
# cjp: these look excessive: # cjp: these look excessive:
domain_dontaudit_getattr_all_unnamed_pipes(cardmgr_t) domain_dontaudit_getattr_all_unnamed_pipes(cardmgr_t)
domain_dontaudit_getattr_all_sockets(cardmgr_t)
files_search_home(cardmgr_t) files_search_home(cardmgr_t)
files_read_etc_runtime_files(cardmgr_t) files_read_etc_runtime_files(cardmgr_t)
@ -126,12 +129,7 @@ allow cardmgr_t var_lib_t:file { getattr read };
# Create device files in /tmp. # Create device files in /tmp.
file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file }) file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file })
# Read /proc/PID directories for all domains (for fuser).
can_ps(cardmgr_t, domain)
dontaudit cardmgr_t ptyfile:chr_file getattr; dontaudit cardmgr_t ptyfile:chr_file getattr;
# cjp: these look excessive:
dontaudit cardmgr_t domain:socket_class_set getattr;
# this goes to apm # this goes to apm
optional_policy(`pcmcia.te',` optional_policy(`pcmcia.te',`

23
refpolicy/policy/support/obj_perm_sets.spt
View File

@ -200,3 +200,26 @@ define(`create_shm_perms', `{ associate getattr setattr create destroy read writ
# Use (read and write) terminals # Use (read and write) terminals
# #
define(`rw_term_perms', `{ getattr read write ioctl }') define(`rw_term_perms', `{ getattr read write ioctl }')
########################################
#
# Expand object class set macros.
#
# gen_require_set(permissions,object_class_set)
#
# the statement:
# gen_require_set({ getattr read },{ foo bar tar })
#
# makes:
# class foo { getattr read };
# class bar { getattr read };
# class tar { getattr read };
#
# !! This is only used in require blocks. !!
define(`gen_require_set',`
ifelse(regexp($2, `\w'), -1, `', `dnl
class regexp($2, `\(\w+\)', `\1') $1;
gen_require_set($1, regexp($2, `\w+\(.*\)', `\1'))dnl
') dnl
')