more sediff fixes

This commit is contained in:
Chris PeBenito 2005-10-21 22:56:41 +00:00
parent e6a2eaffdf
commit 1f8a8bbbbd
7 changed files with 27 additions and 7 deletions

View File

@ -29,7 +29,7 @@ type kernel_t, can_load_kernmodule;
domain_base_type(kernel_t) domain_base_type(kernel_t)
mls_rangetrans_source(kernel_t) mls_rangetrans_source(kernel_t)
role system_r types kernel_t; role system_r types kernel_t;
sid kernel gen_context(system_u:system_r:kernel_t,s0 - s9:c0.c127, c0.c127) sid kernel gen_context(system_u:system_r:kernel_t,s0 - s9:c0.c127)
# #
# DebugFS # DebugFS

View File

@ -17,6 +17,7 @@ interface(`term_pty',`
type devpts_t; type devpts_t;
') ')
files_type($1)
allow $1 devpts_t:filesystem associate; allow $1 devpts_t:filesystem associate;
typeattribute $1 ptynode; typeattribute $1 ptynode;
') ')
@ -514,10 +515,9 @@ interface(`term_use_all_user_ptys',`
interface(`term_dontaudit_use_all_user_ptys',` interface(`term_dontaudit_use_all_user_ptys',`
gen_require(` gen_require(`
attribute ptynode; attribute ptynode;
class chr_file { read write };
') ')
dontaudit $1 ptynode:chr_file { read write }; dontaudit $1 ptynode:chr_file { rw_term_perms lock append };
') ')
######################################## ########################################

View File

@ -24,7 +24,7 @@ files_pid_file(dhcpd_var_run_t)
# Local policy # Local policy
# #
dontaudit dhcpd_t self:capability { net_admin sys_tty_config }; dontaudit dhcpd_t self:capability { net_raw net_admin sys_tty_config };
allow dhcpd_t self:process signal_perms; allow dhcpd_t self:process signal_perms;
allow dhcpd_t self:fifo_file { read write getattr }; allow dhcpd_t self:fifo_file { read write getattr };
allow dhcpd_t self:unix_dgram_socket create_socket_perms; allow dhcpd_t self:unix_dgram_socket create_socket_perms;

View File

@ -30,7 +30,7 @@ files_type(news_spool_t)
# #
allow innd_t self:capability { dac_override kill setgid setuid }; allow innd_t self:capability { dac_override kill setgid setuid };
dontaudit innd_t self:capability sys_tty_config; dontaudit innd_t self:capability sys_tty_config;
allow innd_t self:process setsched; allow innd_t self:process { setsched signal_perms };
allow innd_t self:fifo_file rw_file_perms; allow innd_t self:fifo_file rw_file_perms;
allow innd_t self:tcp_socket create_stream_socket_perms; allow innd_t self:tcp_socket create_stream_socket_perms;
allow innd_t self:udp_socket create_socket_perms; allow innd_t self:udp_socket create_socket_perms;

View File

@ -325,6 +325,25 @@ interface(`files_getattr_all_files',`
allow $1 file_type:file getattr; allow $1 file_type:file getattr;
') ')
########################################
## <summary>
## Get the attributes of all sockets
## with the type of a file.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
# cjp: added for initrc_t/distro_redhat. I
# do not think it has any effect.
interface(`files_getattr_all_file_type_sockets',`
gen_require(`
attribute file_type;
')
allow $1 file_type:socket_class_set getattr;
')
######################################## ########################################
## <summary> ## <summary>
## Do not audit attempts to get the attributes ## Do not audit attempts to get the attributes

View File

@ -92,10 +92,10 @@ interface(`init_daemon_domain',`
if(! regexp($1, `\(\w+\)_t', `\1_disable_trans') ) { if(! regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
domain_auto_trans(initrc_t,$2,$1) domain_auto_trans(initrc_t,$2,$1)
allow initrc_t $1:fd use; allow initrc_t $1:fd use;
allow initrc_t $1:process { noatsecure siginh rlimitinh };
allow $1 initrc_t:fd use; allow $1 initrc_t:fd use;
allow $1 initrc_t:fifo_file rw_file_perms; allow $1 initrc_t:fifo_file rw_file_perms;
allow $1 initrc_t:process sigchld; allow $1 initrc_t:process sigchld;
dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
} else { } else {
can_exec(initrc_t,$2) can_exec(initrc_t,$2)
can_exec(direct_run_init,$2) can_exec(direct_run_init,$2)
@ -103,10 +103,10 @@ interface(`init_daemon_domain',`
',` ',`
domain_auto_trans(initrc_t,$2,$1) domain_auto_trans(initrc_t,$2,$1)
allow initrc_t $1:fd use; allow initrc_t $1:fd use;
allow initrc_t $1:process { noatsecure siginh rlimitinh };
allow $1 initrc_t:fd use; allow $1 initrc_t:fd use;
allow $1 initrc_t:fifo_file rw_file_perms; allow $1 initrc_t:fifo_file rw_file_perms;
allow $1 initrc_t:process sigchld; allow $1 initrc_t:process sigchld;
dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
') ')
optional_policy(`nscd.te',` optional_policy(`nscd.te',`

View File

@ -418,6 +418,7 @@ ifdef(`distro_redhat',`
fs_use_tmpfs_chr_dev(initrc_t) fs_use_tmpfs_chr_dev(initrc_t)
files_create_boot_flag(initrc_t) files_create_boot_flag(initrc_t)
files_getattr_all_file_type_sockets(initrc_t)
# readahead asks for these # readahead asks for these
mta_read_aliases(initrc_t) mta_read_aliases(initrc_t)