add userdomain:fd use

This commit is contained in:
Chris PeBenito 2005-05-18 21:00:56 +00:00
parent 490639cd57
commit 26c87e0c42
2 changed files with 20 additions and 20 deletions

View File

@ -115,14 +115,16 @@ filesystem_get_persistent_filesystem_attributes(checkpolicy_t)
terminal_use_console(checkpolicy_t) terminal_use_console(checkpolicy_t)
domain_use_widely_inheritable_file_descriptors(checkpolicy_t)
init_use_file_descriptors(checkpolicy_t) init_use_file_descriptors(checkpolicy_t)
init_script_use_pseudoterminal(checkpolicy_t) init_script_use_pseudoterminal(checkpolicy_t)
domain_use_widely_inheritable_file_descriptors(checkpolicy_t)
libraries_use_dynamic_loader(checkpolicy_t) libraries_use_dynamic_loader(checkpolicy_t)
libraries_use_shared_libraries(checkpolicy_t) libraries_use_shared_libraries(checkpolicy_t)
userdomain_use_all_users_file_descriptors(checkpolicy_t)
ifdef(`TODO',` ifdef(`TODO',`
role sysadm_r types checkpolicy_t; role sysadm_r types checkpolicy_t;
domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t) domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t)
@ -138,9 +140,6 @@ ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
# Allow users to execute checkpolicy without a domain transition # Allow users to execute checkpolicy without a domain transition
# so it can be used without privilege to write real binary policy file # so it can be used without privilege to write real binary policy file
can_exec(unpriv_userdomain, checkpolicy_exec_t) can_exec(unpriv_userdomain, checkpolicy_exec_t)
allow checkpolicy_t userdomain:fd use;
') dnl endif TODO ') dnl endif TODO
######################################## ########################################
@ -178,6 +177,8 @@ libraries_use_shared_libraries(load_policy_t)
miscfiles_read_localization(load_policy_t) miscfiles_read_localization(load_policy_t)
userdomain_use_all_users_file_descriptors(load_policy_t)
ifdef(`TODO',` ifdef(`TODO',`
role sysadm_r types load_policy_t; role sysadm_r types load_policy_t;
domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t) domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)
@ -186,8 +187,6 @@ allow load_policy_t admin_tty_type:chr_file { read write ioctl getattr };
# directory search permissions for path to binary policy files # directory search permissions for path to binary policy files
allow load_policy_t etc_t:dir search; allow load_policy_t etc_t:dir search;
allow load_policy_t userdomain:fd use;
') dnl endif TODO ') dnl endif TODO
######################################## ########################################
@ -327,6 +326,8 @@ libraries_use_shared_libraries(restorecon_t)
logging_send_system_log_message(restorecon_t) logging_send_system_log_message(restorecon_t)
userdomain_use_all_users_file_descriptors(restorecon_t)
optional_policy(`hotplug.te',` optional_policy(`hotplug.te',`
hotplug_use_file_descriptors(restorecon_t) hotplug_use_file_descriptors(restorecon_t)
') ')
@ -343,7 +344,6 @@ ifdef(`TODO',`
allow restorecon_t admin_tty_type:chr_file { read write ioctl }; allow restorecon_t admin_tty_type:chr_file { read write ioctl };
domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t) domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t)
role sysadm_r types restorecon_t; role sysadm_r types restorecon_t;
allow restorecon_t userdomain:fd use;
# for upgrading glibc and other shared objects - without this the upgrade # for upgrading glibc and other shared objects - without this the upgrade
# scripts will put things in a state such that restorecon can not be run! # scripts will put things in a state such that restorecon can not be run!
@ -478,6 +478,8 @@ logging_send_system_log_message(setfiles_t)
miscfiles_read_localization(setfiles_t) miscfiles_read_localization(setfiles_t)
userdomain_use_all_users_file_descriptors(setfiles_t)
# relabeling rules # relabeling rules
kernel_relabel_unlabeled_object(setfiles_t) kernel_relabel_unlabeled_object(setfiles_t)
devices_manage_all_devices_labels(setfiles_t) devices_manage_all_devices_labels(setfiles_t)
@ -491,8 +493,6 @@ ifdef(`TODO',`
domain_auto_trans(sysadm_t, setfiles_exec_t, setfiles_t) domain_auto_trans(sysadm_t, setfiles_exec_t, setfiles_t)
role sysadm_r types setfiles_t; role sysadm_r types setfiles_t;
allow setfiles_t userdomain:fd use;
# for upgrading glibc and other shared objects - without this the upgrade # for upgrading glibc and other shared objects - without this the upgrade
# scripts will put things in a state such that setfiles can not be run! # scripts will put things in a state such that setfiles can not be run!
allow setfiles_t lib_t:file { read execute }; allow setfiles_t lib_t:file { read execute };

View File

@ -115,14 +115,16 @@ filesystem_get_persistent_filesystem_attributes(checkpolicy_t)
terminal_use_console(checkpolicy_t) terminal_use_console(checkpolicy_t)
domain_use_widely_inheritable_file_descriptors(checkpolicy_t)
init_use_file_descriptors(checkpolicy_t) init_use_file_descriptors(checkpolicy_t)
init_script_use_pseudoterminal(checkpolicy_t) init_script_use_pseudoterminal(checkpolicy_t)
domain_use_widely_inheritable_file_descriptors(checkpolicy_t)
libraries_use_dynamic_loader(checkpolicy_t) libraries_use_dynamic_loader(checkpolicy_t)
libraries_use_shared_libraries(checkpolicy_t) libraries_use_shared_libraries(checkpolicy_t)
userdomain_use_all_users_file_descriptors(checkpolicy_t)
ifdef(`TODO',` ifdef(`TODO',`
role sysadm_r types checkpolicy_t; role sysadm_r types checkpolicy_t;
domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t) domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t)
@ -138,9 +140,6 @@ ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
# Allow users to execute checkpolicy without a domain transition # Allow users to execute checkpolicy without a domain transition
# so it can be used without privilege to write real binary policy file # so it can be used without privilege to write real binary policy file
can_exec(unpriv_userdomain, checkpolicy_exec_t) can_exec(unpriv_userdomain, checkpolicy_exec_t)
allow checkpolicy_t userdomain:fd use;
') dnl endif TODO ') dnl endif TODO
######################################## ########################################
@ -178,6 +177,8 @@ libraries_use_shared_libraries(load_policy_t)
miscfiles_read_localization(load_policy_t) miscfiles_read_localization(load_policy_t)
userdomain_use_all_users_file_descriptors(load_policy_t)
ifdef(`TODO',` ifdef(`TODO',`
role sysadm_r types load_policy_t; role sysadm_r types load_policy_t;
domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t) domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)
@ -186,8 +187,6 @@ allow load_policy_t admin_tty_type:chr_file { read write ioctl getattr };
# directory search permissions for path to binary policy files # directory search permissions for path to binary policy files
allow load_policy_t etc_t:dir search; allow load_policy_t etc_t:dir search;
allow load_policy_t userdomain:fd use;
') dnl endif TODO ') dnl endif TODO
######################################## ########################################
@ -327,6 +326,8 @@ libraries_use_shared_libraries(restorecon_t)
logging_send_system_log_message(restorecon_t) logging_send_system_log_message(restorecon_t)
userdomain_use_all_users_file_descriptors(restorecon_t)
optional_policy(`hotplug.te',` optional_policy(`hotplug.te',`
hotplug_use_file_descriptors(restorecon_t) hotplug_use_file_descriptors(restorecon_t)
') ')
@ -343,7 +344,6 @@ ifdef(`TODO',`
allow restorecon_t admin_tty_type:chr_file { read write ioctl }; allow restorecon_t admin_tty_type:chr_file { read write ioctl };
domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t) domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t)
role sysadm_r types restorecon_t; role sysadm_r types restorecon_t;
allow restorecon_t userdomain:fd use;
# for upgrading glibc and other shared objects - without this the upgrade # for upgrading glibc and other shared objects - without this the upgrade
# scripts will put things in a state such that restorecon can not be run! # scripts will put things in a state such that restorecon can not be run!
@ -478,6 +478,8 @@ logging_send_system_log_message(setfiles_t)
miscfiles_read_localization(setfiles_t) miscfiles_read_localization(setfiles_t)
userdomain_use_all_users_file_descriptors(setfiles_t)
# relabeling rules # relabeling rules
kernel_relabel_unlabeled_object(setfiles_t) kernel_relabel_unlabeled_object(setfiles_t)
devices_manage_all_devices_labels(setfiles_t) devices_manage_all_devices_labels(setfiles_t)
@ -491,8 +493,6 @@ ifdef(`TODO',`
domain_auto_trans(sysadm_t, setfiles_exec_t, setfiles_t) domain_auto_trans(sysadm_t, setfiles_exec_t, setfiles_t)
role sysadm_r types setfiles_t; role sysadm_r types setfiles_t;
allow setfiles_t userdomain:fd use;
# for upgrading glibc and other shared objects - without this the upgrade # for upgrading glibc and other shared objects - without this the upgrade
# scripts will put things in a state such that setfiles can not be run! # scripts will put things in a state such that setfiles can not be run!
allow setfiles_t lib_t:file { read execute }; allow setfiles_t lib_t:file { read execute };