trunk: switch daemons from inheriting from all levels to initrc_t sharing to all levels.

2007-08-22 20:21:52 +00:00 · 2007-08-22 20:21:52 +00:00 · 2af7b42a06
parent 8d2c34195e
commit 2af7b42a06
6 changed files with 8 additions and 10 deletions
--- a/2
+++ b/2
@ -1,3 +1,5 @@
+- Allow initrc_t file descriptors to be inherited regardless of MLS level.
+  Accordingly drop MLS permissions from daemons that inherit from any level.
 - Files and radvd updates from Stefan Schulze Frielinghaus.
 - Deprecate mls_file_write_down() and mls_file_read_up(), replaced with
  mls_write_all_levels() and mls_read_all_levels(), for consistency.
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@ -1,5 +1,5 @@

-policy_module(cups,1.7.1)
+policy_module(cups,1.7.2)

 ########################################
 #
@ -165,7 +165,6 @@ domain_read_all_domains_state(cupsd_t)
 fs_getattr_all_fs(cupsd_t)
 fs_search_auto_mountpoints(cupsd_t)

-mls_fd_use_all_levels(cupsd_t)
 mls_file_downgrade(cupsd_t)
 mls_file_write_all_levels(cupsd_t)
 mls_file_read_all_levels(cupsd_t)
--- a/policy/modules/services/inetd.te
+++ b/policy/modules/services/inetd.te
@ -1,5 +1,5 @@

-policy_module(inetd,1.4.0)
+policy_module(inetd,1.4.1)

 ########################################
 #
@ -132,11 +132,9 @@ logging_send_syslog_msg(inetd_t)
 miscfiles_read_localization(inetd_t)

 # xinetd needs MLS override privileges to work
-mls_fd_use_all_levels(inetd_t)
 mls_fd_share_all_levels(inetd_t)
 mls_socket_read_to_clearance(inetd_t)
 mls_process_set_level(inetd_t)
-mls_socket_read_to_clearance(inetd_t)

 sysnet_read_config(inetd_t)

--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@ -1,5 +1,5 @@

-policy_module(init,1.7.2)
+policy_module(init,1.7.3)

 gen_require(`
 	class passwd rootok;
@ -292,6 +292,7 @@ mls_file_write_all_levels(initrc_t)
 mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
+mls_fd_share_all_levels(initrc_t)

 selinux_get_enforce_mode(initrc_t)

--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@ -1,5 +1,5 @@

-policy_module(logging,1.7.1)
+policy_module(logging,1.7.2)

 ########################################
 #
@ -155,7 +155,6 @@ miscfiles_read_localization(auditd_t)

 mls_file_read_all_levels(auditd_t)
 mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
-mls_fd_use_all_levels(auditd_t)

 seutil_dontaudit_read_config(auditd_t)

--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@ -1,5 +1,5 @@

-policy_module(setrans,1.3.1)
+policy_module(setrans,1.3.2)

 ########################################
 #
@ -58,7 +58,6 @@ mls_net_receive_all_levels(setrans_t)
 mls_socket_write_all_levels(setrans_t)
 mls_process_read_up(setrans_t)
 mls_socket_read_all_levels(setrans_t)
-mls_fd_use_all_levels(setrans_t)

 selinux_compute_access_vector(setrans_t)