trunk: switch daemons from inheriting from all levels to initrc_t sharing to all levels.
parent
8d2c34195e
commit
2af7b42a06
@ -1,3 +1,5 @@
|
||||
- Allow initrc_t file descriptors to be inherited regardless of MLS level.
|
||||
Accordingly drop MLS permissions from daemons that inherit from any level.
|
||||
- Files and radvd updates from Stefan Schulze Frielinghaus.
|
||||
- Deprecate mls_file_write_down() and mls_file_read_up(), replaced with
|
||||
mls_write_all_levels() and mls_read_all_levels(), for consistency.
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(cups,1.7.1)
|
||||
policy_module(cups,1.7.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -165,7 +165,6 @@ domain_read_all_domains_state(cupsd_t)
|
||||
fs_getattr_all_fs(cupsd_t)
|
||||
fs_search_auto_mountpoints(cupsd_t)
|
||||
|
||||
mls_fd_use_all_levels(cupsd_t)
|
||||
mls_file_downgrade(cupsd_t)
|
||||
mls_file_write_all_levels(cupsd_t)
|
||||
mls_file_read_all_levels(cupsd_t)
|
||||
|
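Review bot: Dropping the per-daemon override in the `@ -165,7 +165,6` hunk is not equivalent to the sharing rule this commit gives initrc_t, because `mls_fd_share_all_levels(initrc_t)` only covers descriptors that come from initrc_t. The hunk is one line shorter on the new side and the rendering has lost the +/- markers, so it is presumably `mls_fd_use_all_levels(cupsd_t)` that goes; after that, a descriptor cupsd_t inherits or is handed by any other domain at a different level will fail the MLS `fd use` constraint. The same applies to the auditd_t hunk in logging and the setrans_t hunk in setrans. I would record the assumption next to the remaining MLS lines, e.g. `# fds are only inherited from initrc_t, which shares to all levels`, and check an MLS enforcing boot for `fd { use }` denials on these three domains before release.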
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(inetd,1.4.0)
|
||||
policy_module(inetd,1.4.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -132,11 +132,9 @@ logging_send_syslog_msg(inetd_t)
|
||||
miscfiles_read_localization(inetd_t)
|
||||
|
||||
# xinetd needs MLS override privileges to work
|
||||
mls_fd_use_all_levels(inetd_t)
|
||||
mls_fd_share_all_levels(inetd_t)
|
||||
mls_socket_read_to_clearance(inetd_t)
|
||||
mls_process_set_level(inetd_t)
|
||||
mls_socket_read_to_clearance(inetd_t)
|
||||
|
||||
sysnet_read_config(inetd_t)
|
||||
|
||||
|
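Review bot: The `@ -132,11 +132,9` hunk should keep `mls_fd_share_all_levels(inetd_t)`, and the page no longer shows whether it does: two lines are dropped, none are added, and the +/- markers are lost. Services that inetd_t starts at another level (it holds `mls_process_set_level`) would inherit their connection descriptor from inetd_t rather than from initrc_t, so the new initrc_t sharing rule does not cover them. If the two removals are `mls_fd_use_all_levels(inetd_t)` and the duplicated `mls_socket_read_to_clearance(inetd_t)`, the result is fine. The comment above the block could also say what the overrides are for rather than only that they are needed, something like `# services are started at the connection's level and inherit the socket from inetd_t`, if that matches the intent.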
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(init,1.7.2)
|
||||
policy_module(init,1.7.3)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
@ -292,6 +292,7 @@ mls_file_write_all_levels(initrc_t)
|
||||
mls_process_read_up(initrc_t)
|
||||
mls_process_write_down(initrc_t)
|
||||
mls_rangetrans_source(initrc_t)
|
||||
mls_fd_share_all_levels(initrc_t)
|
||||
|
||||
selinux_get_enforce_mode(initrc_t)
|
||||
|
||||
|
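Review bot: The line added to the initrc_t block in `@ -292,6 +292,7`, presumably `mls_fd_share_all_levels(initrc_t)` going by the commit title, carries no comment, and it is the grant the rest of the commit depends on. It lets every domain at every level use descriptors opened by initrc_t, and the surrounding lines show initrc_t also holds `mls_process_read_up` and `mls_process_write_down`, so those descriptors can refer to objects at many levels. Only the `fd use` check is relaxed; the receiving domain still needs its own MLS permission on the object behind the descriptor, which is worth stating so the line is not read as a wider override than it is. I would add `# daemons started by init scripts inherit initrc_t's fds at any level; access to the object itself is still MLS-checked` above it.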
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(logging,1.7.1)
|
||||
policy_module(logging,1.7.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -155,7 +155,6 @@ miscfiles_read_localization(auditd_t)
|
||||
|
||||
mls_file_read_all_levels(auditd_t)
|
||||
mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
|
||||
mls_fd_use_all_levels(auditd_t)
|
||||
|
||||
seutil_dontaudit_read_config(auditd_t)
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(setrans,1.3.1)
|
||||
policy_module(setrans,1.3.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -58,7 +58,6 @@ mls_net_receive_all_levels(setrans_t)
|
||||
mls_socket_write_all_levels(setrans_t)
|
||||
mls_process_read_up(setrans_t)
|
||||
mls_socket_read_all_levels(setrans_t)
|
||||
mls_fd_use_all_levels(setrans_t)
|
||||
|
||||
selinux_compute_access_vector(setrans_t)
|
||||
|
||||
|