move selinux unconfined to attribute setup, clean up unconfined interface a bit

Chris PeBenito 2006-05-19 15:15:45 +00:00
parent 9d4538024a
commit 41a0f8bf3b
3 changed files with 26 additions and 22 deletions


@ -394,20 +394,8 @@ interface(`selinux_compute_user_contexts',`
#
interface(`selinux_unconfined',`
gen_require(`
attribute can_load_policy, can_setenforce, can_setsecparam;
bool secure_mode_policyload;
type security_t;
attribute selinux_unconfined_type;
')
# use SELinuxfs
allow $1 security_t:dir { getattr search read };
allow $1 security_t:file { getattr read write };
typeattribute $1 can_load_policy, can_setenforce, can_setsecparam;
if(!secure_mode_policyload) {
# Access the security API.
allow $1 security_t:security *;
auditallow $1 security_t:security { load_policy setenforce setbool };
}
typeattribute $1 selinux_unconfined_type;
')
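Review bot: Callers of `selinux_unconfined` no longer receive the `can_load_policy`, `can_setenforce` and `can_setsecparam` attributes, because the new interface body appears to be reduced to `typeattribute $1 selinux_unconfined_type;`. Any rule or audit query elsewhere that selects domains by those three attributes will therefore stop matching unconfined domains. Whether other modules depend on the old attributes cannot be judged from this page, so it is worth checking before relying on this change. The interface's header comment starts above this hunk and is not visible here; it should say where the access is now granted, for example `# Access is granted in the .te file via selinux_unconfined_type; load_policy, setenforce and setbool stay conditional on secure_mode_policyload.`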


@ -1,5 +1,5 @@
policy_module(selinux,1.1.0)
policy_module(selinux,1.1.1)
########################################
#
@ -9,6 +9,7 @@ policy_module(selinux,1.1.0)
attribute can_load_policy;
attribute can_setenforce;
attribute can_setsecparam;
attribute selinux_unconfined_type;
#
# security_t is the target type when checking
@ -21,6 +22,23 @@ mls_trusted_object(security_t)
sid security gen_context(system_u:object_r:security_t,s15:c0.c255)
genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
neverallow ~can_load_policy security_t:security load_policy;
neverallow ~can_setenforce security_t:security setenforce;
neverallow ~can_setsecparam security_t:security setsecparam;
neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
########################################
#
# Unconfined access to this module
#
# use SELinuxfs
allow selinux_unconfined_type security_t:dir { getattr search read };
allow selinux_unconfined_type security_t:file { getattr read write };
# Access the security API.
allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool };
if(!secure_mode_policyload) {
allow selinux_unconfined_type security_t:security { load_policy setenforce setbool };
auditallow selinux_unconfined_type security_t:security { load_policy setenforce setbool };
}
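Review bot: The unconditional rule `allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool };` grants `setsecparam`, and every other permission in the complement set, regardless of `secure_mode_policyload` and without an `auditallow`. The interface body this commit removes kept the whole `security_t:security *` grant inside `if(!secure_mode_policyload)`. `setsecparam` has its own neverallow a few lines earlier, so if the widening is intended it deserves a comment; otherwise keep it auditable, for example with `auditallow selinux_unconfined_type security_t:security setsecparam;`. The rewritten neverallow rules also make `selinux_unconfined_type` a second way to pass the load_policy, setenforce and setsecparam assertions, so a policy audit now has to list members of that attribute as well as the `can_*` ones. A one-line comment above the three neverallows saying so would help.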


@ -56,10 +56,6 @@ interface(`unconfined_domain_noaudit',`
# Allow making the stack executable via mprotect.
allow $1 self:process execstack;
# auditallow $1 self:process execstack;
', `
# These are fairly common but seem to be harmless
# caused by using shared libraries built with old tool chains
#dontaudit $1 self:process execstack;
')
@ -73,6 +69,8 @@ interface(`unconfined_domain_noaudit',`
')
optional_policy(`
# this is to handle execmod on shared
# libs with text relocations
libs_use_shared_libs($1)
')