rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

move selinux unconfined to attribute setup, clean up unconfined interface a bit

Browse Source
This commit is contained in:
Chris PeBenito 2006-05-19 15:15:45 +00:00
parent 9d4538024a
commit 41a0f8bf3b
3 changed files with 26 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
refpolicy/policy/modules/kernel/selinux.if
View File

@ -394,20 +394,8 @@ interface(`selinux_compute_user_contexts',`
# #
interface(`selinux_unconfined',` interface(`selinux_unconfined',`
gen_require(` gen_require(`
attribute can_load_policy, can_setenforce, can_setsecparam; attribute selinux_unconfined_type;
bool secure_mode_policyload;
type security_t;
') ')
# use SELinuxfs typeattribute $1 selinux_unconfined_type;
allow $1 security_t:dir { getattr search read };
allow $1 security_t:file { getattr read write };
typeattribute $1 can_load_policy, can_setenforce, can_setsecparam;
if(!secure_mode_policyload) {
# Access the security API.
allow $1 security_t:security *;
auditallow $1 security_t:security { load_policy setenforce setbool };
}
') ')

26
refpolicy/policy/modules/kernel/selinux.te
View File

@ -1,5 +1,5 @@
policy_module(selinux,1.1.0) policy_module(selinux,1.1.1)
######################################## ########################################
# #
@ -9,6 +9,7 @@ policy_module(selinux,1.1.0)
attribute can_load_policy; attribute can_load_policy;
attribute can_setenforce; attribute can_setenforce;
attribute can_setsecparam; attribute can_setsecparam;
attribute selinux_unconfined_type;
# #
# security_t is the target type when checking # security_t is the target type when checking
@ -21,6 +22,23 @@ mls_trusted_object(security_t)
sid security gen_context(system_u:object_r:security_t,s15:c0.c255) sid security gen_context(system_u:object_r:security_t,s15:c0.c255)
genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0) genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
neverallow ~can_load_policy security_t:security load_policy; neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
neverallow ~can_setenforce security_t:security setenforce; neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
neverallow ~can_setsecparam security_t:security setsecparam; neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
########################################
#
# Unconfined access to this module
#
# use SELinuxfs
allow selinux_unconfined_type security_t:dir { getattr search read };
allow selinux_unconfined_type security_t:file { getattr read write };
# Access the security API.
allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool };
if(!secure_mode_policyload) {
allow selinux_unconfined_type security_t:security { load_policy setenforce setbool };
auditallow selinux_unconfined_type security_t:security { load_policy setenforce setbool };
}

6
refpolicy/policy/modules/system/unconfined.if
View File

@ -56,10 +56,6 @@ interface(`unconfined_domain_noaudit',`
# Allow making the stack executable via mprotect. # Allow making the stack executable via mprotect.
allow $1 self:process execstack; allow $1 self:process execstack;
# auditallow $1 self:process execstack; # auditallow $1 self:process execstack;
', `
# These are fairly common but seem to be harmless
# caused by using shared libraries built with old tool chains
#dontaudit $1 self:process execstack;
') ')
@ -73,6 +69,8 @@ interface(`unconfined_domain_noaudit',`
') ')
optional_policy(` optional_policy(`
# this is to handle execmod on shared
# libs with text relocations
libs_use_shared_libs($1) libs_use_shared_libs($1)
') ')