a few module compile fixes

2005-09-19 14:18:48 +00:00 · 2005-09-19 14:18:48 +00:00 · 41c4800de4
commit 41c4800de4
parent cf6a7d8993
11 changed files with 38 additions and 67 deletions
--- a/refpolicy/policy/modules/admin/firstboot.te
+++ b/refpolicy/policy/modules/admin/firstboot.te
@ -1,6 +1,10 @@
 policy_module(firstboot,1.0)
 gen_require(`
 	class passwd rootok;
 ')
 ########################################
 #
 # Declarations
@ -111,6 +115,10 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(firstboot_t)
 ')
 optional_policy(`samba.te',`
 	samba_rw_config(firstboot_t)
 ')
 optional_policy(`usermanage.te',`
 	usermanage_domtrans_useradd(firstboot_t)
 	usermanage_domtrans_groupadd(firstboot_t)
@ -123,10 +131,6 @@ ifdef(`printconf.te', `
 	can_exec(firstboot_t, printconf_t)
 ')
 ifdef(`samba.te', `
 	rw_dir_file(firstboot_t, samba_etc_t)
 ')
 ifdef(`userhelper.te', `
 	role system_r types sysadm_userhelper_t;
 	domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t)
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@ -756,8 +756,6 @@ interface(`kernel_dontaudit_search_network_sysctl_dir',`
 interface(`kernel_read_net_sysctl',`
 	gen_require(`
 		type proc_t, sysctl_t, sysctl_net_t;
 		class dir r_dir_perms;
 		class file f_file_perms;
 	')
 	allow $1 proc_t:dir search;
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@ -454,8 +454,7 @@ interface(`term_relabelto_all_user_ptys',`
 interface(`term_use_all_user_ptys',`
 	gen_require(`
 		attribute ptynode;
-		class dir r_dir_perms;
+		type devpts_t;
 		class chr_file { getattr read write ioctl };
 	')
 	dev_list_all_dev_nodes($1)
--- a/refpolicy/policy/modules/services/kerberos.if
+++ b/refpolicy/policy/modules/services/kerberos.if
@ -32,9 +32,6 @@
 interface(`kerberos_use',`
 	gen_require(`
 		type krb5_conf_t;
 		class file r_file_perms;
 		class tcp_socket create_socket_perms;
 		class udp_socket create_socket_perms;
 	')
 	files_search_etc($1)
@ -71,7 +68,6 @@ interface(`kerberos_use',`
 interface(`kerberos_read_config',`
 	gen_require(`
 		type krb5_conf_t;
 		class files r_file_perms;
 	')
 	files_search_etc($1)
@ -89,7 +85,6 @@ interface(`kerberos_read_config',`
 interface(`kerberos_rw_config',`
 	gen_require(`
 		type krb5_conf_t;
 		class files rw_file_perms;
 	')
 	files_search_etc($1)
--- a/refpolicy/policy/modules/services/nis.if
+++ b/refpolicy/policy/modules/services/nis.if
@ -11,12 +11,6 @@
 interface(`nis_use_ypbind',`
 	gen_require(`
 		type var_yp_t;
 		class dir r_dir_perms;
 		class lnk_file r_file_perms;
 		class file r_file_perms;
 		class capability net_bind_service;
 		class tcp_socket create_stream_socket_perms;
 		class udp_socket create_socket_perms;
 	')
 	tunable_policy(`allow_ypbind',`
@ -65,7 +59,6 @@ interface(`nis_use_ypbind',`
 interface(`nis_list_var_yp',`
 	gen_require(`
 		type ypbind_t;
 		class dir r_dir_perms;
 	')
 	files_search_var($1)
@ -83,7 +76,6 @@ interface(`nis_list_var_yp',`
 interface(`nis_udp_sendto_ypbind',`
 	gen_require(`
 		type ypbind_t;
 		class udp_socket { sendto recvfrom };
 	')
 	allow $1 ypbind_t:udp_socket sendto;
--- a/refpolicy/policy/modules/services/nscd.if
+++ b/refpolicy/policy/modules/services/nscd.if
@ -11,9 +11,6 @@
 interface(`nscd_domtrans',`
 	gen_require(`
 		type nscd_t, nscd_exec_t;
 		class process sigchld;
 		class fd use;
 		class fifo_file rw_file_perms;
 	')
 	corecmd_search_sbin($1)
@ -37,12 +34,6 @@ interface(`nscd_domtrans',`
 interface(`nscd_use_socket',`
 	gen_require(`
 		type nscd_t, nscd_var_run_t;
 		class fd use;
 		class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
 		class unix_stream_socket { create_socket_perms connectto };
 		class dir { search getattr };
 		class sock_file rw_file_perms;
 		class file { getattr read };
 	')
 	allow $1 self:unix_stream_socket create_socket_perms;
@ -70,12 +61,6 @@ interface(`nscd_use_socket',`
 interface(`nscd_use_shared_mem',`
 	gen_require(`
 		type nscd_t, nscd_var_run_t;
 		class fd use;
 		class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
 		class unix_stream_socket { create_stream_socket_perms connectto };
 		class dir r_dir_perms;
 		class sock_file rw_file_perms;
 		class file { getattr read };
 	')
 	allow $1 nscd_var_run_t:dir r_dir_perms;
@ -106,8 +91,6 @@ interface(`nscd_use_shared_mem',`
 interface(`nscd_read_pid',`
 	gen_require(`
 		type nscd_var_run_t;
 		class dir search;
 		class file { getattr read };
 	')
 	files_search_pids($1)
@ -126,6 +109,7 @@ interface(`nscd_read_pid',`
 interface(`nscd_unconfined',`
 	gen_require(`
 		type nscd_t;
 		class nscd all_nscd_perms;
 	')
 	allow $1 nscd_t:nscd *;
--- a/refpolicy/policy/modules/services/nscd.te
+++ b/refpolicy/policy/modules/services/nscd.te
@ -1,6 +1,10 @@
 policy_module(nscd,1.0)
 gen_require(`
 	class nscd { admin getstat };
 ')
 ########################################
 #
 # Declarations
@ -35,7 +39,6 @@ allow nscd_t self:udp_socket create_socket_perms;
 # For client program operation, invoked from sysadm_t.
 # Transition occurs to nscd_t due to direct_sysadm_daemon. 
 # cjp: this should probably be in a direct_sysadm_daemon tunable
 allow nscd_t self:nscd { admin getstat };
 allow nscd_t nscd_log_t:file create_file_perms;
--- a/refpolicy/policy/modules/services/samba.if
+++ b/refpolicy/policy/modules/services/samba.if
@ -52,9 +52,6 @@ template(`samba_per_userdomain_template',`
 interface(`samba_domtrans_net',`
 	gen_require(`
 		type samba_net_t, samba_net_exec_t;
 		class process sigchld;
 		class fd use;
 		class fifo_file rw_file_perms;
 	')
 	corecmd_search_bin($1)
@ -84,7 +81,6 @@ interface(`samba_domtrans_net',`
 interface(`samba_run_net',`
 	gen_require(`
 		type samba_net_t;
 		class chr_file rw_term_perms;
 	')
 	samba_domtrans_net($1)
@ -103,9 +99,6 @@ interface(`samba_run_net',`
 interface(`samba_domtrans_smbmount',`
 	gen_require(`
 		type smbmount_t, smbmount_exec_t;
 		class process sigchld;
 		class fd use;
 		class fifo_file rw_file_perms;
 	')
 	corecmd_search_bin($1)
@ -129,7 +122,6 @@ interface(`samba_domtrans_smbmount',`
 interface(`samba_read_config',`
 	gen_require(`
 		type samba_etc_t;
 		class file { read getattr lock };
 	')
 	files_search_etc($1)
@ -148,7 +140,6 @@ interface(`samba_read_config',`
 interface(`samba_rw_config',`
 	gen_require(`
 		type samba_etc_t;
 		class file rw_file_perms;
 	')
 	files_search_etc($1)
@ -166,7 +157,6 @@ interface(`samba_rw_config',`
 interface(`samba_read_log',`
 	gen_require(`
 		type samba_log_t;
 		class file { read getattr lock };
 	')
 	logging_search_logs($1)
@ -201,7 +191,6 @@ interface(`samba_exec_log',`
 interface(`samba_read_secrets',`
 	gen_require(`
 		type samba_secrets_t;
 		class file { read getattr lock };
 	')
 	files_search_etc($1)
@ -219,7 +208,6 @@ interface(`samba_read_secrets',`
 interface(`samba_write_smbmount_tcp_socket',`
 	gen_require(`
 		type smbmount_t;
 		class tcp_socket write;
 	')
 	allow $1 smbmount_t:tcp_socket write;
@ -236,7 +224,6 @@ interface(`samba_write_smbmount_tcp_socket',`
 interface(`samba_rw_smbmount_tcp_socket',`
 	gen_require(`
 		type smbmount_t;
 		class tcp_socket { read write };
 	')
 	allow $1 smbmount_t:tcp_socket { read write };
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@ -875,12 +875,7 @@ interface(`domain_unconfined',`
 		attribute can_change_process_identity;
 		attribute can_change_process_role;
 		attribute can_change_object_identity;
-		class fd use;
+		attribute unconfined_domain;
 		class fifo_file rw_file_perms;
 		class process { transition dyntransition execmem };
 		class dir r_dir_perms;
 		class file r_file_perms;
 		class lnk_file r_file_perms;
 	')
 	typeattribute $1 unconfined_domain;
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@ -700,7 +700,6 @@ interface(`files_mounton_default',`
 interface(`files_dontaudit_getattr_default_files',`
 	gen_require(`
 		type default_t;
 		class files getattr;
 	')
 	dontaudit $1 default_t:file getattr;
--- a/refpolicy/policy/support/loadable_module.spt
+++ b/refpolicy/policy/support/loadable_module.spt
@ -22,9 +22,11 @@ define(`policy_module',`
 #
 define(`gen_require',`
 	ifdef(`monolithic_policy',`',`
 		define(`in_gen_require_block')
 		require {
 			$1
 		}
 		undefine(`in_gen_require_block')
 	')
 ')
@ -107,6 +109,18 @@ define(`dflt_or_overr',`ifdef(`$1',$1,$2)')
 # Tunable declaration
 #
 define(`gen_tunable',`
 	ifdef(`in_gen_require_block',`
 		ifdef(`monolithic_policy',`
 			bool $1;
 		',`
 			# loadable module tunable
 			# declaration will go here
 			# instead of bool when
 			# loadable modules support
 			# tunables
 			bool $1;
 		')
 	',`
 		ifdef(`monolithic_policy',`
 			bool $1 dflt_or_overr(`$1'_conf,$2);
 		',`
@ -118,6 +132,7 @@ define(`gen_tunable',`
 			bool $1 dflt_or_overr(`$1'_conf,$2);
 		')
 	')
 ')
 ##############################
 #