kernel.if renaming

2005-06-09 20:50:17 +00:00 · 2005-06-09 20:50:17 +00:00 · 588ffaeb7f
commit 588ffaeb7f
parent eda201efe8
5 changed files with 231 additions and 475 deletions
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@ -188,21 +188,25 @@ allow kernel_t sysctl_t:dir r_dir_perms;
 allow kernel_t sysctl_kernel_t:dir r_dir_perms;
 allow kernel_t sysctl_kernel_t:file r_file_perms;
 # old base_file_read_access():
 files_list_home_directories(kernel_t)
 files_read_general_application_resources(kernel_t)
 selinux_read_config(kernel_t)
 selinux_read_binary_policy(kernel_t)
 allow kernel_t security_t:dir r_dir_perms;
 allow kernel_t security_t:file rw_file_perms;
 allow kernel_t security_t:security load_policy;
 auditallow kernel_t security_t:security load_policy;
 corecommands_execute_shell(kernel_t)
 corecommands_read_system_programs_directory(kernel_t)
 files_read_root_dir(kernel_t)
 files_list_home_directories(kernel_t)
 files_read_general_application_resources(kernel_t)
 init_sigchld(kernel_t)
 libraries_use_dynamic_loader(kernel_t)
 libraries_use_shared_libraries(kernel_t)
-corecommands_execute_shell(kernel_t)
+selinux_read_config(kernel_t)
 selinux_read_binary_policy(kernel_t)
 terminal_use_console(kernel_t)
 domain_signal_all_domains(kernel_t)
@ -234,3 +238,14 @@ neverallow ~can_setsecparam security_t:security setsecparam;
 neverallow * *:process { setcurrent dyntransition };
 neverallow ~can_load_kernmodule *:capability sys_module;
 ########################################
 #
 # Unlabeled process local policy
 #
 # If you load a new policy that removes active domains, processes can
 # get stuck if you do not allow unlabeled processes to signal init.
 # If you load an incompatible policy, you should probably reboot,
 # since you may have compromised system security.
 init_sigchld(unlabeled_t)
--- a/refpolicy/policy/modules/system/corecommands.te
+++ b/refpolicy/policy/modules/system/corecommands.te
@ -12,7 +12,6 @@ files_make_file(bin_t)
 #
 type sbin_t;
 files_make_file(sbin_t)
 kernel_read_directory_from(sbin_t)
 #
 # ls_exec_t is the type of the ls program.
--- a/refpolicy/policy/modules/system/files.te
+++ b/refpolicy/policy/modules/system/files.te
@ -82,7 +82,6 @@ fs_noxattr_associate(readable_t)
 type root_t, file_type, mountpoint;
 fs_associate(root_t)
 fs_noxattr_associate(root_t)
 kernel_read_directory_from(root_t)
 kernel_make_root_fs_mountpoint(root_t)
 genfscon rootfs / context_template(system_u:object_r:root_t,s0)
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@ -85,20 +85,8 @@ devices_create_dev_entry(init_t,initctl_t,fifo_file)
 # Modify utmp.
 allow init_t initrc_var_run_t:file rw_file_perms;
-# Run init scripts.  this is ok since initrc
+# Run init scripts.
-# is also in this module
+domain_auto_trans(init_t,initrc_exec_t,initrc_t)
 allow init_t initrc_t:process transition;
 allow init_t initrc_exec_t:file rx_file_perms;
 type_transition init_t initrc_exec_t:process initrc_t;
 dontaudit init_t initrc_t:process { noatsecure siginh rlimitinh };
 kernel_sigchld_from(init_t)
 # If you load a new policy that removes active domains, processes can
 # get stuck if you do not allow unlabeled processes to signal init
 # If you load an incompatible policy, you should probably reboot,
 # since you may have compromised system security.
 kernel_unlabeled_sigchld_from(init_t)
 kernel_set_selinux_boolean(init_t)
 kernel_read_system_state(init_t)