From 5e0da6a03eced7543794ba0f6ece4b3272411fb0 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Tue, 14 Jun 2005 20:48:34 +0000 Subject: [PATCH] finish renaming system/selinux to system/selinuxutil --- refpolicy/policy/modules/admin/dmesg.te | 2 +- refpolicy/policy/modules/admin/rpm.te | 46 ++-- refpolicy/policy/modules/admin/usermanage.te | 64 +++--- refpolicy/policy/modules/kernel/bootloader.te | 4 +- refpolicy/policy/modules/services/cron.if | 16 +- refpolicy/policy/modules/services/cron.te | 36 ++-- .../policy/modules/services/remotelogin.te | 16 +- refpolicy/policy/modules/services/sendmail.te | 2 +- refpolicy/policy/modules/system/authlogin.if | 4 +- refpolicy/policy/modules/system/authlogin.te | 6 +- refpolicy/policy/modules/system/clock.te | 2 +- refpolicy/policy/modules/system/files.if | 4 +- refpolicy/policy/modules/system/hostname.te | 2 +- refpolicy/policy/modules/system/hotplug.te | 2 +- refpolicy/policy/modules/system/init.te | 10 +- refpolicy/policy/modules/system/iptables.te | 2 +- refpolicy/policy/modules/system/locallogin.te | 32 +-- refpolicy/policy/modules/system/logging.te | 4 +- refpolicy/policy/modules/system/lvm.te | 18 +- .../policy/modules/system/selinuxutil.if | 198 +++++++++--------- .../policy/modules/system/selinuxutil.te | 58 ++--- refpolicy/policy/modules/system/sysnetwork.te | 4 +- refpolicy/policy/modules/system/udev.te | 20 +- refpolicy/policy/modules/system/userdomain.if | 34 +-- refpolicy/policy/modules/system/userdomain.te | 10 +- 25 files changed, 298 insertions(+), 298 deletions(-) diff --git a/refpolicy/policy/modules/admin/dmesg.te b/refpolicy/policy/modules/admin/dmesg.te index ca23adb0..7691ee43 100644 --- a/refpolicy/policy/modules/admin/dmesg.te +++ b/refpolicy/policy/modules/admin/dmesg.te @@ -56,7 +56,7 @@ ifdef(`targeted_policy', ` ') optional_policy(`selinux.te',` - selinux_newrole_sigchld(dmesg_t) + seutil_newrole_sigchld(dmesg_t) ') optional_policy(`udev.te', ` diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te index a018e061..e33466b7 100644 --- a/refpolicy/policy/modules/admin/rpm.te +++ b/refpolicy/policy/modules/admin/rpm.te @@ -95,12 +95,12 @@ allow rpm_t rpm_var_lib_t:dir rw_dir_perms; kernel_read_system_state(rpm_t) kernel_read_kernel_sysctl(rpm_t) -kernel_get_selinuxfs_mount_point(rpm_t) -kernel_validate_context(rpm_t) -kernel_compute_access_vector(rpm_t) -kernel_compute_create_context(rpm_t) -kernel_compute_relabel_context(rpm_t) -kernel_compute_reachable_user_contexts(rpm_t) +selinux_get_fs_mount(rpm_t) +selinux_validate_context(rpm_t) +selinux_compute_access_vector(rpm_t) +selinux_compute_create_context(rpm_t) +selinux_compute_relabel_context(rpm_t) +selinux_compute_user_contexts(rpm_t) corenet_tcp_sendrecv_all_if(rpm_t) corenet_raw_sendrecv_all_if(rpm_t) @@ -149,8 +149,8 @@ libs_domtrans_ldconfig(rpm_t) logging_send_syslog_msg(rpm_t) # allow compiling and loading new policy -selinux_manage_src_pol(rpm_t) -selinux_manage_binary_pol(rpm_t) +seutil_manage_src_pol(rpm_t) +seutil_manage_binary_pol(rpm_t) sysnet_read_config(rpm_t) @@ -245,12 +245,12 @@ allow rpm_script_t rpm_script_tmpfs_t:fifo_file create_file_perms; fs_create_tmpfs_data(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) kernel_read_kernel_sysctl(rpm_script_t) -kernel_get_selinuxfs_mount_point(rpm_script_t) -kernel_validate_context(rpm_script_t) -kernel_compute_access_vector(rpm_script_t) -kernel_compute_create_context(rpm_script_t) -kernel_compute_relabel_context(rpm_script_t) -kernel_compute_reachable_user_contexts(rpm_script_t) +selinux_get_fs_mount(rpm_script_t) +selinux_validate_context(rpm_script_t) +selinux_compute_access_vector(rpm_script_t) +selinux_compute_create_context(rpm_script_t) +selinux_compute_relabel_context(rpm_script_t) +selinux_compute_user_contexts(rpm_script_t) kernel_read_system_state(rpm_script_t) # ideally we would not need this @@ -303,8 +303,8 @@ miscfiles_read_localization(rpm_script_t) modutils_domtrans_depmod(rpm_script_t) modutils_domtrans_insmod(rpm_script_t) -selinux_domtrans_loadpol(rpm_script_t) -selinux_domtrans_restorecon(rpm_script_t) +seutil_domtrans_loadpol(rpm_script_t) +seutil_domtrans_restorecon(rpm_script_t) userdom_use_all_user_fd(rpm_script_t) @@ -347,14 +347,14 @@ allow sshd_t rpm_script_t:fd use; # can transition to this domain, nor can it # really do anything useful. -kernel_get_selinuxfs_mount_point(rpmbuild_t) -kernel_validate_context(rpmbuild_t) -kernel_compute_access_vector(rpmbuild_t) -kernel_compute_create_context(rpmbuild_t) -kernel_compute_relabel_context(rpmbuild_t) -kernel_compute_reachable_user_contexts(rpmbuild_t) +selinux_get_fs_mount(rpmbuild_t) +selinux_validate_context(rpmbuild_t) +selinux_compute_access_vector(rpmbuild_t) +selinux_compute_create_context(rpmbuild_t) +selinux_compute_relabel_context(rpmbuild_t) +selinux_compute_user_contexts(rpmbuild_t) -selinux_read_src_pol(rpmbuild_t) +seutil_read_src_pol(rpmbuild_t) ifdef(`TODO',` diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te index ba4b2209..cec2a484 100644 --- a/refpolicy/policy/modules/admin/usermanage.te +++ b/refpolicy/policy/modules/admin/usermanage.te @@ -77,12 +77,12 @@ allow chfn_t self:msgq create_msgq_perms; allow chfn_t self:msg { send receive }; kernel_read_system_state(chfn_t) -kernel_get_selinuxfs_mount_point(chfn_t) -kernel_validate_context(chfn_t) -kernel_compute_access_vector(chfn_t) -kernel_compute_create_context(chfn_t) -kernel_compute_relabel_context(chfn_t) -kernel_compute_reachable_user_contexts(chfn_t) +selinux_get_fs_mount(chfn_t) +selinux_validate_context(chfn_t) +selinux_compute_access_vector(chfn_t) +selinux_compute_create_context(chfn_t) +selinux_compute_relabel_context(chfn_t) +selinux_compute_user_contexts(chfn_t) term_use_all_user_ttys(chfn_t) term_use_all_user_ptys(chfn_t) @@ -210,12 +210,12 @@ allow groupadd_t self:msgq create_msgq_perms; allow groupadd_t self:msg { send receive }; # Allow access to context for shadow file -kernel_get_selinuxfs_mount_point(groupadd_t) -kernel_validate_context(groupadd_t) -kernel_compute_access_vector(groupadd_t) -kernel_compute_create_context(groupadd_t) -kernel_compute_relabel_context(groupadd_t) -kernel_compute_reachable_user_contexts(groupadd_t) +selinux_get_fs_mount(groupadd_t) +selinux_validate_context(groupadd_t) +selinux_compute_access_vector(groupadd_t) +selinux_compute_create_context(groupadd_t) +selinux_compute_relabel_context(groupadd_t) +selinux_compute_user_contexts(groupadd_t) fs_getattr_xattr_fs(groupadd_t) @@ -243,7 +243,7 @@ miscfiles_read_localization(groupadd_t) auth_manage_shadow(groupadd_t) auth_rw_lastlog(groupadd_t) -selinux_read_config(groupadd_t) +seutil_read_config(groupadd_t) ifdef(`TODO',` role sysadm_r types groupadd_t; @@ -285,12 +285,12 @@ allow passwd_t self:sem create_sem_perms; allow passwd_t self:msgq create_msgq_perms; allow passwd_t self:msg { send receive }; -kernel_get_selinuxfs_mount_point(passwd_t) -kernel_validate_context(passwd_t) -kernel_compute_access_vector(passwd_t) -kernel_compute_create_context(passwd_t) -kernel_compute_relabel_context(passwd_t) -kernel_compute_reachable_user_contexts(passwd_t) +selinux_get_fs_mount(passwd_t) +selinux_validate_context(passwd_t) +selinux_compute_access_vector(passwd_t) +selinux_compute_create_context(passwd_t) +selinux_compute_relabel_context(passwd_t) +selinux_compute_user_contexts(passwd_t) # for SSP dev_read_urand(passwd_t) @@ -382,12 +382,12 @@ allow sysadm_passwd_t sysadm_passwd_tmp_t:file create_file_perms; files_create_tmp_files(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir }) files_search_var(sysadm_passwd_t) -kernel_get_selinuxfs_mount_point(sysadm_passwd_t) -kernel_validate_context(sysadm_passwd_t) -kernel_compute_access_vector(sysadm_passwd_t) -kernel_compute_create_context(sysadm_passwd_t) -kernel_compute_relabel_context(sysadm_passwd_t) -kernel_compute_reachable_user_contexts(sysadm_passwd_t) +selinux_get_fs_mount(sysadm_passwd_t) +selinux_validate_context(sysadm_passwd_t) +selinux_compute_access_vector(sysadm_passwd_t) +selinux_compute_create_context(sysadm_passwd_t) +selinux_compute_relabel_context(sysadm_passwd_t) +selinux_compute_user_contexts(sysadm_passwd_t) # for /proc/meminfo kernel_read_system_state(sysadm_passwd_t) @@ -474,12 +474,12 @@ allow useradd_t self:msgq create_msgq_perms; allow useradd_t self:msg { send receive }; # Allow access to context for shadow file -kernel_get_selinuxfs_mount_point(useradd_t) -kernel_validate_context(useradd_t) -kernel_compute_access_vector(useradd_t) -kernel_compute_create_context(useradd_t) -kernel_compute_relabel_context(useradd_t) -kernel_compute_reachable_user_contexts(useradd_t) +selinux_get_fs_mount(useradd_t) +selinux_validate_context(useradd_t) +selinux_compute_access_vector(useradd_t) +selinux_compute_create_context(useradd_t) +selinux_compute_relabel_context(useradd_t) +selinux_compute_user_contexts(useradd_t) # for getting the number of groups kernel_read_kernel_sysctl(useradd_t) @@ -505,7 +505,7 @@ corecmd_exec_sbin(useradd_t) miscfiles_read_localization(useradd_t) -selinux_read_config(useradd_t) +seutil_read_config(useradd_t) logging_send_syslog_msg(useradd_t) diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te index 3e4ea33b..b1ccfcb3 100644 --- a/refpolicy/policy/modules/kernel/bootloader.te +++ b/refpolicy/policy/modules/kernel/bootloader.te @@ -136,8 +136,8 @@ logging_rw_generic_logs(bootloader_t) miscfiles_read_localization(bootloader_t) -selinux_read_binary_pol(bootloader_t) -selinux_read_loadpol(bootloader_t) +seutil_read_binary_pol(bootloader_t) +seutil_read_loadpol(bootloader_t) ifdef(`distro_debian', ` allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto }; diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if index b3315765..381ef6c4 100644 --- a/refpolicy/policy/modules/services/cron.if +++ b/refpolicy/policy/modules/services/cron.if @@ -91,7 +91,7 @@ define(`cron_per_userdomain_template',` logging_search_logs($1_crond_t) - selinux_read_config($1_crond_t) + seutil_read_config($1_crond_t) miscfiles_read_localization($1_crond_t) @@ -224,18 +224,18 @@ define(`cron_admin_template',` #allow $1_crontab_t user_cron_spool_t:file unlink; # Manipulate other users crontab. - kernel_get_selinuxfs_mount_point($1_crontab_t) - kernel_validate_context($1_crontab_t) - kernel_compute_access_vector($1_crontab_t) - kernel_compute_create_context($1_crontab_t) - kernel_compute_relabel_context($1_crontab_t) - kernel_compute_reachable_user_contexts($1_crontab_t) + selinux_get_fs_mount($1_crontab_t) + selinux_validate_context($1_crontab_t) + selinux_compute_access_vector($1_crontab_t) + selinux_compute_create_context($1_crontab_t) + selinux_compute_relabel_context($1_crontab_t) + selinux_compute_user_contexts($1_crontab_t) tunable_policy(`fcron_crond', ` # fcron wants an instant update of a crontab change for the administrator # also crontab does a security check for crontab -u allow $1_crontab_t self:process setfscreate; - kernel_get_selinuxfs_mount_point($1_crontab_t) + selinux_get_fs_mount($1_crontab_t) ') ') diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index 6a3a773a..6c5bd642 100644 --- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te @@ -77,12 +77,12 @@ allow crond_t system_cron_spool_t:file r_file_perms; kernel_read_kernel_sysctl(crond_t) dev_read_sysfs(crond_t) -kernel_get_selinuxfs_mount_point(crond_t) -kernel_validate_context(crond_t) -kernel_compute_access_vector(crond_t) -kernel_compute_create_context(crond_t) -kernel_compute_relabel_context(crond_t) -kernel_compute_reachable_user_contexts(crond_t) +selinux_get_fs_mount(crond_t) +selinux_validate_context(crond_t) +selinux_compute_access_vector(crond_t) +selinux_compute_create_context(crond_t) +selinux_compute_relabel_context(crond_t) +selinux_compute_user_contexts(crond_t) dev_read_urand(crond_t) @@ -109,9 +109,9 @@ libs_use_shared_libs(crond_t) logging_send_syslog_msg(crond_t) -selinux_read_config(crond_t) -selinux_read_default_contexts(crond_t) -selinux_newrole_sigchld(crond_t) +seutil_read_config(crond_t) +seutil_read_default_contexts(crond_t) +seutil_newrole_sigchld(crond_t) miscfiles_read_localization(crond_t) @@ -287,18 +287,18 @@ miscfiles_read_localization(system_crond_t) miscfiles_read_man_pages(system_crond_t) miscfiles_rw_man_cache(system_crond_t) -selinux_read_config(system_crond_t) +seutil_read_config(system_crond_t) tunable_policy(`cron_can_relabel',` - selinux_domtrans_setfiles(system_crond_t) + seutil_domtrans_setfiles(system_crond_t) ',` - kernel_get_selinuxfs_mount_point(system_crond_t) - kernel_validate_context(system_crond_t) - kernel_compute_access_vector(system_crond_t) - kernel_compute_create_context(system_crond_t) - kernel_compute_relabel_context(system_crond_t) - kernel_compute_reachable_user_contexts(system_crond_t) - selinux_read_file_contexts(system_crond_t) + selinux_get_fs_mount(system_crond_t) + selinux_validate_context(system_crond_t) + selinux_compute_access_vector(system_crond_t) + selinux_compute_create_context(system_crond_t) + selinux_compute_relabel_context(system_crond_t) + selinux_compute_user_contexts(system_crond_t) + seutil_read_file_contexts(system_crond_t) ') ifdef(`TODO',` diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te index 30589910..0119ff78 100644 --- a/refpolicy/policy/modules/services/remotelogin.te +++ b/refpolicy/policy/modules/services/remotelogin.te @@ -43,12 +43,12 @@ files_create_tmp_files(remote_login_t, remote_login_tmp_t, { file dir }) kernel_read_system_state(remote_login_t) kernel_read_kernel_sysctl(remote_login_t) -kernel_get_selinuxfs_mount_point(remote_login_t) -kernel_validate_context(remote_login_t) -kernel_compute_access_vector(remote_login_t) -kernel_compute_create_context(remote_login_t) -kernel_compute_relabel_context(remote_login_t) -kernel_compute_reachable_user_contexts(remote_login_t) +selinux_get_fs_mount(remote_login_t) +selinux_validate_context(remote_login_t) +selinux_compute_access_vector(remote_login_t) +selinux_compute_create_context(remote_login_t) +selinux_compute_relabel_context(remote_login_t) +selinux_compute_user_contexts(remote_login_t) # for SSP/ProPolice dev_read_urand(remote_login_t) @@ -69,8 +69,8 @@ libs_use_shared_libs(remote_login_t) logging_send_syslog_msg(remote_login_t) -selinux_read_config(remote_login_t) -selinux_read_default_contexts(remote_login_t) +seutil_read_config(remote_login_t) +seutil_read_default_contexts(remote_login_t) auth_domtrans_chk_passwd(remote_login_t) auth_dontaudit_read_shadow(remote_login_t) diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te index d14ab32c..49850c84 100644 --- a/refpolicy/policy/modules/services/sendmail.te +++ b/refpolicy/policy/modules/services/sendmail.te @@ -95,7 +95,7 @@ ifdef(`targeted_policy', ` ') optional_policy(`selinux.te',` - selinux_newrole_sigchld(sendmail_t) + seutil_newrole_sigchld(sendmail_t) ') optional_policy(`udev.te', ` diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index 8631a7de..ab48c10f 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -55,7 +55,7 @@ define(`authlogin_per_userdomain_template',` miscfiles_read_localization($1_chkpwd_t) - selinux_read_config($1_chkpwd_t) + seutil_read_config($1_chkpwd_t) #can_ypbind($1_chkpwd_t) #can_kerberos($1_chkpwd_t) @@ -88,7 +88,7 @@ define(`authlogin_per_userdomain_template',` ') optional_policy(`selinux.te',` - selinux_use_newrole_fd($1_chkpwd_t) + seutil_use_newrole_fd($1_chkpwd_t) ') ') dnl end authlogin_per_userdomain_template diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te index e085b1f8..b63ea5b6 100644 --- a/refpolicy/policy/modules/system/authlogin.te +++ b/refpolicy/policy/modules/system/authlogin.te @@ -165,7 +165,7 @@ libs_use_shared_libs(pam_console_t) logging_send_syslog_msg(pam_console_t) -selinux_read_file_contexts(pam_console_t) +seutil_read_file_contexts(pam_console_t) userdom_dontaudit_use_unpriv_user_fd(pam_console_t) @@ -185,7 +185,7 @@ optional_policy(`hotplug.te', ` ') optional_policy(`selinux.te',` - selinux_newrole_sigchld(pam_console_t) + seutil_newrole_sigchld(pam_console_t) ') optional_policy(`udev.te', ` @@ -250,7 +250,7 @@ logging_send_syslog_msg(system_chkpwd_t) miscfiles_read_localization(system_chkpwd_t) -selinux_read_config(system_chkpwd_t) +seutil_read_config(system_chkpwd_t) tunable_policy(`use_dns',` allow system_chkpwd_t self:udp_socket create_socket_perms; diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te index 6c406632..fb8eb669 100644 --- a/refpolicy/policy/modules/system/clock.te +++ b/refpolicy/policy/modules/system/clock.te @@ -64,7 +64,7 @@ ifdef(`targeted_policy', ` ') optional_policy(`selinux.te',` - selinux_newrole_sigchld(hwclock_t) + seutil_newrole_sigchld(hwclock_t) ') optional_policy(`udev.te', ` diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index 4028f3b8..ea6d2b67 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if @@ -166,7 +166,7 @@ define(`files_relabel_all_files',` allow $1 { file_type $2 }:chr_file { getattr relabelfrom }; # satisfy the assertions: - selinux_relabelto_binary_pol($1) + seutil_relabelto_binary_pol($1) ') define(`files_relabel_all_files_depend',` @@ -206,7 +206,7 @@ define(`files_manage_all_files',` allow $1 { file_type $2 }:sock_file create_file_perms; # satisfy the assertions: - selinux_write_binary_pol($1) + seutil_write_binary_pol($1) bootloader_manage_kernel_modules($1) ') diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te index 3d99ae2f..000fd821 100644 --- a/refpolicy/policy/modules/system/hostname.te +++ b/refpolicy/policy/modules/system/hostname.te @@ -80,7 +80,7 @@ optional_policy(`hotplug.te',` ') optional_policy(`selinux.te',` - selinux_newrole_sigchld(hostname_t) + seutil_newrole_sigchld(hostname_t) ') optional_policy(`udev.te', ` diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te index 72de9773..9775a8d6 100644 --- a/refpolicy/policy/modules/system/hotplug.te +++ b/refpolicy/policy/modules/system/hotplug.te @@ -140,7 +140,7 @@ optional_policy(`mta.te', ` ') optional_policy(`selinux.te',` - selinux_newrole_sigchld(hotplug_t) + seutil_newrole_sigchld(hotplug_t) ') optional_policy(`sysnetwork.te',` diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 9a3708a1..f6217ed8 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -88,7 +88,7 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; # Run init scripts. domain_auto_trans(init_t,initrc_exec_t,initrc_t) -kernel_set_boolean(init_t) +selinux_set_boolean(init_t) kernel_read_system_state(init_t) dev_read_sysfs(init_t) kernel_share_state(init_t) @@ -123,7 +123,7 @@ libs_rw_ld_so_cache(init_t) logging_send_syslog_msg(init_t) logging_rw_generic_logs(init_t) -selinux_read_config(init_t) +seutil_read_config(init_t) miscfiles_read_localization(init_t) @@ -184,7 +184,7 @@ dev_read_sysfs(initrc_t) dev_rw_sysfs(initrc_t) kernel_read_all_sysctl(initrc_t) kernel_rw_all_sysctl(initrc_t) -kernel_get_selinux_enforcement_mode(initrc_t) +selinux_get_enforce_mode(initrc_t) dev_list_usbfs(initrc_t) # for lsof which is used by alsa shutdown: kernel_dontaudit_getattr_message_if(initrc_t) @@ -283,7 +283,7 @@ miscfiles_read_localization(initrc_t) modutils_read_module_conf(initrc_t) -selinux_read_config(initrc_t) +seutil_read_config(initrc_t) sysnet_read_config(initrc_t) @@ -308,7 +308,7 @@ ifdef(`distro_redhat',` kernel_dontaudit_use_fd(initrc_t) files_dontaudit_read_root_file(initrc_t) - kernel_set_enforcement_mode(initrc_t) + selinux_set_enforce_mode(initrc_t) # Create and read /boot/kernel.h and /boot/System.map. # Redhat systems typically create this file at boot time. diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te index 9064b0fe..dd2edc75 100644 --- a/refpolicy/policy/modules/system/iptables.te +++ b/refpolicy/policy/modules/system/iptables.te @@ -89,7 +89,7 @@ optional_policy(`modutils.te', ` ') optional_policy(`selinux.te',` - selinux_newrole_sigchld(iptables_t) + seutil_newrole_sigchld(iptables_t) ') optional_policy(`udev.te', ` diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te index fc98a885..fb6ae0ab 100644 --- a/refpolicy/policy/modules/system/locallogin.te +++ b/refpolicy/policy/modules/system/locallogin.te @@ -53,12 +53,12 @@ files_create_tmp_files(local_login_t, local_login_tmp_t, { file dir }) kernel_read_system_state(local_login_t) kernel_read_kernel_sysctl(local_login_t) -kernel_get_selinuxfs_mount_point(local_login_t) -kernel_validate_context(local_login_t) -kernel_compute_access_vector(local_login_t) -kernel_compute_create_context(local_login_t) -kernel_compute_relabel_context(local_login_t) -kernel_compute_reachable_user_contexts(local_login_t) +selinux_get_fs_mount(local_login_t) +selinux_validate_context(local_login_t) +selinux_compute_access_vector(local_login_t) +selinux_compute_create_context(local_login_t) +selinux_compute_relabel_context(local_login_t) +selinux_compute_user_contexts(local_login_t) # for SSP/ProPolice dev_read_urand(local_login_t) @@ -95,8 +95,8 @@ logging_send_syslog_msg(local_login_t) miscfiles_read_localization(local_login_t) -selinux_read_config(local_login_t) -selinux_read_default_contexts(local_login_t) +seutil_read_config(local_login_t) +seutil_read_default_contexts(local_login_t) userdom_spec_domtrans_all_users(local_login_t) userdom_signal_all_users(local_login_t) @@ -223,8 +223,8 @@ libs_use_shared_libs(sulogin_t) logging_send_syslog_msg(sulogin_t) -selinux_read_config(sulogin_t) -selinux_read_default_contexts(sulogin_t) +seutil_read_config(sulogin_t) +seutil_read_default_contexts(sulogin_t) auth_read_shadow(sulogin_t) @@ -242,12 +242,12 @@ ifdef(`sulogin_no_pam', ` init_get_process_group(sulogin_t) ', ` allow sulogin_t self:process setexec; - kernel_get_selinuxfs_mount_point(sulogin_t) - kernel_validate_context(sulogin_t) - kernel_compute_access_vector(sulogin_t) - kernel_compute_create_context(sulogin_t) - kernel_compute_relabel_context(sulogin_t) - kernel_compute_reachable_user_contexts(sulogin_t) + selinux_get_fs_mount(sulogin_t) + selinux_validate_context(sulogin_t) + selinux_compute_access_vector(sulogin_t) + selinux_compute_create_context(sulogin_t) + selinux_compute_relabel_context(sulogin_t) + selinux_compute_user_contexts(sulogin_t) ') ifdef(`TODO',` diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te index 69f178f8..b608f9db 100644 --- a/refpolicy/policy/modules/system/logging.te +++ b/refpolicy/policy/modules/system/logging.te @@ -86,7 +86,7 @@ ifdef(`targeted_policy', ` ') optional_policy(`selinux.te',` - selinux_newrole_sigchld(auditd_t) + seutil_newrole_sigchld(auditd_t) ') optional_policy(`udev.te', ` @@ -250,7 +250,7 @@ ifdef(`targeted_policy', ` ') optional_policy(`selinux.te',` - selinux_newrole_sigchld(syslogd_t) + seutil_newrole_sigchld(syslogd_t) ') optional_policy(`udev.te', ` diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te index 390a82e5..b3517cb5 100644 --- a/refpolicy/policy/modules/system/lvm.te +++ b/refpolicy/policy/modules/system/lvm.te @@ -69,12 +69,12 @@ type_transition lvm_t lvm_etc_t:file lvm_metadata_t; files_create_etc_config(lvm_t,lvm_metadata_t,file) kernel_read_system_state(lvm_t) -kernel_get_selinuxfs_mount_point(lvm_t) -kernel_validate_context(lvm_t) -kernel_compute_access_vector(lvm_t) -kernel_compute_create_context(lvm_t) -kernel_compute_relabel_context(lvm_t) -kernel_compute_reachable_user_contexts(lvm_t) +selinux_get_fs_mount(lvm_t) +selinux_validate_context(lvm_t) +selinux_compute_access_vector(lvm_t) +selinux_compute_create_context(lvm_t) +selinux_compute_relabel_context(lvm_t) +selinux_compute_user_contexts(lvm_t) kernel_read_kernel_sysctl(lvm_t) dev_read_sysfs(lvm_t) # Read /sys/block. Device mapper metadata is kept there. @@ -132,9 +132,9 @@ logging_send_syslog_msg(lvm_t) miscfiles_read_localization(lvm_t) -selinux_read_config(lvm_t) -selinux_read_file_contexts(lvm_t) -selinux_newrole_sigchld(lvm_t) +seutil_read_config(lvm_t) +seutil_read_file_contexts(lvm_t) +seutil_newrole_sigchld(lvm_t) ifdef(`distro_redhat',` # this is from the initrd: diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if index 5a4a99f6..c201b4f0 100644 --- a/refpolicy/policy/modules/system/selinuxutil.if +++ b/refpolicy/policy/modules/system/selinuxutil.if @@ -2,7 +2,7 @@ ## Policy for SELinux policy and userland applications. ####################################### -## +## ## ## Execute checkpolicy in the checkpolicy domain. ## @@ -11,7 +11,7 @@ ## ## # -define(`selinux_domtrans_checkpol',` +define(`seutil_domtrans_checkpol',` gen_require(`$0'_depend) allow $1 checkpolicy_exec_t:file rx_file_perms; @@ -25,7 +25,7 @@ define(`selinux_domtrans_checkpol',` allow checkpolicy_t $1:process sigchld; ') -define(`selinux_domtrans_checkpol_depend',` +define(`seutil_domtrans_checkpol_depend',` type checkpolicy_t, checkpolicy_exec_t; class file rx_file_perms @@ -35,7 +35,7 @@ define(`selinux_domtrans_checkpol_depend',` ') ######################################## -## +## ## ## Execute checkpolicy in the checkpolicy domain, and ## allow the specified role the checkpolicy domain, @@ -53,15 +53,15 @@ define(`selinux_domtrans_checkpol_depend',` ## ## # -define(`selinux_run_checkpol',` +define(`seutil_run_checkpol',` gen_require(`$0'_depend) - selinux_domtrans_checkpol($1) + seutil_domtrans_checkpol($1) role $2 types checkpolicy_t; allow checkpolicy_t $3:chr_file { getattr read write ioctl }; ') -define(`selinux_run_checkpol_depend',` +define(`seutil_run_checkpol_depend',` type checkpolicy_t; class chr_file { getattr read write ioctl }; @@ -69,22 +69,22 @@ define(`selinux_run_checkpol_depend',` ####################################### # -# selinux_exec_checkpol(domain) +# seutil_exec_checkpol(domain) # -define(`selinux_exec_checkpol',` +define(`seutil_exec_checkpol',` gen_require(`$0'_depend) can_exec($1,checkpolicy_exec_t) ') -define(`selinux_exec_checkpol_depend',` +define(`seutil_exec_checkpol_depend',` type checkpolicy_exec_t; class file { rx_file_perms execute_no_trans }; ') ####################################### -## +## ## ## Execute load_policy in the load_policy domain. ## @@ -93,7 +93,7 @@ define(`selinux_exec_checkpol_depend',` ## ## # -define(`selinux_domtrans_loadpol',` +define(`seutil_domtrans_loadpol',` gen_require(`$0'_depend) allow $1 load_policy_exec_t:file rx_file_perms; @@ -107,7 +107,7 @@ define(`selinux_domtrans_loadpol',` allow load_policy_t $1:process sigchld; ') -define(`selinux_domtrans_loadpol_depend',` +define(`seutil_domtrans_loadpol_depend',` type load_policy_t, load_policy_exec_t; class file rx_file_perms; @@ -117,7 +117,7 @@ define(`selinux_domtrans_loadpol_depend',` ') ######################################## -## +## ## ## Execute load_policy in the load_policy domain, and ## allow the specified role the load_policy domain, @@ -135,15 +135,15 @@ define(`selinux_domtrans_loadpol_depend',` ## ## # -define(`selinux_run_loadpol',` +define(`seutil_run_loadpol',` gen_require(`$0'_depend) - selinux_domtrans_loadpol($1) + seutil_domtrans_loadpol($1) role $2 types load_policy_t; allow load_policy_t $3:chr_file { getattr read write ioctl }; ') -define(`selinux_run_loadpol_depend',` +define(`seutil_run_loadpol_depend',` type load_policy_t; class chr_file { getattr read write ioctl }; @@ -151,15 +151,15 @@ define(`selinux_run_loadpol_depend',` ####################################### # -# selinux_exec_loadpol(domain) +# seutil_exec_loadpol(domain) # -define(`selinux_exec_loadpol',` +define(`seutil_exec_loadpol',` gen_require(`$0'_depend) can_exec($1,load_policy_exec_t) ') -define(`selinux_exec_loadpol_depend',` +define(`seutil_exec_loadpol_depend',` type load_policy_exec_t; class file { rx_file_perms execute_no_trans }; @@ -167,22 +167,22 @@ define(`selinux_exec_loadpol_depend',` ####################################### # -# selinux_read_loadpol(domain) +# seutil_read_loadpol(domain) # -define(`selinux_read_loadpol',` +define(`seutil_read_loadpol',` gen_require(`$0'_depend) allow $1 load_policy_exec_t:file r_file_perms; ') -define(`selinux_read_loadpol_depend',` +define(`seutil_read_loadpol_depend',` type load_policy_exec_t; class file r_file_perms ') ####################################### -## +## ## ## Execute newrole in the load_policy domain. ## @@ -191,7 +191,7 @@ define(`selinux_read_loadpol_depend',` ## ## # -define(`selinux_domtrans_newrole',` +define(`seutil_domtrans_newrole',` gen_require(`$0'_depend) allow $1 newrole_exec_t:file rx_file_perms; @@ -205,7 +205,7 @@ define(`selinux_domtrans_newrole',` allow newrole_t $1:process sigchld; ') -define(`selinux_domtrans_newrole_depend',` +define(`seutil_domtrans_newrole_depend',` type newrole_t, newrole_exec_t; class file rx_file_perms; @@ -215,7 +215,7 @@ define(`selinux_domtrans_newrole_depend',` ') ######################################## -## +## ## ## Execute newrole in the newrole domain, and ## allow the specified role the newrole domain, @@ -232,15 +232,15 @@ define(`selinux_domtrans_newrole_depend',` ## ## # -define(`selinux_run_newrole',` +define(`seutil_run_newrole',` gen_require(`$0'_depend) - selinux_domtrans_newrole($1) + seutil_domtrans_newrole($1) role $2 types newrole_t; allow newrole_t $3:chr_file { getattr read write ioctl }; ') -define(`selinux_run_newrole_depend',` +define(`seutil_run_newrole_depend',` type newrole_t; class chr_file { getattr read write ioctl }; @@ -248,22 +248,22 @@ define(`selinux_run_newrole_depend',` ####################################### # -# selinux_exec_newrole(domain) +# seutil_exec_newrole(domain) # -define(`selinux_exec_newrole',` +define(`seutil_exec_newrole',` gen_require(`$0'_depend) can_exec($1,newrole_exec_t) ') -define(`selinux_exec_newrole_depend',` +define(`seutil_exec_newrole_depend',` type newrole_t, newrole_exec_t; class file { rx_file_perms execute_no_trans }; ') ######################################## -## +## ## ## Do not audit the caller attempts to send ## a signal to newrole. @@ -273,13 +273,13 @@ define(`selinux_exec_newrole_depend',` ## ## # -define(`selinux_dontaudit_newrole_signal',` +define(`seutil_dontaudit_newrole_signal',` gen_require(`$0'_depend) dontaudit $1 newrole_t:process signal; ') -define(`selinux_dontaudit_newrole_signal_depend',` +define(`seutil_dontaudit_newrole_signal_depend',` type newrole_t; class process signal; @@ -287,15 +287,15 @@ define(`selinux_dontaudit_newrole_signal_depend',` ####################################### # -# selinux_newrole_sigchld(domain) +# seutil_newrole_sigchld(domain) # -define(`selinux_newrole_sigchld',` +define(`seutil_newrole_sigchld',` gen_require(`$0'_depend) allow $1 newrole_t:process sigchld; ') -define(`selinux_newrole_sigchld_depend',` +define(`seutil_newrole_sigchld_depend',` type newrole_t; class process sigchld; @@ -303,22 +303,22 @@ define(`selinux_newrole_sigchld_depend',` ####################################### # -# selinux_use_newrole_fd(domain) +# seutil_use_newrole_fd(domain) # -define(`selinux_use_newrole_fd',` +define(`seutil_use_newrole_fd',` gen_require(`$0'_depend) allow $1 newrole_t:fd use; ') -define(`selinux_use_newrole_fd_depend',` +define(`seutil_use_newrole_fd_depend',` type newrole_t; class fd use; ') ####################################### -## +## ## ## Execute restorecon in the restorecon domain. ## @@ -327,7 +327,7 @@ define(`selinux_use_newrole_fd_depend',` ## ## # -define(`selinux_domtrans_restorecon',` +define(`seutil_domtrans_restorecon',` gen_require(`$0'_depend) allow $1 restorecon_exec_t:file rx_file_perms; @@ -341,7 +341,7 @@ define(`selinux_domtrans_restorecon',` allow restorecon_t $1:process sigchld; ') -define(`selinux_domtrans_restorecon_depend',` +define(`seutil_domtrans_restorecon_depend',` type restorecon_t, restorecon_exec_t; class file rx_file_perms; @@ -351,7 +351,7 @@ define(`selinux_domtrans_restorecon_depend',` ') ######################################## -## +## ## ## Execute restorecon in the restorecon domain, and ## allow the specified role the restorecon domain, @@ -368,15 +368,15 @@ define(`selinux_domtrans_restorecon_depend',` ## ## # -define(`selinux_run_restorecon',` +define(`seutil_run_restorecon',` gen_require(`$0'_depend) - selinux_domtrans_restorecon($1) + seutil_domtrans_restorecon($1) role $2 types restorecon_t; allow restorecon_t $3:chr_file { getattr read write ioctl }; ') -define(`selinux_run_restorecon_depend',` +define(`seutil_run_restorecon_depend',` type restorecon_t; class chr_file { getattr read write ioctl }; @@ -384,21 +384,21 @@ define(`selinux_run_restorecon_depend',` ####################################### # -# selinux_exec_restorecon(domain) +# seutil_exec_restorecon(domain) # -define(`selinux_exec_restorecon',` +define(`seutil_exec_restorecon',` gen_require(`$0'_depend) can_exec($1,restorecon_exec_t) ') -define(`selinux_exec_restorecon_depend',` +define(`seutil_exec_restorecon_depend',` type restorecon_t, restorecon_exec_t; class file { rx_file_perms execute_no_trans }; ') ######################################## -## +## ## ## Execute run_init in the run_init domain. ## @@ -407,7 +407,7 @@ define(`selinux_exec_restorecon_depend',` ## ## # -define(`selinux_domtrans_runinit',` +define(`seutil_domtrans_runinit',` gen_require(`$0'_depend) allow $1 run_init_exec_t:file rx_file_perms; @@ -421,7 +421,7 @@ define(`selinux_domtrans_runinit',` allow run_init_t $1:process sigchld; ') -define(`selinux_domtrans_runinit_depend',` +define(`seutil_domtrans_runinit_depend',` type run_init_t, run_init_exec_t; class file rx_file_perms; @@ -431,7 +431,7 @@ define(`selinux_domtrans_runinit_depend',` ') ######################################## -## +## ## ## Execute run_init in the run_init domain, and ## allow the specified role the run_init domain, @@ -448,15 +448,15 @@ define(`selinux_domtrans_runinit_depend',` ## ## # -define(`selinux_run_runinit',` +define(`seutil_run_runinit',` gen_require(`$0'_depend) - selinux_domtrans_runinit($1) + seutil_domtrans_runinit($1) role $2 types run_init_t; allow run_init_t $3:chr_file { getattr read write ioctl }; ') -define(`selinux_run_runinit_depend',` +define(`seutil_run_runinit_depend',` type run_init_t; class chr_file { getattr read write ioctl }; @@ -464,22 +464,22 @@ define(`selinux_run_runinit_depend',` ######################################## # -# selinux_use_runinit_fd(domain) +# seutil_use_runinit_fd(domain) # -define(`selinux_use_runinit_fd',` +define(`seutil_use_runinit_fd',` gen_require(`$0'_depend) allow $1 run_init_t:fd use; ') -define(`selinux_use_runinit_fd_depend',` +define(`seutil_use_runinit_fd_depend',` type run_init_t; class fd use; ') ######################################## -## +## ## ## Execute setfiles in the setfiles domain. ## @@ -488,7 +488,7 @@ define(`selinux_use_runinit_fd_depend',` ## ## # -define(`selinux_domtrans_setfiles',` +define(`seutil_domtrans_setfiles',` gen_require(`$0'_depend) allow $1 setfiles_exec_t:file rx_file_perms; @@ -502,7 +502,7 @@ define(`selinux_domtrans_setfiles',` allow setfiles_t $1:process sigchld; ') -define(`selinux_domtrans_setfiles_depend',` +define(`seutil_domtrans_setfiles_depend',` type setfiles_t, setfiles_exec_t; class file rx_file_perms; @@ -512,7 +512,7 @@ define(`selinux_domtrans_setfiles_depend',` ') ######################################## -## +## ## ## Execute setfiles in the setfiles domain, and ## allow the specified role the setfiles domain, @@ -529,15 +529,15 @@ define(`selinux_domtrans_setfiles_depend',` ## ## # -define(`selinux_run_setfiles',` +define(`seutil_run_setfiles',` gen_require(`$0'_depend) - selinux_domtrans_setfiles($1) + seutil_domtrans_setfiles($1) role $2 types setfiles_t; allow setfiles_t $3:chr_file { getattr read write ioctl }; ') -define(`selinux_run_setfiles_depend',` +define(`seutil_run_setfiles_depend',` type setfiles_t; class chr_file { getattr read write ioctl }; @@ -545,15 +545,15 @@ define(`selinux_run_setfiles_depend',` ####################################### # -# selinux_exec_setfiles(domain) +# seutil_exec_setfiles(domain) # -define(`selinux_exec_setfiles',` +define(`seutil_exec_setfiles',` gen_require(`$0'_depend) can_exec($1,setfiles_exec_t) ') -define(`selinux_exec_setfiles_depend',` +define(`seutil_exec_setfiles_depend',` type setfiles_exec_t; class file { rx_file_perms execute_no_trans }; @@ -561,16 +561,16 @@ define(`selinux_exec_setfiles_depend',` ######################################## # -# selinux_read_config(domain) +# seutil_read_config(domain) # -define(`selinux_read_config',` +define(`seutil_read_config',` gen_require(`$0'_depend) allow $1 selinux_config_t:dir r_dir_perms; allow $1 selinux_config_t:file r_file_perms; ') -define(`selinux_read_config_depend',` +define(`seutil_read_config_depend',` type selinux_config_t; class dir r_dir_perms; @@ -579,9 +579,9 @@ define(`selinux_read_config_depend',` ######################################## # -# selinux_read_default_contexts(domain) +# seutil_read_default_contexts(domain) # -define(`selinux_read_default_contexts',` +define(`seutil_read_default_contexts',` gen_require(`$0'_depend) allow $1 selinux_config_t:dir search; @@ -589,7 +589,7 @@ define(`selinux_read_default_contexts',` allow $1 default_context_t:file r_file_perms; ') -define(`selinux_read_default_contexts_depend',` +define(`seutil_read_default_contexts_depend',` type selinux_config_t, default_context_t; class dir r_dir_perms; @@ -598,9 +598,9 @@ define(`selinux_read_default_contexts_depend',` ######################################## # -# selinux_read_file_contexts(domain) +# seutil_read_file_contexts(domain) # -define(`selinux_read_file_contexts',` +define(`seutil_read_file_contexts',` gen_require(`$0'_depend) allow $1 selinux_config_t:dir search; @@ -608,7 +608,7 @@ define(`selinux_read_file_contexts',` allow $1 file_context_t:file r_file_perms; ') -define(`selinux_read_file_contexts_depend',` +define(`seutil_read_file_contexts_depend',` type selinux_config_t, file_context_t; class dir r_dir_perms; @@ -617,16 +617,16 @@ define(`selinux_read_file_contexts_depend',` ######################################## # -# selinux_read_binary_pol(domain) +# seutil_read_binary_pol(domain) # -define(`selinux_read_binary_pol',` +define(`seutil_read_binary_pol',` gen_require(`$0'_depend) allow $1 policy_config_t:dir r_dir_perms; allow $1 policy_config_t:file r_file_perms; ') -define(`selinux_read_binary_pol_depend',` +define(`seutil_read_binary_pol_depend',` type policy_config_t; class dir r_dir_perms; @@ -635,9 +635,9 @@ define(`selinux_read_binary_pol_depend',` ######################################## # -# selinux_write_binary_pol(domain) +# seutil_write_binary_pol(domain) # -define(`selinux_write_binary_pol',` +define(`seutil_write_binary_pol',` gen_require(`$0'_depend) allow $1 policy_config_t:dir rw_dir_perms; @@ -645,7 +645,7 @@ define(`selinux_write_binary_pol',` typeattribute $1 can_write_binary_policy; ') -define(`selinux_write_binary_pol_depend',` +define(`seutil_write_binary_pol_depend',` attribute can_write_binary_policy; type policy_config_t; @@ -655,7 +655,7 @@ define(`selinux_write_binary_pol_depend',` ') ######################################## -## +## ## ## Allow the caller to relabel a file to the binary policy type. ## @@ -664,14 +664,14 @@ define(`selinux_write_binary_pol_depend',` ## ## # -define(`selinux_relabelto_binary_pol',` +define(`seutil_relabelto_binary_pol',` gen_require(`$0'_depend) allow $1 policy_config_t:file relabelto; typeattribute $1 can_relabelto_binary_policy; ') -define(`selinux_relabelto_binary_pol_depend',` +define(`seutil_relabelto_binary_pol_depend',` attribute can_relabelto_binary_policy; type policy_config_t; @@ -681,9 +681,9 @@ define(`selinux_relabelto_binary_pol_depend',` ######################################## # -# selinux_manage_binary_pol(domain) +# seutil_manage_binary_pol(domain) # -define(`selinux_manage_binary_pol',` +define(`seutil_manage_binary_pol',` gen_require(`$0'_depend) # FIXME: search etc_t:dir @@ -693,7 +693,7 @@ define(`selinux_manage_binary_pol',` typeattribute $1 can_write_binary_policy; ') -define(`selinux_manage_binary_pol_depend',` +define(`seutil_manage_binary_pol_depend',` attribute can_write_binary_policy; type selinux_config_t, policy_config_t; @@ -703,9 +703,9 @@ define(`selinux_manage_binary_pol_depend',` ######################################## # -# selinux_read_src_pol(domain) +# seutil_read_src_pol(domain) # -define(`selinux_read_src_pol',` +define(`seutil_read_src_pol',` gen_require(`$0'_depend) # FIXME: search etc_t:dir @@ -714,7 +714,7 @@ define(`selinux_read_src_pol',` allow $1 policy_src_t:file r_file_perms; ') -define(`selinux_read_src_pol_depend',` +define(`seutil_read_src_pol_depend',` type selinux_config_t, policy_src_t; class dir r_dir_perms; @@ -723,9 +723,9 @@ define(`selinux_read_src_pol_depend',` ######################################## # -# selinux_manage_src_pol(domain) +# seutil_manage_src_pol(domain) # -define(`selinux_manage_src_pol',` +define(`seutil_manage_src_pol',` gen_require(`$0'_depend) # FIXME: search etc_t:dir @@ -734,7 +734,7 @@ define(`selinux_manage_src_pol',` allow $1 policy_src_t:file create_file_perms; ') -define(`selinux_manage_src_pol_depend',` +define(`seutil_manage_src_pol_depend',` type selinux_config_t, policy_src_t; class dir create_dir_perms; diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index 81aea9ab..28a6751f 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -149,9 +149,9 @@ allow load_policy_t selinux_config_t:dir r_dir_perms; allow load_policy_t selinux_config_t:file r_file_perms; allow load_policy_t selinux_config_t:lnk_file r_file_perms; -kernel_get_selinuxfs_mount_point(load_policy_t) -kernel_load_policy(load_policy_t) -kernel_set_boolean(load_policy_t) +selinux_get_fs_mount(load_policy_t) +selinux_load_policy(load_policy_t) +selinux_set_boolean(load_policy_t) fs_getattr_xattr_fs(load_policy_t) @@ -196,12 +196,12 @@ allow newrole_t { selinux_config_t default_context_t }:lnk_file r_file_perms; kernel_read_system_state(newrole_t) kernel_read_kernel_sysctl(newrole_t) -kernel_get_selinuxfs_mount_point(newrole_t) -kernel_validate_context(newrole_t) -kernel_compute_access_vector(newrole_t) -kernel_compute_create_context(newrole_t) -kernel_compute_relabel_context(newrole_t) -kernel_compute_reachable_user_contexts(newrole_t) +selinux_get_fs_mount(newrole_t) +selinux_validate_context(newrole_t) +selinux_compute_access_vector(newrole_t) +selinux_compute_create_context(newrole_t) +selinux_compute_relabel_context(newrole_t) +selinux_compute_user_contexts(newrole_t) dev_read_urand(newrole_t) @@ -280,12 +280,12 @@ allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_ kernel_use_fd(restorecon_t) kernel_read_system_state(restorecon_t) -kernel_get_selinuxfs_mount_point(restorecon_t) -kernel_validate_context(restorecon_t) -kernel_compute_access_vector(restorecon_t) -kernel_compute_create_context(restorecon_t) -kernel_compute_relabel_context(restorecon_t) -kernel_compute_reachable_user_contexts(restorecon_t) +selinux_get_fs_mount(restorecon_t) +selinux_validate_context(restorecon_t) +selinux_compute_access_vector(restorecon_t) +selinux_compute_create_context(restorecon_t) +selinux_compute_relabel_context(restorecon_t) +selinux_compute_user_contexts(restorecon_t) fs_getattr_xattr_fs(restorecon_t) @@ -343,12 +343,12 @@ allow restorecon_t kernel_t:fifo_file { read write }; # Run_init local policy # -kernel_get_selinuxfs_mount_point(run_init_t) -kernel_validate_context(run_init_t) -kernel_compute_access_vector(run_init_t) -kernel_compute_create_context(run_init_t) -kernel_compute_relabel_context(run_init_t) -kernel_compute_reachable_user_contexts(run_init_t) +selinux_get_fs_mount(run_init_t) +selinux_validate_context(run_init_t) +selinux_compute_access_vector(run_init_t) +selinux_compute_create_context(run_init_t) +selinux_compute_relabel_context(run_init_t) +selinux_compute_user_contexts(run_init_t) ifdef(`targeted_policy',`',` allow run_init_t self:process setexec; @@ -385,8 +385,8 @@ ifdef(`targeted_policy',`',` libs_use_ld_so(run_init_t) libs_use_shared_libs(run_init_t) - selinux_read_config(run_init_t) - selinux_read_default_contexts(run_init_t) + seutil_read_config(run_init_t) + seutil_read_default_contexts(run_init_t) miscfiles_read_localization(run_init_t) @@ -414,12 +414,12 @@ allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms; kernel_read_system_state(setfiles_t) -kernel_get_selinuxfs_mount_point(setfiles_t) -kernel_validate_context(setfiles_t) -kernel_compute_access_vector(setfiles_t) -kernel_compute_create_context(setfiles_t) -kernel_compute_relabel_context(setfiles_t) -kernel_compute_reachable_user_contexts(setfiles_t) +selinux_get_fs_mount(setfiles_t) +selinux_validate_context(setfiles_t) +selinux_compute_access_vector(setfiles_t) +selinux_compute_create_context(setfiles_t) +selinux_compute_relabel_context(setfiles_t) +selinux_compute_user_contexts(setfiles_t) fs_getattr_xattr_fs(setfiles_t) diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te index 1237c5c9..0faca2c0 100644 --- a/refpolicy/policy/modules/system/sysnetwork.te +++ b/refpolicy/policy/modules/system/sysnetwork.te @@ -157,7 +157,7 @@ optional_policy(`nscd.te',` ') optional_policy(`selinux.te',` - selinux_newrole_sigchld(dhcpc_t) + seutil_newrole_sigchld(dhcpc_t) ') optional_policy(`udev.te',` @@ -285,7 +285,7 @@ logging_send_syslog_msg(ifconfig_t) miscfiles_read_localization(ifconfig_t) -selinux_use_runinit_fd(ifconfig_t) +seutil_use_runinit_fd(ifconfig_t) userdom_use_all_user_fd(ifconfig_t) diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te index bfeb6f6d..c4cc2d9a 100644 --- a/refpolicy/policy/modules/system/udev.te +++ b/refpolicy/policy/modules/system/udev.te @@ -71,12 +71,12 @@ kernel_read_hotplug_sysctl(udev_t) kernel_read_modprobe_sysctl(udev_t) kernel_read_kernel_sysctl(udev_t) dev_read_sysfs(udev_t) -kernel_get_selinuxfs_mount_point(udev_t) -kernel_validate_context(udev_t) -kernel_compute_access_vector(udev_t) -kernel_compute_create_context(udev_t) -kernel_compute_relabel_context(udev_t) -kernel_compute_reachable_user_contexts(udev_t) +selinux_get_fs_mount(udev_t) +selinux_validate_context(udev_t) +selinux_compute_access_vector(udev_t) +selinux_compute_create_context(udev_t) +selinux_compute_relabel_context(udev_t) +selinux_compute_user_contexts(udev_t) dev_manage_dev_nodes(udev_t) @@ -107,10 +107,10 @@ miscfiles_read_localization(udev_t) modutils_domtrans_insmod(udev_t) -selinux_read_config(udev_t) -selinux_read_default_contexts(udev_t) -selinux_read_file_contexts(udev_t) -selinux_domtrans_restorecon(udev_t) +seutil_read_config(udev_t) +seutil_read_default_contexts(udev_t) +seutil_read_file_contexts(udev_t) +seutil_domtrans_restorecon(udev_t) sysnet_domtrans_ifconfig(udev_t) diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index b6265918..db11429e 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -102,7 +102,7 @@ define(`base_user_domain',` per_userdomain_templates($1) kernel_read_kernel_sysctl($1_t) - kernel_get_selinuxfs_mount_point($1_t) + selinux_get_fs_mount($1_t) # Very permissive allowing every domain to see every type: kernel_get_sysvipc_info($1_t) # Find CDROM devices: @@ -170,7 +170,7 @@ define(`base_user_domain',` miscfiles_read_localization($1_t) miscfiles_rw_man_cache($1_t) - selinux_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) + seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) mta_rw_spool($1_t) @@ -475,10 +475,10 @@ define(`user_domain_template', ` miscfiles_read_man_pages($1_t) - selinux_read_config($1_t) + seutil_read_config($1_t) # Allow users to execute checkpolicy without a domain transition # so it can be used without privilege to write real binary policy file - selinux_exec_checkpol($1_t) + seutil_exec_checkpol($1_t) tunable_policy(`user_dmesg',` kernel_read_ring_buffer($1_t) @@ -500,7 +500,7 @@ define(`user_domain_template', ` optional_policy(`selinux.te',` # for when the network connection is killed - selinux_dontaudit_newrole_signal($1_t) + seutil_dontaudit_newrole_signal($1_t) ') # Need the following rule to allow users to run vpnc @@ -664,16 +664,16 @@ define(`admin_domain_template',` kernel_read_ring_buffer($1_t) kernel_get_sysvipc_info($1_t) kernel_rw_all_sysctl($1_t) - kernel_set_enforcement_mode($1_t) - kernel_set_boolean($1_t) - kernel_set_security_parameters($1_t) + selinux_set_enforce_mode($1_t) + selinux_set_boolean($1_t) + selinux_set_parameters($1_t) # Get security policy decisions: - kernel_get_selinuxfs_mount_point($1_t) - kernel_validate_context($1_t) - kernel_compute_access_vector($1_t) - kernel_compute_create_context($1_t) - kernel_compute_relabel_context($1_t) - kernel_compute_reachable_user_contexts($1_t) + selinux_get_fs_mount($1_t) + selinux_validate_context($1_t) + selinux_compute_access_vector($1_t) + selinux_compute_create_context($1_t) + selinux_compute_relabel_context($1_t) + selinux_compute_user_contexts($1_t) # signal unlabeled processes: kernel_kill_unlabeled($1_t) kernel_signal_unlabeled($1_t) @@ -722,14 +722,14 @@ define(`admin_domain_template',` modutils_domtrans_insmod($1_t) - selinux_read_config($1_t) + seutil_read_config($1_t) # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator # cannot directly manipulate policy files with arbitrary programs. - selinux_manage_src_pol($1_t) + seutil_manage_src_pol($1_t) # Violates the goal of limiting write access to checkpolicy. # But presently necessary for installing the file_contexts file. - selinux_manage_binary_pol($1_t) + seutil_manage_binary_pol($1_t) optional_policy(`cron.te',` cron_admin_template($1) diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index 751d6e92..422261e9 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -112,12 +112,12 @@ optional_policy(`rpm.te',` ') optional_policy(`selinux.te',` - selinux_run_checkpol(sysadm_t,sysadm_r,admin_terminal) - selinux_run_loadpol(sysadm_t,sysadm_r,admin_terminal) - selinux_run_restorecon(sysadm_t,sysadm_r,admin_terminal) - selinux_run_setfiles(sysadm_t,sysadm_r,admin_terminal) + seutil_run_checkpol(sysadm_t,sysadm_r,admin_terminal) + seutil_run_loadpol(sysadm_t,sysadm_r,admin_terminal) + seutil_run_restorecon(sysadm_t,sysadm_r,admin_terminal) + seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal) optional_policy(`targeted_policy',`',` - selinux_run_runinit(sysadm_t,sysadm_r,admin_terminal) + seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal) ') ')