misc fixes

2005-09-05 18:17:17 +00:00 · 2005-09-05 18:17:17 +00:00 · 603f90ab9d
commit 603f90ab9d
parent b11a75a5e3
12 changed files with 66 additions and 20 deletions
--- a/refpolicy/policy/modules/admin/acct.te
+++ b/refpolicy/policy/modules/admin/acct.te
@ -52,6 +52,7 @@ domain_use_wide_inherit_fd(acct_t)
 files_read_etc_files(acct_t)
 files_read_etc_runtime_files(acct_t)
 files_list_usr(acct_t)
 # for nscd
 files_dontaudit_search_pids(acct_t)
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@ -66,9 +66,9 @@ allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin
 allow bootloader_t self:process { sigkill sigstop signull signal };
 allow bootloader_t self:fifo_file { getattr read write };
-allow bootloader_t boot_t:dir ra_dir_perms;
+allow bootloader_t boot_t:dir rw_dir_perms;
-allow bootloader_t boot_t:file { rw_file_perms create };
+allow bootloader_t boot_t:file create_file_perms;
-allow bootloader_t boot_t:lnk_file { r_file_perms create unlink };
+allow bootloader_t boot_t:lnk_file create_lnk_perms;
 allow bootloader_t bootloader_etc_t:file r_file_perms;
 # uncomment the following lines if you use "lilo -p"
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@ -116,6 +116,11 @@ optional_policy(`nscd.te',`
 	nscd_use_socket(hald_t)
 ')
 optional_policy(`pcmcia.te',`
 	pcmcia_manage_pid(hald_t)
 	pcmcia_manage_runtime_chr(hald_t)
 ')
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(hald_t)
 ')
--- a/refpolicy/policy/modules/services/mysql.te
+++ b/refpolicy/policy/modules/services/mysql.te
@ -14,6 +14,7 @@ type mysqld_var_run_t;
 files_pid_file(mysqld_var_run_t)
 type mysqld_db_t;
 files_type(mysqld_db_t)
 type mysqld_etc_t alias etc_mysqld_t;
 files_type(mysqld_etc_t)
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@ -73,8 +73,6 @@ template(`authlogin_per_userdomain_template',`
 	seutil_read_config($1_chkpwd_t)
 	#can_ldap($1_chkpwd_t)
 	# Transition from the user domain to this domain.
 	domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
@ -104,6 +102,17 @@ template(`authlogin_per_userdomain_template',`
 		kerberos_use($1_chkpwd_t)
 	')
 	optional_policy(`ldap.te',`
 		allow $1_chkpwd_t self:tcp_socket create_socket_perms;
 		corenet_tcp_sendrecv_all_if($1_chkpwd_t)
 		corenet_raw_sendrecv_all_if($1_chkpwd_t)
 		corenet_tcp_sendrecv_all_nodes($1_chkpwd_t)
 		corenet_raw_sendrecv_all_nodes($1_chkpwd_t)
 		corenet_tcp_sendrecv_ldap_port($1_chkpwd_t)
 		corenet_tcp_bind_all_nodes($1_chkpwd_t)
 		sysnet_read_config($1_chkpwd_t)
 	')
 	optional_policy(`nis.te',`
 		nis_use_ypbind($1_chkpwd_t)
 	')
@ -243,7 +252,16 @@ interface(`auth_domtrans_chk_passwd',`
 		kerberos_use($1)
 	')
-	#can_ldap($1)
+	optional_policy(`ldap.te',`
 		allow $1 self:tcp_socket create_socket_perms;
 		corenet_tcp_sendrecv_all_if($1)
 		corenet_raw_sendrecv_all_if($1)
 		corenet_tcp_sendrecv_all_nodes($1)
 		corenet_raw_sendrecv_all_nodes($1)
 		corenet_tcp_sendrecv_ldap_port($1)
 		corenet_tcp_bind_all_nodes($1)
 		sysnet_read_config($1)
 	')
 	optional_policy(`nis.te',`
 		nis_use_ypbind($1)
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@ -287,6 +287,17 @@ optional_policy(`kerberos.te',`
 	kerberos_use(system_chkpwd_t)
 ')
 optional_policy(`ldap.te',`
 	allow system_chkpwd_t self:tcp_socket create_socket_perms;
 	corenet_tcp_sendrecv_all_if(system_chkpwd_t)
 	corenet_raw_sendrecv_all_if(system_chkpwd_t)
 	corenet_tcp_sendrecv_all_nodes(system_chkpwd_t)
 	corenet_raw_sendrecv_all_nodes(system_chkpwd_t)
 	corenet_tcp_sendrecv_ldap_port(system_chkpwd_t)
 	corenet_tcp_bind_all_nodes(system_chkpwd_t)
 	sysnet_read_config(system_chkpwd_t)
 ')
 optional_policy(`nis.te',`
 	nis_use_ypbind(system_chkpwd_t)
 ')
@ -295,10 +306,6 @@ optional_policy(`nscd.te',`
 	nscd_use_socket(system_chkpwd_t)
 ')
 ifdef(`TODO',`
 can_ldap(system_chkpwd_t)
 ') dnl end TODO
 ########################################
 #
 # Utempter local policy
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@ -1608,6 +1608,24 @@ interface(`files_search_usr',`
 	allow $1 usr_t:dir search;
 ')
 ########################################
 ## <summary>
 ##	List the contents of generic
 ##	directories in /usr.
 ## </summary>
 ## <param name="domain">
 ##	Domain allowed access.
 ## </param>
 #
 interface(`files_list_usr',`
 	gen_require(`
 		type usr_t;
 		class dir r_dir_perms;
 	')
 	allow $1 usr_t:dir r_dir_perms;
 ')
 ########################################
 ## <summary>
 ##	Get the attributes of files in /usr.
--- a/refpolicy/policy/modules/system/getty.te
+++ b/refpolicy/policy/modules/system/getty.te
@ -13,6 +13,7 @@ domain_wide_inherit_fd(getty_t)
 type getty_etc_t;
 typealias getty_etc_t alias etc_getty_t;
 files_type(getty_etc_t)
 type getty_log_t;
 logging_log_file(getty_log_t)
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@ -48,9 +48,8 @@ type initrc_exec_t;
 domain_entry_file(initrc_t,initrc_exec_t)
 type initrc_devpts_t;
 fs_associate(initrc_devpts_t)
 fs_associate_noxattr(initrc_devpts_t)
 term_pty(initrc_devpts_t)
 files_type(initrc_devpts_t)
 type initrc_var_run_t;
 files_pid_file(initrc_var_run_t)
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@ -54,8 +54,7 @@ dontaudit auditd_t self:capability sys_tty_config;
 allow auditd_t self:process { signal_perms setsched };
 allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write };
-allow auditd_t var_log_t:dir search;
+allow auditd_t var_log_t:dir rw_dir_perms;
 allow auditd_t auditd_log_t:dir rw_dir_perms;
 allow auditd_t auditd_log_t:file create_file_perms;
 allow auditd_t auditd_var_run_t:file create_file_perms;
@ -78,6 +77,7 @@ init_use_script_pty(auditd_t)
 domain_use_wide_inherit_fd(auditd_t)
 files_read_etc_files(auditd_t)
 files_list_usr(auditd_t)
 logging_send_syslog_msg(auditd_t)
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ b/refpolicy/policy/modules/system/pcmcia.te
@ -148,11 +148,6 @@ optional_policy(`pcmcia.te',`
 	pcmcia_domtrans_cardctl(apmd_t)
 ')
 # this goes to hald
 optional_policy(`pcmcia.te',`
 	pcmcia_manage_pid(hald_t)
 	pcmcia_manage_runtime_chr(hald_t)
 ')
 optional_policy(`rhgb.te',`
 	rhgb_domain(cardmgr_t)
 ')
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@ -35,6 +35,7 @@ template(`base_user_template',`
 	# user pseudoterminal
 	type $1_devpts_t;
 	term_user_pty($1_t,$1_devpts_t)
 	files_type($1_devpts_t)
 	# type for contents of home directory
 	type $1_home_t, $1_file_type, home_type;
@ -42,7 +43,7 @@ template(`base_user_template',`
 	# type of home directory
 	type $1_home_dir_t, home_dir_type, home_type;
-	files_type($1_home_t)
+	files_type($1_home_dir_t)
 	type $1_tmp_t, $1_file_type;
 	files_tmp_file($1_tmp_t)