Change initrc_var_run_t interface noun from script_pid to utmp for clarity.

This commit is contained in:
Chris PeBenito 2006-01-18 18:08:39 +00:00
parent b94cc19178
commit 68228b3300
34 changed files with 64 additions and 62 deletions


@ -1,3 +1,5 @@
- Change initrc_var_run_t interface noun from script_pid to utmp,
for greater clarity.
- Added modules:
portage
userhelper


@ -81,7 +81,7 @@ files_manage_var_files(firstboot_t)
files_manage_var_symlinks(firstboot_t)
init_domtrans_script(firstboot_t)
init_rw_script_pid(firstboot_t)
init_rw_utmp(firstboot_t)
libs_use_ld_so(firstboot_t)
libs_use_shared_libs(firstboot_t)


@ -64,7 +64,7 @@ template(`su_restricted_domain_template', `
init_dontaudit_use_fd($1_su_t)
init_dontaudit_use_script_pty($1_su_t)
# Write to utmp.
init_rw_script_pid($1_su_t)
init_rw_utmp($1_su_t)
libs_use_ld_so($1_su_t)
libs_use_shared_libs($1_su_t)
@ -199,7 +199,7 @@ template(`su_per_userdomain_template',`
init_dontaudit_use_fd($1_su_t)
# Write to utmp.
init_rw_script_pid($1_su_t)
init_rw_utmp($1_su_t)
libs_use_ld_so($1_su_t)
libs_use_shared_libs($1_su_t)


@ -121,7 +121,7 @@ template(`sudo_per_userdomain_template',`
# for some PAM modules and for cwd
files_dontaudit_search_home($1_sudo_t)
init_rw_script_pid($1_sudo_t)
init_rw_utmp($1_sudo_t)
libs_use_ld_so($1_sudo_t)
libs_use_shared_libs($1_sudo_t)


@ -115,7 +115,7 @@ files_dontaudit_search_var(chfn_t)
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_script_pid(chfn_t)
init_dontaudit_rw_utmp(chfn_t)
libs_use_ld_so(chfn_t)
libs_use_shared_libs(chfn_t)
@ -218,8 +218,8 @@ term_use_all_user_ttys(groupadd_t)
term_use_all_user_ptys(groupadd_t)
init_use_fd(groupadd_t)
init_read_script_pid(groupadd_t)
init_dontaudit_write_script_pid(groupadd_t)
init_read_utmp(groupadd_t)
init_dontaudit_write_utmp(groupadd_t)
domain_use_wide_inherit_fd(groupadd_t)
@ -319,7 +319,7 @@ files_relabel_etc_files(passwd_t)
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_script_pid(passwd_t)
init_dontaudit_rw_utmp(passwd_t)
libs_use_ld_so(passwd_t)
libs_use_shared_libs(passwd_t)
@ -413,7 +413,7 @@ files_dontaudit_search_pids(sysadm_passwd_t)
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_script_pid(sysadm_passwd_t)
init_dontaudit_rw_utmp(sysadm_passwd_t)
libs_use_ld_so(sysadm_passwd_t)
libs_use_shared_libs(sysadm_passwd_t)
@ -486,7 +486,7 @@ files_search_var_lib(useradd_t)
files_relabel_etc_files(useradd_t)
init_use_fd(useradd_t)
init_rw_script_pid(useradd_t)
init_rw_utmp(useradd_t)
libs_use_ld_so(useradd_t)
libs_use_shared_libs(useradd_t)


@ -123,8 +123,8 @@ template(`irc_per_userdomain_template',`
term_list_ptys($1_irc_t)
# allow utmp access
init_read_script_pid($1_irc_t)
init_dontaudit_lock_pid($1_irc_t)
init_read_utmp($1_irc_t)
init_dontaudit_lock_utmp($1_irc_t)
libs_use_ld_so($1_irc_t)
libs_use_shared_libs($1_irc_t)


@ -142,7 +142,7 @@ template(`screen_per_userdomain_template',`
auth_dontaudit_exec_utempter($1_screen_t)
# Write to utmp.
init_rw_script_pid($1_screen_t)
init_rw_utmp($1_screen_t)
libs_use_ld_so($1_screen_t)
libs_use_shared_libs($1_screen_t)


@ -127,7 +127,7 @@ files_dontaudit_getattr_all_sockets(apmd_t) # Excessive?
init_domtrans_script(apmd_t)
init_use_fd(apmd_t)
init_use_script_pty(apmd_t)
init_rw_script_pid(apmd_t)
init_rw_utmp(apmd_t)
init_write_initctl(apmd_t)
libs_exec_ld_so(apmd_t)


@ -64,8 +64,8 @@ files_list_usr(comsat_t)
files_search_spool(comsat_t)
files_search_home(comsat_t)
init_read_script_pid(comsat_t)
init_dontaudit_write_script_pid(comsat_t)
init_read_utmp(comsat_t)
init_dontaudit_write_utmp(comsat_t)
libs_use_ld_so(comsat_t)
libs_use_shared_libs(comsat_t)


@ -120,7 +120,7 @@ files_search_default(crond_t)
init_use_fd(crond_t)
init_use_script_pty(crond_t)
init_rw_script_pid(crond_t)
init_rw_utmp(crond_t)
libs_use_ld_so(crond_t)
libs_use_shared_libs(crond_t)
@ -331,8 +331,8 @@ ifdef(`targeted_policy',`
init_use_fd(system_crond_t)
init_use_script_fd(system_crond_t)
init_use_script_pty(system_crond_t)
init_read_script_pid(system_crond_t)
init_dontaudit_rw_script_pid(system_crond_t)
init_read_utmp(system_crond_t)
init_dontaudit_rw_utmp(system_crond_t)
# prelink tells init to restart it self, we either need to allow or dontaudit
init_write_initctl(system_crond_t)


@ -99,7 +99,7 @@ files_dontaudit_list_default(dovecot_t)
init_use_fd(dovecot_t)
init_use_script_pty(dovecot_t)
init_getattr_script_pids(dovecot_t)
init_getattr_utmp(dovecot_t)
libs_use_ld_so(dovecot_t)
libs_use_shared_libs(dovecot_t)


@ -81,8 +81,8 @@ files_search_home(fingerd_t)
files_read_etc_files(fingerd_t)
files_read_etc_runtime_files(fingerd_t)
init_read_script_pid(fingerd_t)
init_dontaudit_write_script_pid(fingerd_t)
init_read_utmp(fingerd_t)
init_dontaudit_write_utmp(fingerd_t)
init_use_fd(fingerd_t)
init_use_script_pty(fingerd_t)


@ -62,7 +62,7 @@ files_read_etc_files(howl_t)
init_use_fd(howl_t)
init_use_script_pty(howl_t)
init_rw_script_pid(howl_t)
init_rw_utmp(howl_t)
libs_use_ld_so(howl_t)
libs_use_shared_libs(howl_t)


@ -80,7 +80,7 @@ files_read_usr_files(NetworkManager_t)
init_use_fd(NetworkManager_t)
init_use_script_pty(NetworkManager_t)
init_read_script_pid(NetworkManager_t)
init_read_utmp(NetworkManager_t)
init_domtrans_script(NetworkManager_t)
libs_use_ld_so(NetworkManager_t)


@ -99,7 +99,7 @@ files_read_var_lib_symlinks(pegasus_t)
init_use_fd(pegasus_t)
init_use_script_pty(pegasus_t)
init_rw_script_pid(pegasus_t)
init_rw_utmp(pegasus_t)
libs_use_ld_so(pegasus_t)
libs_use_shared_libs(pegasus_t)


@ -187,7 +187,7 @@ domain_dontaudit_use_wide_inherit_fd(portmap_helper_t)
files_read_etc_files(portmap_helper_t)
files_rw_generic_pids(portmap_helper_t)
init_rw_script_pid(portmap_helper_t)
init_rw_utmp(portmap_helper_t)
libs_use_ld_so(portmap_helper_t)
libs_use_shared_libs(portmap_helper_t)


@ -121,7 +121,7 @@ files_search_etc(postgresql_t)
files_read_etc_runtime_files(postgresql_t)
files_read_usr_files(postgresql_t)
init_read_script_pid(postgresql_t)
init_read_utmp(postgresql_t)
init_use_fd(postgresql_t)
init_use_script_pty(postgresql_t)


@ -153,8 +153,8 @@ files_read_etc_runtime_files(pppd_t)
# for scripts
files_read_etc_files(pppd_t)
init_read_script_pid(pppd_t)
init_dontaudit_write_script_pid(pppd_t)
init_read_utmp(pppd_t)
init_dontaudit_write_utmp(pppd_t)
init_use_fd(pppd_t)
init_use_script_pty(pppd_t)


@ -99,7 +99,7 @@ files_list_mnt(remote_login_t)
# for when /var/mail is a sym-link
files_read_var_symlink(remote_login_t)
init_rw_script_pid(remote_login_t)
init_rw_utmp(remote_login_t)
libs_use_ld_so(remote_login_t)
libs_use_shared_libs(remote_login_t)


@ -75,7 +75,7 @@ files_read_etc_runtime_files(rlogind_t)
files_search_home(rlogind_t)
files_search_default(rlogind_t)
init_rw_script_pid(rlogind_t)
init_rw_utmp(rlogind_t)
libs_use_ld_so(rlogind_t)
libs_use_shared_libs(rlogind_t)


@ -76,8 +76,8 @@ files_read_etc_runtime_files(sendmail_t)
init_use_fd(sendmail_t)
init_use_script_pty(sendmail_t)
# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
init_read_script_pid(sendmail_t)
init_dontaudit_write_script_pid(sendmail_t)
init_read_utmp(sendmail_t)
init_dontaudit_write_utmp(sendmail_t)
libs_use_ld_so(sendmail_t)
libs_use_shared_libs(sendmail_t)


@ -97,10 +97,10 @@ storage_dontaudit_read_removable_device(snmpd_t)
term_dontaudit_use_console(snmpd_t)
init_read_script_pid(snmpd_t)
init_read_utmp(snmpd_t)
init_use_fd(snmpd_t)
init_use_script_pty(snmpd_t)
init_dontaudit_write_script_pid(snmpd_t)
init_dontaudit_write_utmp(snmpd_t)
libs_use_ld_so(snmpd_t)
libs_use_shared_libs(snmpd_t)


@ -99,7 +99,7 @@ files_read_etc_runtime_files(spamd_t)
init_use_fd(spamd_t)
init_use_script_pty(spamd_t)
init_dontaudit_rw_script_pid(spamd_t)
init_dontaudit_rw_utmp(spamd_t)
libs_use_ld_so(spamd_t)
libs_use_shared_libs(spamd_t)


@ -473,7 +473,7 @@ template(`ssh_server_template', `
files_read_etc_files($1_t)
files_read_etc_runtime_files($1_t)
init_rw_script_pid($1_t)
init_rw_utmp($1_t)
libs_use_ld_so($1_t)
libs_use_shared_libs($1_t)


@ -74,7 +74,7 @@ files_read_etc_runtime_files(telnetd_t)
# for identd; cjp: this should probably only be inetd_child rules?
files_search_home(telnetd_t)
init_rw_script_pid(telnetd_t)
init_rw_utmp(telnetd_t)
libs_use_ld_so(telnetd_t)
libs_use_shared_libs(telnetd_t)


@ -105,7 +105,7 @@ fs_search_auto_mountpoints(pam_t)
term_use_all_user_ttys(pam_t)
term_use_all_user_ptys(pam_t)
init_dontaudit_rw_script_pid(pam_t)
init_dontaudit_rw_utmp(pam_t)
files_read_etc_files(pam_t)
files_list_pids(pam_t)
@ -289,7 +289,7 @@ term_dontaudit_use_all_user_ttys(utempter_t)
term_dontaudit_use_all_user_ptys(utempter_t)
term_dontaudit_use_ptmx(utempter_t)
init_rw_script_pid(utempter_t)
init_rw_utmp(utempter_t)
files_read_etc_files(utempter_t)


@ -89,7 +89,7 @@ files_rw_generic_pids(getty_t)
files_read_etc_runtime_files(getty_t)
files_read_etc_files(getty_t)
init_rw_script_pid(getty_t)
init_rw_utmp(getty_t)
init_use_script_pty(getty_t)
init_dontaudit_use_script_pty(getty_t)


@ -774,7 +774,7 @@ interface(`init_filetrans_script_tmp',`
## Domain allowed access.
## </param>
#
interface(`init_getattr_script_pids',`
interface(`init_getattr_utmp',`
gen_require(`
type initrc_var_run_t;
class file getattr;
@ -785,9 +785,9 @@ interface(`init_getattr_script_pids',`
########################################
#
# init_read_script_pid(domain)
# init_read_utmp(domain)
#
interface(`init_read_script_pid',`
interface(`init_read_utmp',`
gen_require(`
type initrc_var_run_t;
class file r_file_perms;
@ -799,9 +799,9 @@ interface(`init_read_script_pid',`
########################################
#
# init_dontaudit_write_script_pid(domain)
# init_dontaudit_write_utmp(domain)
#
interface(`init_dontaudit_write_script_pid',`
interface(`init_dontaudit_write_utmp',`
gen_require(`
type initrc_var_run_t;
class file { write lock };
@ -819,7 +819,7 @@ interface(`init_dontaudit_write_script_pid',`
## Domain allowed access.
## </param>
#
interface(`init_dontaudit_lock_pid',`
interface(`init_dontaudit_lock_utmp',`
gen_require(`
type initrc_var_run_t;
')
@ -829,9 +829,9 @@ interface(`init_dontaudit_lock_pid',`
########################################
#
# init_rw_script_pid(domain)
# init_rw_utmp(domain)
#
interface(`init_rw_script_pid',`
interface(`init_rw_utmp',`
gen_require(`
type initrc_var_run_t;
class file rw_file_perms;
@ -843,9 +843,9 @@ interface(`init_rw_script_pid',`
########################################
#
# init_dontaudit_rw_script_pid(domain)
# init_dontaudit_rw_utmp(domain)
#
interface(`init_dontaudit_rw_script_pid',`
interface(`init_dontaudit_rw_utmp',`
gen_require(`
type initrc_var_run_t;
class file rw_file_perms;
@ -856,7 +856,7 @@ interface(`init_dontaudit_rw_script_pid',`
########################################
## <summary>
## Manage init files like utmp.
## Create, read, write, and delete utmp.
## </summary>
## <param name="domain">
## Domain access allowed.
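Review bot: The new summary `## Create, read, write, and delete utmp.` on the manage interface, and the utmp names given to the interfaces above it, describe the access more narrowly than what is actually granted: every require block still pulls in `type initrc_var_run_t;`, so a caller of init_rw_utmp or init_dontaudit_write_utmp receives the listed permissions on every file carrying that label, not on the utmp file specifically. Unless initrc_var_run_t labels nothing but utmp (the file-context mapping is not in this diff), the interface documentation should state the real scope, e.g. `## Read and write utmp and any other init script runtime file labelled initrc_var_run_t.`, so policy authors do not assume the grant is confined to utmp. The same caveat applies to the `init_dontaudit_write_utmp` hunk, whose class line is `class file { write lock };` — the dontaudit covers lock as well as write, which the name and its summary should mention. Each interface body continues outside its hunk.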


@ -142,7 +142,7 @@ files_read_world_readable_sockets(local_login_t)
# for when /var/mail is a symlink
files_read_var_symlink(local_login_t)
init_rw_script_pid(local_login_t)
init_rw_utmp(local_login_t)
init_dontaudit_use_fd(local_login_t)
libs_use_ld_so(local_login_t)


@ -313,8 +313,8 @@ term_dontaudit_use_console(syslogd_t)
term_write_unallocated_ttys(syslogd_t)
# for sending messages to logged in users
init_read_script_pid(syslogd_t)
init_dontaudit_write_script_pid(syslogd_t)
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
term_write_all_user_ttys(syslogd_t)
corenet_raw_sendrecv_all_if(syslogd_t)


@ -264,7 +264,7 @@ domain_use_wide_inherit_fd(newrole_t)
domain_sigchld_wide_inherit_fd(newrole_t)
# Write to utmp.
init_rw_script_pid(newrole_t)
init_rw_utmp(newrole_t)
files_read_etc_files(newrole_t)
files_read_var_files(newrole_t)
@ -439,7 +439,7 @@ ifdef(`targeted_policy',`',`
init_domtrans_script(run_init_t)
# for utmp
init_rw_script_pid(run_init_t)
init_rw_utmp(run_init_t)
libs_use_ld_so(run_init_t)
libs_use_shared_libs(run_init_t)


@ -133,7 +133,7 @@ files_dontaudit_search_locks(dhcpc_t)
init_use_fd(dhcpc_t)
init_use_script_pty(dhcpc_t)
init_rw_script_pid(dhcpc_t)
init_rw_utmp(dhcpc_t)
logging_send_syslog_msg(dhcpc_t)


@ -115,8 +115,8 @@ files_getattr_generic_locks(udev_t)
files_search_mnt(udev_t)
init_use_fd(udev_t)
init_read_script_pid(udev_t)
init_dontaudit_write_script_pid(udev_t)
init_read_utmp(udev_t)
init_dontaudit_write_utmp(udev_t)
libs_use_ld_so(udev_t)
libs_use_shared_libs(udev_t)


@ -588,10 +588,10 @@ template(`unpriv_user_template', `
files_read_world_readable_pipes($1_t)
files_read_world_readable_sockets($1_t)
init_read_script_pid($1_t)
init_read_utmp($1_t)
# The library functions always try to open read-write first,
# then fall back to read-only if it fails.
init_dontaudit_write_script_pid($1_t)
init_dontaudit_write_utmp($1_t)
# Stop warnings about access to /dev/console
init_dontaudit_use_fd($1_t)
init_dontaudit_use_script_fd($1_t)