rpms/selinux-policy
5
0
Fork 0
Code Issues Pull Requests Releases Activity

fix most disable_trans errors

Browse Source
This commit is contained in:
Chris PeBenito 2005-10-24 22:08:13 +00:00
parent f470a1e329
commit 69dcd685ad
7 changed files with 50 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
refpolicy/Makefile
View File

@ -71,7 +71,7 @@ MONOLITHIC=y
PREFIX := /usr PREFIX := /usr
BINDIR := $(PREFIX)/bin BINDIR := $(PREFIX)/bin
SBINDIR := $(PREFIX)/sbin SBINDIR := $(PREFIX)/sbin
CHECKPOLICY := $(BINDIR)/checkpolicy CHECKPOLICY := /tmp/$(BINDIR)/checkpolicy
CHECKMODULE := $(BINDIR)/checkmodule CHECKMODULE := $(BINDIR)/checkmodule
SEMOD_PKG := $(BINDIR)/semodule_package SEMOD_PKG := $(BINDIR)/semodule_package
LOADPOLICY := $(SBINDIR)/load_policy LOADPOLICY := $(SBINDIR)/load_policy

12
refpolicy/policy/modules/services/cpucontrol.te
View File

@ -8,14 +8,14 @@ policy_module(cpucontrol,1.0)
type cpucontrol_t; type cpucontrol_t;
type cpucontrol_exec_t; type cpucontrol_exec_t;
init_daemon_domain(cpucontrol_t,cpucontrol_exec_t) init_system_domain(cpucontrol_t,cpucontrol_exec_t)
type cpucontrol_conf_t; type cpucontrol_conf_t;
files_type(cpucontrol_conf_t) files_type(cpucontrol_conf_t)
type cpuspeed_t; type cpuspeed_t;
type cpuspeed_exec_t; type cpuspeed_exec_t;
init_daemon_domain(cpuspeed_t,cpuspeed_exec_t) init_system_domain(cpuspeed_t,cpuspeed_exec_t)
######################################## ########################################
# #
@ -61,6 +61,10 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_file(cpucontrol_t) files_dontaudit_read_root_file(cpucontrol_t)
') ')
optional_policy(`nscd.te',`
nscd_use_socket(cpucontrol_t)
')
optional_policy(`selinuxutil.te',` optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(cpucontrol_t) seutil_sigchld_newrole(cpucontrol_t)
') ')
@ -117,6 +121,10 @@ ifdef(`targeted_policy',`
files_dontaudit_read_root_file(cpuspeed_t) files_dontaudit_read_root_file(cpuspeed_t)
') ')
optional_policy(`nscd.te',`
nscd_use_socket(cpuspeed_t)
')
optional_policy(`selinuxutil.te',` optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(cpuspeed_t) seutil_sigchld_newrole(cpuspeed_t)
') ')

2
refpolicy/policy/modules/services/finger.te
View File

@ -7,7 +7,7 @@ policy_module(finger,1.0)
# #
type fingerd_t; type fingerd_t;
type fingerd_exec_t; type fingerd_exec_t;
init_daemon_domain(fingerd_t,fingerd_exec_t) init_system_domain(fingerd_t,fingerd_exec_t)
inetd_tcp_service_domain(fingerd_t,fingerd_exec_t) inetd_tcp_service_domain(fingerd_t,fingerd_exec_t)
type fingerd_etc_t; type fingerd_etc_t;

37
refpolicy/policy/modules/services/inetd.if
View File

@ -32,14 +32,37 @@ interface(`inetd_core_service_domain',`
role system_r types $1; role system_r types $1;
domain_auto_trans(inetd_t,$2,$1)
allow $1 inetd_t:fd use;
allow inetd_t $1:fd use;
allow $1 inetd_t:fifo_file rw_file_perms;
allow $1 inetd_t:process sigchld;
allow inetd_t $1:process sigkill; allow inetd_t $1:process sigkill;
ifdef(`targeted_policy',`
# this regex is a hack, since it assumes there is a
# _t at the end of the domain type. If there is no _t
# at the end of the type, it returns empty!
bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
can_exec(inetd_t,$2)
} else {
domain_auto_trans(inetd_t,$2,$1)
allow inetd_t $1:fd use;
allow $1 inetd_t:fd use;
allow $1 inetd_t:fifo_file rw_file_perms;
allow $1 inetd_t:process sigchld;
dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
# make sediff happy
allow $1 $2:file { rx_file_perms entrypoint };
}
',`
domain_auto_trans(inetd_t,$2,$1)
allow inetd_t $1:fd use;
allow $1 inetd_t:fd use;
allow $1 inetd_t:fifo_file rw_file_perms;
allow $1 inetd_t:process sigchld;
dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
# make sediff happy
allow $1 $2:file { rx_file_perms entrypoint };
')
') ')
######################################## ########################################

2
refpolicy/policy/modules/services/tftp.te
View File

@ -8,7 +8,7 @@ policy_module(tftp,1.0)
type tftpd_t; type tftpd_t;
type tftpd_exec_t; type tftpd_exec_t;
init_daemon_domain(tftpd_t,tftpd_exec_t) init_system_domain(tftpd_t,tftpd_exec_t)
inetd_udp_service_domain(tftpd_t,tftpd_exec_t) inetd_udp_service_domain(tftpd_t,tftpd_exec_t)
type tftpd_var_run_t; type tftpd_var_run_t;

6
refpolicy/policy/modules/system/init.if
View File

@ -99,6 +99,9 @@ interface(`init_daemon_domain',`
allow $1 initrc_t:fifo_file rw_file_perms; allow $1 initrc_t:fifo_file rw_file_perms;
allow $1 initrc_t:process sigchld; allow $1 initrc_t:process sigchld;
allow initrc_t $1:process { noatsecure siginh rlimitinh }; allow initrc_t $1:process { noatsecure siginh rlimitinh };
# make sediff happy
allow $1 $2:file { rx_file_perms entrypoint };
} }
',` ',`
domain_auto_trans(initrc_t,$2,$1) domain_auto_trans(initrc_t,$2,$1)
@ -107,6 +110,9 @@ interface(`init_daemon_domain',`
allow $1 initrc_t:fifo_file rw_file_perms; allow $1 initrc_t:fifo_file rw_file_perms;
allow $1 initrc_t:process sigchld; allow $1 initrc_t:process sigchld;
dontaudit initrc_t $1:process { noatsecure siginh rlimitinh }; dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
# make sediff happy
allow $1 $2:file { rx_file_perms entrypoint };
') ')
optional_policy(`nscd.te',` optional_policy(`nscd.te',`

1
refpolicy/policy/modules/system/unconfined.te
View File

@ -49,4 +49,5 @@ ifdef(`targeted_policy',`
') ')
') dnl end TODO ') dnl end TODO
typeattribute unconfined_t direct_run_init;
') ')