fixes just so sediff is easier to handle

Chris PeBenito 2005-11-01 21:15:11 +00:00
parent b488014fd7
commit 73ef293bc5
4 changed files with 34 additions and 16 deletions


@ -206,18 +206,25 @@ template(`su_per_userdomain_template',`
userdom_use_user_terminals($1,$1_su_t)
userdom_search_user_home($1,$1_su_t)
if(secure_mode) {
# Only allow transitions to unprivileged user domains.
userdom_spec_domtrans_unpriv_users($1_su_t)
} else {
# Allow transitions to all user domains
userdom_spec_domtrans_all_users($1_su_t)
}
ifdef(`targeted_policy',`
corecmd_exec_bin($1_su_t)
userdom_manage_all_user_files($1_su_t)
userdom_manage_all_user_symlinks($1_su_t)
# newrole does not make any sense in
# the targeted policy. This is to
# make sediff easier.
if(!secure_mode) {
unconfined_domtrans($1_su_t)
}
',`
if(secure_mode) {
# Only allow transitions to unprivileged user domains.
userdom_spec_domtrans_unpriv_users($1_su_t)
} else {
# Allow transitions to all user domains
userdom_spec_domtrans_all_users($1_su_t)
}
')
tunable_policy(`use_nfs_home_dirs',`
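Review bot: The comment added in the targeted_policy branch says newrole makes no sense in the targeted policy, but this is su_per_userdomain_template and the rule beneath it is `unconfined_domtrans($1_su_t)`, so the comment looks copied from the newrole hunk and misdescribes the code. It also reads as if the rule were inert, whereas with secure_mode off it appears to grant the su domain a transition into the unconfined domain. I would reword it along the lines of `# targeted policy: su may transition to the unconfined domain unless secure_mode is set (conditional kept so sediff is easier to handle)`. The "make sediff easier" comment in the newrole hunk would likewise benefit from stating what `unconfined_domtrans(newrole_t)` permits. The template body starts and ends outside the hunk.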


@ -660,7 +660,7 @@ interface(`fs_execute_cifs_files',`
## The type of the domain to not audit.
## </param>
#
interface(`fs_read_cifs_files',`
interface(`fs_dontaudit_read_cifs_files',`
gen_require(`
type cifs_t;
class file { read write };


@ -184,6 +184,8 @@ optional_policy(`inetd.te',`
# inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
#')
inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
optional_policy(`tcpd.te',`
tunable_policy(`! ftpd_is_daemon',`
tcpd_domtrans(tcpd_t)
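Review bot: The added `inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)` is not wrapped in any conditional visible in the hunk, while the commented-out copy directly above it ends with `#')`, which suggests the call used to sit inside a conditional block. If that block was the ftpd_is_daemon tunable used a few lines below, inetd is now allowed to start ftpd_t regardless of the tunable's value, which is broader than the tunable's name implies. A comment on the new line saying why it is unconditional, for example `# unconditional: <reason the tunable cannot wrap this call>`, would let a later reader judge whether the wider rule is intended. The enclosing optional_policy block appears to start outside the hunk.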


@ -263,13 +263,22 @@ userdom_use_unpriv_users_fd(newrole_t)
# for some PAM modules and for cwd
userdom_dontaudit_search_all_users_home(newrole_t)
# if secure mode is enabled, then newrole
# can only transition to unprivileged users
if(secure_mode) {
userdom_spec_domtrans_unpriv_users(newrole_t)
} else {
userdom_spec_domtrans_all_users(newrole_t)
}
ifdef(`targeted_policy',`
# newrole does not make any sense in
# the targeted policy. This is to
# make sediff easier.
if(!secure_mode) {
unconfined_domtrans(newrole_t)
}
',`
# if secure mode is enabled, then newrole
# can only transition to unprivileged users
if(secure_mode) {
userdom_spec_domtrans_unpriv_users(newrole_t)
} else {
userdom_spec_domtrans_all_users(newrole_t)
}
')
optional_policy(`nis.te',`
nis_use_ypbind(newrole_t)