aliasing

2005-06-08 21:07:03 +00:00 · 2005-06-08 21:07:03 +00:00 · 7edd02d4f1
commit 7edd02d4f1
parent 0350b1dc7f
4 changed files with 40 additions and 51 deletions
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@ -15,10 +15,7 @@
 define(`sysnetwork_dhcpc_transition',`
 	requires_block_template(`$0'_depend)

-	allow $1 dhcpc_exec_t:file { getattr read execute };
-	allow $1 dhcpc_t:process transition;
-	type_transition $1 dhcpc_exec_t:process dhcpc_t;
-	dontaudit $1 dhcpc_t:process { noatsecure siginh rlimitinh };
+	domain_auto_trans($1, dhcp_exec_t, dhcp_t)

 	allow $1 dhcpc_t:fd use;
 	allow dhcpc_t $1:fd use;
@ -49,10 +46,7 @@ define(`sysnetwork_dhcpc_transition_depend',`
 define(`sysnetwork_ifconfig_transition',`
 	requires_block_template(`$0'_depend)

-	allow $1 ifconfig_exec_t:file { getattr read execute };
-	allow $1 ifconfig_t:process transition;
-	type_transition $1 ifconfig_exec_t:process ifconfig_t;
-	dontaudit $1 ifconfig_t:process { noatsecure siginh rlimitinh };
+	domain_auto_trans($1, ifconfig_exec_t, ifconfig_t)

 	allow $1 ifconfig_t:fd use;
 	allow ifconfig_t $1:fd use;
@ -117,13 +111,13 @@ define(`sysnetwork_read_network_config',`
 	requires_block_template(`$0'_depend)

 	files_search_general_system_config_directory($1)
-	allow $1 net_conf_t:file { getattr read };
+	allow $1 net_conf_t:file r_file_perms;
 ')

 define(`sysnetwork_read_network_config_depend',`
 	type net_conf_t;

-	class file { getattr read };
+	class file r_file_perms;
 ')

 ## </module>
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@ -46,11 +46,11 @@ dontaudit dhcpc_t self:capability sys_tty_config;
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit dhcpc_t self:capability { dac_read_search sys_module };

-allow dhcpc_t self:tcp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
-allow dhcpc_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
-allow dhcpc_t self:packet_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow dhcpc_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read };
-allow dhcpc_t self:fifo_file { ioctl read getattr lock write append };
+allow dhcpc_t self:tcp_socket create_socket_perms;
+allow dhcpc_t self:udp_socket create_socket_perms;
+allow dhcpc_t self:packet_socket create_socket_perms;
+allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow dhcpc_t self:fifo_file rw_file_perms;

 allow dhcpc_t dhcp_etc_t:dir r_dir_perms;
 allow dhcpc_t dhcp_etc_t:lnk_file r_file_perms;
@ -61,26 +61,23 @@ allow dhcpc_t dhcpc_state_t:file create_file_perms;
 type_transition dhcpc_t dhcp_state_t:file dhcpc_state_t;

 # create pid file
-allow dhcpc_t dhcpc_var_run_t:file { getattr create read write append setattr unlink };
+allow dhcpc_t dhcpc_var_run_t:file create_file_perms;
 files_create_daemon_runtime_data(dhcpc_t,dhcpc_var_run_t)

 # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
 # in /etc created by dhcpcd will be labelled net_conf_t.
-allow dhcpc_t net_conf_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow dhcpc_t net_conf_t:file create_file_perms;
 files_create_private_config(dhcpc_t,net_conf_t,file)

 # create temp files
-allow dhcpc_t dhcpc_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow dhcpc_t dhcpc_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow dhcpc_t dhcpc_tmp_t:dir create_dir_perms;
+allow dhcpc_t dhcpc_tmp_t:file create_file_perms;
 files_create_private_tmp_data(dhcpc_t, dhcpc_tmp_t, { file dir })

-allow dhcpc_t dhcpc_exec_t:file { getattr read execute execute_no_trans };
+can_exec(dhcpc_t, dhcpc_exec_t)

 # transition to ifconfig
-allow dhcpc_t ifconfig_exec_t:file { getattr read execute };
-allow dhcpc_t ifconfig_t:process transition;
-type_transition dhcpc_t ifconfig_exec_t:process ifconfig_t;
-dontaudit dhcpc_t ifconfig_t:process { noatsecure siginh rlimitinh };
+domain_auto_trans(dhcp_t, ifconfig_exec_t, ifconfig_t)
 allow dhcpc_t ifconfig_t:fd use;
 allow ifconfig_t dhcpc_t:fd use;
 allow ifconfig_t dhcpc_t:fifo_file rw_file_perms;
@ -244,21 +241,21 @@ allow ifconfig_t self:capability net_admin;
 dontaudit ifconfig_t self:capability sys_module;

 allow ifconfig_t self:fd use;
-allow ifconfig_t self:fifo_file { read getattr lock ioctl write append };
-allow ifconfig_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow ifconfig_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow ifconfig_t self:fifo_file rw_file_perms;
+allow ifconfig_t self:unix_dgram_socket create_socket_perms;
+allow ifconfig_t self:unix_stream_socket create_stream_socket_perms;
 allow ifconfig_t self:unix_dgram_socket sendto;
 allow ifconfig_t self:unix_stream_socket connectto;
-allow ifconfig_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow ifconfig_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow ifconfig_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow ifconfig_t self:shm create_shm_perms;
+allow ifconfig_t self:sem create_sem_perms;
+allow ifconfig_t self:msgq create_msgq_perms;
 allow ifconfig_t self:msg { send receive };

 # Create UDP sockets, necessary when called from dhcpc
-allow ifconfig_t self:udp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow ifconfig_t self:udp_socket create_socket_perms;

 # for /sbin/ip
-allow ifconfig_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
+allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
 allow ifconfig_t self:tcp_socket { create ioctl };
 files_read_general_system_config(ifconfig_t);

--- a/refpolicy/policy/modules/system/udev.if
+++ b/refpolicy/policy/modules/system/udev.if
@ -15,10 +15,7 @@
 define(`udev_transition',`
 	requires_block_template(`$0'_depend)

-	allow $1 udev_exec_t:file { getattr read execute };
-	allow $1 udev_t:process transition;
-	type_transition $1 udev_exec_t:process udev_t;
-	dontaudit $1 udev_t:process { noatsecure siginh rlimitinh };
+	domain_auto_trans($1, udev_exec_t, udev_t)

 	allow $1 udev_t:fd use;
 	allow udev_t $1:fd use;
@ -49,13 +46,13 @@ define(`udev_transition_depend',`
 define(`udev_read_database',`
 	requires_block_template(`$0'_depend)

-	allow $1 udev_tdb_t:file { getattr read };
+	allow $1 udev_tdb_t:file r_file_perms;
 ')

 define(`udev_read_database_depend',`
 	type udev_tdb_t;

-	class file { getattr read };
+	class file r_file_perms;
 ')

 ########################################
@ -72,13 +69,13 @@ define(`udev_read_database_depend',`
 define(`udev_modify_database',`
 	requires_block_template(`$0'_depend)

-	allow $1 udev_tdb_t:file { getattr read write append };
+	allow $1 udev_tdb_t:file rw_file_perms;
 ')

 define(`udev_modify_database_depend',`
 	type udev_tdb_t;

-	class file { getattr read write append };
+	class file rw_file_perms;
 ')

 ## </module>
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@ -38,29 +38,30 @@ allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid
 allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
 allow udev_t self:process { execmem setfscreate };
 allow udev_t self:fd use;
-allow udev_t self:fifo_file { read getattr lock ioctl write append };
+allow udev_t self:fifo_file rw_file_perms;
 allow udev_t self:unix_stream_socket { listen accept };
 allow udev_t self:unix_dgram_socket sendto;
 allow udev_t self:unix_stream_socket connectto;
-allow udev_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow udev_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow udev_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow udev_t self:shm create_shm_perms;
+allow udev_t self:sem create_sem_perms;
+allow udev_t self:msgq create_msgq_perms;
 allow udev_t self:msg { send receive };
-allow udev_t self:rawip_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow udev_t self:rawip_socket create_socket_perms;

-allow udev_t udev_exec_t:file { getattr read write ioctl execute execute_no_trans };
+allow udev_t udev_exec_t:file write;
+can_exec(udev_t, udev_exec_t)

-allow udev_t udev_helper_exec_t:dir { read getattr lock search ioctl };
+allow udev_t udev_helper_exec_t:dir r_dir_perms;

 # read udev config
-allow udev_t udev_etc_t:file { read getattr lock ioctl };
+allow udev_t udev_etc_t:file r_file_perms;

 # create udev database in /dev/.udevdb
-allow udev_t udev_tbl_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow udev_t udev_tbl_t:file create_file_perms;
 devices_create_dev_entry(udev_t,udev_tbl_t,file)

-allow udev_t udev_var_run_t : dir { read getattr lock search ioctl add_name remove_name write };
-allow udev_t udev_var_run_t : file { create ioctl read getattr lock write setattr append link unlink rename };
+allow udev_t udev_var_run_t : dir rw_file_perms;
+allow udev_t udev_var_run_t : file create_file_perms;

 kernel_read_system_state(udev_t)
 kernel_get_core_interface_attributes(udev_t)