* Rename ipsec connect interface for consistency.

* Add missing parts of unix stream socket connect interface of ipsec. * Rename inetd connect interface for consistency.
2005-08-03 15:16:33 +00:00 · 2005-08-03 15:16:33 +00:00 · 81343a6f90
commit 81343a6f90
parent 80a63c7a98
5 changed files with 16 additions and 6 deletions
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@ -1,3 +1,8 @@
+	* Rename ipsec connect interface for consistency.
+	* Add missing parts of unix stream socket connect interface
+	  of ipsec.
+	* Rename inetd connect interface for consistency.
+
 20050802 (2 Aug 2005)
 	* Fix comparison bug in fc_sort.
 	* Fix handling of ordered and unordered HTML lists.
--- a/refpolicy/policy/modules/services/inetd.if
+++ b/refpolicy/policy/modules/services/inetd.if
@ -119,7 +119,7 @@ interface(`inetd_service_domain',`
 ##	Domain allowed access.
 ## </param>
 #
-interface(`inetd_tcp_connectto',`
+interface(`inetd_tcp_connect',`
 	gen_require(`
 		type inetd_t;
 		class tcp_socket { connectto acceptfrom recvfrom };
--- a/refpolicy/policy/modules/system/ipsec.if
+++ b/refpolicy/policy/modules/system/ipsec.if
@ -26,18 +26,23 @@ interface(`ipsec_domtrans',`

 ########################################
 ## <summary>
-##	Connect to an IPSEC unix domain stream socket.
+##	Connect to IPSEC using a unix domain stream socket.
 ## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 #
-interface(`ipsec_connectto_unix_stream_socket',`
+interface(`ipsec_stream_connect',`
 	gen_require(`
-		type ipsec_t;
+		type ipsec_t, ipsec_var_run_t;
+		class dir search;
+		class sock_file write;
 		class unix_stream_socket connectto;
 	')

+	files_search_pids($1)
+	allow $1 ipsec_var_run_t:dir search;
+	allow $1 ipsec_var_run_t:sock_file write;
 	allow $1 ipsec_t:unix_stream_socket connectto;
 ')

--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@ -241,7 +241,7 @@ template(`base_user_template',`
 	')

 	optional_policy(`inetd.te',`
-		inetd_tcp_connectto($1_t)
+		inetd_tcp_connect($1_t)
 	')

 	optional_policy(`nis.te',`
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@ -130,7 +130,7 @@ ifdef(`targeted_policy',`
 		# at things (e.g., ipsec auto --status)
 		# probably should create an ipsec_admin role for this kind of thing
 		ipsec_exec_mgmt(sysadm_t)
-		ipsec_connectto_unix_stream_socket(sysadm_t)
+		ipsec_stream_connect(sysadm_t)
 		# for lsof
 		ipsec_getattr_key_socket(sysadm_t)
 	')