From 8b9ebd37693b8abb422f748b4b71e4c8bf5613fe Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 25 Jul 2006 15:23:13 +0000
Subject: [PATCH] some cleanup in the kernel layer
---
 policy/modules/kernel/devices.te | 10 +---------
 policy/modules/kernel/selinux.if | 29 ++++++++++++++--------------
 policy/modules/kernel/terminal.if | 1 -
 3 files changed, 15 insertions(+), 25 deletions(-)
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 8edb0f58..a1940b41 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -20,14 +20,6 @@ files_type(device_t)
 files_mountpoint(device_t)
 files_associate_tmp(device_t)
-# Only directories and symlinks should be labeled device_t.
-# If there are other files with this type, it is wrong.
-# Relabelto is allowed for setfiles to function, in case
-# a device node has no specific type yet, but is for some
-# reason labeled with a specific type
-#cjp: want this, but udev policy breaks this
-#neverallow domain device_t:{ file fifo_file sock_file chr_file blk_file } ~{ getattr setattr relabelfrom relabelto };
-
 #
 # Type for /dev/agpgart
 #
@@ -206,4 +198,4 @@ files_associate_tmp(device_node)
 allow devices_unconfined_type self:capability sys_rawio;
 allow devices_unconfined_type device_node:{ blk_file chr_file } *;
-allow devices_unconfined_type mtrr_device_t:{ dir file } *;
+allow devices_unconfined_type mtrr_device_t:file *;
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index f080e2a0..c4f9d7e3 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -55,7 +55,7 @@ interface(`selinux_search_fs',`
 type security_t;
 ')
- allow $1 security_t:dir search;
+ allow $1 security_t:dir search_dir_perms;
 ')
 ########################################
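Review bot: Dropping `dir` from the devices_unconfined_type rule on mtrr_device_t (the `@@ -206,4 +198,4 @@` hunk) is a behavioral narrowing, not only cleanup, and the commit message does not mention it; if any file_contexts entry still labels a directory mtrr_device_t, unconfined device domains lose all access to it. I would confirm that mtrr_device_t is applied only to file objects (presumably the /proc and /dev mtrr nodes) before merging, and state that in the commit message. A one-line comment above the rule, `# mtrr_device_t labels files only; no dir access is needed`, would keep the next reader from re-adding `dir`.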
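Review bot: In the selinux_search_fs hunk, `search_dir_perms` is a permission set, so this is a widening rather than a rename if the set expands to more than `search` (in refpolicy it is `{ getattr search }`, as far as I recall), and the same applies to the dontaudit variants changed later in this patch. On selinuxfs the extra getattr is harmless, but the commit message calls this cleanup; a short note in the message that the interface now grants getattr on security_t directories would make the intent clear. The selinux_search_fs body starts before this hunk (its gen_require block is not shown).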
@@ -73,7 +73,7 @@ interface(`selinux_dontaudit_search_fs',`
 type security_t;
 ')
- dontaudit $1 security_t:dir search;
+ dontaudit $1 security_t:dir search_dir_perms;
 ')
 ########################################
@@ -92,7 +92,7 @@ interface(`selinux_dontaudit_read_fs',`
 type security_t;
 ')
- dontaudit $1 security_t:dir search;
+ dontaudit $1 security_t:dir search_dir_perms;
 dontaudit $1 security_t:file { getattr read };
 ')
@@ -112,7 +112,7 @@ interface(`selinux_get_enforce_mode',`
 type security_t;
 ')
- allow $1 security_t:dir { read search getattr };
+ allow $1 security_t:dir list_dir_perms;
 allow $1 security_t:file { getattr read };
 ')
@@ -144,7 +144,7 @@ interface(`selinux_set_enforce_mode',`
 bool secure_mode_policyload;
 ')
- allow $1 security_t:dir { read search getattr };
+ allow $1 security_t:dir list_dir_perms;
 allow $1 security_t:file { getattr read write };
 typeattribute $1 can_setenforce;
@@ -171,7 +171,7 @@ interface(`selinux_load_policy',`
 bool secure_mode_policyload;
 ')
- allow $1 security_t:dir { read search getattr };
+ allow $1 security_t:dir list_dir_perms;
 allow $1 security_t:file { getattr read write };
 typeattribute $1 can_load_policy;
@@ -208,8 +198,7 @@ interface(`selinux_set_boolean',`
 bool secure_mode_policyload;
 ')
- allow $1 security_t:dir search;
- allow $1 security_t:dir { getattr search read };
+ allow $1 security_t:dir list_dir_perms;
 allow $1 security_t:file { getattr read write };
 if(!secure_mode_policyload) {
@@ -249,7 +248,7 @@ interface(`selinux_set_parameters',`
 attribute can_setsecparam;
 ')
- allow $1 security_t:dir { read search getattr };
+ allow $1 security_t:dir list_dir_perms;
 allow $1 security_t:file { getattr read write };
 allow $1 security_t:security setsecparam;
 auditallow $1 security_t:security setsecparam;
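Review bot: Replacing `{ read search getattr }` with `list_dir_perms` in selinux_set_enforce_mode and selinux_load_policy grants whatever that set expands to; if it is refpolicy's usual `{ getattr search read lock ioctl }` (I cannot verify the definition from this patch), this is a small widening on security_t directories rather than a pure rename. The extra permissions are harmless on selinuxfs in practice, but these two interfaces are the ones that hand out the can_setenforce and can_load_policy attributes, so I would name the widening explicitly in the commit message instead of leaving it under "some cleanup". The duplicate `allow $1 security_t:dir search;` removed from selinux_set_boolean is a genuine cleanup and needs no further note. Each interface body starts before its hunk (the gen_require block) and, for set_enforce_mode, load_policy and set_boolean, continues past it.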
@@ -271,7 +270,7 @@ interface(`selinux_validate_context',`
 type security_t;
 ')
- allow $1 security_t:dir { read search getattr };
+ allow $1 security_t:dir list_dir_perms;
 allow $1 security_t:file { getattr read write };
 allow $1 security_t:security check_context;
 ')
@@ -291,7 +290,7 @@ interface(`selinux_compute_access_vector',`
 type security_t;
 ')
- allow $1 security_t:dir { read search getattr };
+ allow $1 security_t:dir list_dir_perms;
 allow $1 security_t:file { getattr read write };
 allow $1 security_t:security compute_av;
 ')
@@ -311,7 +310,7 @@ interface(`selinux_compute_create_context',`
 type security_t;
 ')
- allow $1 security_t:dir { read search getattr };
+ allow $1 security_t:dir list_dir_perms;
 allow $1 security_t:file { getattr read write };
 allow $1 security_t:security compute_create;
 ')
@@ -332,7 +331,7 @@ interface(`selinux_compute_member',`
 type security_t;
 ')
- allow $1 security_t:dir { read search getattr };
+ allow $1 security_t:dir list_dir_perms;
 allow $1 security_t:file { getattr read write };
 allow $1 security_t:security compute_member;
 ')
@@ -361,7 +360,7 @@ interface(`selinux_compute_relabel_context',`
 type security_t;
 ')
- allow $1 security_t:dir { read search getattr };
+ allow $1 security_t:dir list_dir_perms;
 allow $1 security_t:file { getattr read write };
 allow $1 security_t:security compute_relabel;
 ')
@@ -381,7 +380,7 @@ interface(`selinux_compute_user_contexts',`
 type security_t;
 ')
- allow $1 security_t:dir { read search getattr };
+ allow $1 security_t:dir list_dir_perms;
 allow $1 security_t:file { getattr read write };
 allow $1 security_t:security compute_user;
 ')
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 04b2dc25..f0a216c1 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -308,7 +308,6 @@ interface(`term_dontaudit_search_ptys',`
 type devpts_t;
 ')
- dev_dontaudit_list_all_dev_nodes($1)
 dontaudit $1 devpts_t:dir search;
 ')
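Review bot: After the terminal.if hunk, term_dontaudit_search_ptys silences only `dontaudit $1 devpts_t:dir search;`, so a caller that relied on it to also quiet traversal of /dev on the way to /dev/pts may now start logging device_t:dir denials; that is probably the intent (the removed call dontaudited listing of every device node, far more than a search), but it is a visible change for callers and the commit message does not mention it. I would say so in the message and add to the interface's doc comment, which sits above this hunk, a line such as `## This does not cover traversal of /dev itself; use a devices interface for that.` The interface body starts before the hunk (its gen_require block is not shown).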