some cleanup in the kernel layer

2006-07-25 15:23:13 +00:00 · 2006-07-25 15:23:13 +00:00 · 8b9ebd3769
commit 8b9ebd3769
parent 19ebf01d6a
3 changed files with 15 additions and 25 deletions
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@ -20,14 +20,6 @@ files_type(device_t)
 files_mountpoint(device_t)
 files_associate_tmp(device_t)
 # Only directories and symlinks should be labeled device_t.
 # If there are other files with this type, it is wrong.
 # Relabelto is allowed for setfiles to function, in case
 # a device node has no specific type yet, but is for some
 # reason labeled with a specific type
 #cjp: want this, but udev policy breaks this
 #neverallow domain device_t:{ file fifo_file sock_file chr_file blk_file } ~{ getattr setattr relabelfrom relabelto };
 #
 # Type for /dev/agpgart
 #
@ -206,4 +198,4 @@ files_associate_tmp(device_node)
 allow devices_unconfined_type self:capability sys_rawio;
 allow devices_unconfined_type device_node:{ blk_file chr_file } *;
-allow devices_unconfined_type mtrr_device_t:{ dir file } *;
+allow devices_unconfined_type mtrr_device_t:file *;
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@ -55,7 +55,7 @@ interface(`selinux_search_fs',`
 		type security_t;
 	')
-	allow $1 security_t:dir search;
+	allow $1 security_t:dir search_dir_perms;
 ')
 ########################################
@ -73,7 +73,7 @@ interface(`selinux_dontaudit_search_fs',`
 		type security_t;
 	')
-	dontaudit $1 security_t:dir search;
+	dontaudit $1 security_t:dir search_dir_perms;
 ')
 ########################################
@ -92,7 +92,7 @@ interface(`selinux_dontaudit_read_fs',`
 		type security_t;
 	')
-	dontaudit $1 security_t:dir search;
+	dontaudit $1 security_t:dir search_dir_perms;
 	dontaudit $1 security_t:file { getattr read };
 ')
@ -112,7 +112,7 @@ interface(`selinux_get_enforce_mode',`
 		type security_t;
 	')
-	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file { getattr read };
 ')
@ -144,7 +144,7 @@ interface(`selinux_set_enforce_mode',`
 		bool secure_mode_policyload;
 	')
-	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file { getattr read write };
 	typeattribute $1 can_setenforce;
@ -171,7 +171,7 @@ interface(`selinux_load_policy',`
 		bool secure_mode_policyload;
 	')
-	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file { getattr read write };
 	typeattribute $1 can_load_policy;
@ -208,8 +208,7 @@ interface(`selinux_set_boolean',`
 		bool secure_mode_policyload;
 	')
-	allow $1 security_t:dir search;
+	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:dir { getattr search read };
 	allow $1 security_t:file { getattr read write };
 	if(!secure_mode_policyload) {
@ -249,7 +248,7 @@ interface(`selinux_set_parameters',`
 		attribute can_setsecparam;
 	')
-	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file { getattr read write };
 	allow $1 security_t:security setsecparam;
 	auditallow $1 security_t:security setsecparam;
@ -271,7 +270,7 @@ interface(`selinux_validate_context',`
 		type security_t;
 	')
-	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file { getattr read write };
 	allow $1 security_t:security check_context;
 ')
@ -291,7 +290,7 @@ interface(`selinux_compute_access_vector',`
 		type security_t;
 	')
-	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file { getattr read write };
 	allow $1 security_t:security compute_av;
 ')
@ -311,7 +310,7 @@ interface(`selinux_compute_create_context',`
 		type security_t;
 	')
-	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file { getattr read write };
 	allow $1 security_t:security compute_create;
 ')
@ -332,7 +331,7 @@ interface(`selinux_compute_member',`
 		type security_t;
 	')
-	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file { getattr read write };
 	allow $1 security_t:security compute_member;
 ')
@ -361,7 +360,7 @@ interface(`selinux_compute_relabel_context',`
 		type security_t;
 	')
-	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file { getattr read write };
 	allow $1 security_t:security compute_relabel;
 ')
@ -381,7 +380,7 @@ interface(`selinux_compute_user_contexts',`
 		type security_t;
 	')
-	allow $1 security_t:dir { read search getattr };
+	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file { getattr read write };
 	allow $1 security_t:security compute_user;
 ')
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@ -308,7 +308,6 @@ interface(`term_dontaudit_search_ptys',`
 		type devpts_t;
 	')
 	dev_dontaudit_list_all_dev_nodes($1)
 	dontaudit $1 devpts_t:dir search;
 ')