rpms/selinux-policy
5
0
Fork 0
Code Issues Pull Requests Releases Activity

change transition from run_init to initrc to spec.

Browse Source
This commit is contained in:
Chris PeBenito 2006-10-09 18:52:19 +00:00
parent f76d07072a
commit 93ddc66983
3 changed files with 82 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
policy/modules/system/init.if
View File

@ -579,7 +579,38 @@ interface(`init_script_file_entry_type',`
######################################## ########################################
## <summary> ## <summary>
## Execute init scripts with a domain transition. ## Execute init scripts with a specified domain transition.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_spec_domtrans_script',`
gen_require(`
type initrc_t, initrc_exec_t;
')
files_list_etc($1)
domain_trans($1,initrc_exec_t,initrc_t)
allow $1 self:process setexec;
allow initrc_t $1:fd use;
allow initrc_t $1:fifo_file rw_file_perms;
allow initrc_t $1:process sigchld;
ifdef(`enable_mcs',`
range_transition $1 initrc_exec_t:process s0;
')
ifdef(`enable_mls',`
range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
')
')
########################################
## <summary>
## Execute init scripts with an automatic domain transition.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>

2
policy/modules/system/init.te
View File

@ -1,5 +1,5 @@
policy_module(init,1.3.28) policy_module(init,1.3.29)
gen_require(` gen_require(`
class passwd rootok; class passwd rootok;

101
policy/modules/system/selinuxutil.te
View File

@ -1,5 +1,5 @@
policy_module(selinuxutil,1.2.16) policy_module(selinuxutil,1.2.17)
ifdef(`strict_policy',` ifdef(`strict_policy',`
gen_require(` gen_require(`
@ -480,6 +480,33 @@ optional_policy(`
# Run_init local policy # Run_init local policy
# #
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file rw_file_perms;
allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
# the failed access to the current directory
dontaudit run_init_t self:capability { dac_override dac_read_search };
fs_getattr_xattr_fs(run_init_t)
dev_dontaudit_list_all_dev_nodes(run_init_t)
term_dontaudit_list_ptys(run_init_t)
auth_domtrans_chk_passwd(run_init_t)
auth_dontaudit_read_shadow(run_init_t)
corecmd_exec_bin(run_init_t)
corecmd_exec_shell(run_init_t)
domain_use_interactive_fds(run_init_t)
files_read_etc_files(run_init_t)
files_dontaudit_search_all_dirs(run_init_t)
selinux_get_fs_mount(run_init_t) selinux_get_fs_mount(run_init_t)
selinux_validate_context(run_init_t) selinux_validate_context(run_init_t)
selinux_compute_access_vector(run_init_t) selinux_compute_access_vector(run_init_t)
@ -489,64 +516,34 @@ selinux_compute_user_contexts(run_init_t)
mls_rangetrans_source(run_init_t) mls_rangetrans_source(run_init_t)
ifdef(`direct_sysadm_daemon',`',` init_spec_domtrans_script(run_init_t)
# for utmp
init_rw_utmp(run_init_t)
libs_use_ld_so(run_init_t)
libs_use_shared_libs(run_init_t)
seutil_read_config(run_init_t)
seutil_read_default_contexts(run_init_t)
miscfiles_read_localization(run_init_t)
logging_send_syslog_msg(run_init_t)
ifndef(`direct_sysadm_daemon',`
ifdef(`distro_gentoo',` ifdef(`distro_gentoo',`
# Gentoo integrated run_init: # Gentoo integrated run_init:
init_script_file_entry_type(run_init_t) init_script_file_entry_type(run_init_t)
') ')
') ')
ifdef(`targeted_policy',`',` optional_policy(`
allow run_init_t self:process setexec; daemontools_domtrans_start(run_init_t)
allow run_init_t self:capability setuid; ')
allow run_init_t self:fifo_file rw_file_perms;
allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
# often the administrator runs such programs from a directory that is owned optional_policy(`
# by a different user or has restrictive SE permissions, do not want to audit nscd_socket_use(run_init_t)
# the failed access to the current directory ')
dontaudit run_init_t self:capability { dac_override dac_read_search };
fs_getattr_xattr_fs(run_init_t)
dev_dontaudit_list_all_dev_nodes(run_init_t)
term_dontaudit_list_ptys(run_init_t)
auth_domtrans_chk_passwd(run_init_t)
auth_dontaudit_read_shadow(run_init_t)
corecmd_exec_bin(run_init_t)
corecmd_exec_shell(run_init_t)
domain_use_interactive_fds(run_init_t)
files_read_etc_files(run_init_t)
files_dontaudit_search_all_dirs(run_init_t)
init_domtrans_script(run_init_t)
# for utmp
init_rw_utmp(run_init_t)
libs_use_ld_so(run_init_t)
libs_use_shared_libs(run_init_t)
seutil_read_config(run_init_t)
seutil_read_default_contexts(run_init_t)
miscfiles_read_localization(run_init_t)
logging_send_syslog_msg(run_init_t)
optional_policy(`
daemontools_domtrans_start(run_init_t)
')
optional_policy(`
nscd_socket_use(run_init_t)
')
') dnl end ifdef targeted policy
######################################## ########################################
# #