diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index cebff466..098053bc 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -1,5 +1,7 @@
 # Copyright (C) 2005 Tresys Technology, LLC
+policy_module(bootloader,1.0)
+
 attribute can_modify_kernel_modules;
 #
diff --git a/refpolicy/policy/modules/kernel/corenetwork.te b/refpolicy/policy/modules/kernel/corenetwork.te
index cbaba0b3..e3412775 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.te
+++ b/refpolicy/policy/modules/kernel/corenetwork.te
@@ -1,5 +1,7 @@
 # Copyright (C) 2005 Tresys Technology, LLC
+policy_module(corenetwork,1.0)
+
 attribute netif_type;
 attribute node_type;
 attribute port_type;
diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te
index 1f067dd1..3fc8adff 100644
--- a/refpolicy/policy/modules/kernel/devices.te
+++ b/refpolicy/policy/modules/kernel/devices.te
@@ -1,5 +1,7 @@
 # Copyright (C) 2005 Tresys Technology, LLC
+policy_module(devices,1.0)
+
 #
 # Device types
 #
diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te
index 12fd268a..be8788ab 100644
--- a/refpolicy/policy/modules/kernel/filesystem.te
+++ b/refpolicy/policy/modules/kernel/filesystem.te
@@ -1,5 +1,7 @@
 # Copyright (C) 2005 Tresys Technology, LLC
+policy_module(filesystem,1.0)
+
 attribute fs_type;
 ########################################
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 67dd5f6a..0ed2dc53 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -207,7 +207,7 @@ class security setbool;
 #
 # kernel_setsecparam(domain,[`optional'])
 #
-define(`kernel_security_setsecparam',`
+define(`kernel_setsecparam',`
 requires_block_template(kernel_setsecparam_depend,$2)
 allow $1 security_t:dir { read search getattr };
 allow $1 security_t:file { getattr read write };
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 727cb743..a8173ef0 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -1,5 +1,7 @@
 # Copyright (C) 2005 Tresys Technology, LLC
+policy_module(kernel,1.0)
+
 attribute can_load_policy;
 attribute can_setenforce;
 attribute can_setsecparam;
diff --git a/refpolicy/policy/modules/kernel/storage.te b/refpolicy/policy/modules/kernel/storage.te
index ee2a6177..786adcc9 100644
--- a/refpolicy/policy/modules/kernel/storage.te
+++ b/refpolicy/policy/modules/kernel/storage.te
@@ -1,5 +1,7 @@
 # Copyright (C) 2005 Tresys Technology, LLC
+policy_module(storage,1.0)
+
 #
 # fixed_disk_device_t is the type of
 # /dev/hd* and /dev/sd*.
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index 40dad0e7..3887e741 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -11,6 +11,7 @@ allow $1 ptmx_t:chr_file { getattr read write };
 allow $1 devpts_t:dir { getattr search read };
 allow $1 devpts_t:filesystem getattr;
 allow $2 devpts_t:filesystem associate;
+dontaudit $1 bsdpty_device_t:chr_file { getattr read write };
 type_transition $1 devpts_t:chr_file $2;
 typeattribute $2 ptynode;
 ')
diff --git a/refpolicy/policy/modules/kernel/terminal.te b/refpolicy/policy/modules/kernel/terminal.te
index 5990aba2..8b1323ab 100644
--- a/refpolicy/policy/modules/kernel/terminal.te
+++ b/refpolicy/policy/modules/kernel/terminal.te
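Review bot: The new `dontaudit $1 bsdpty_device_t:chr_file { getattr read write };` in terminal.if references bsdpty_device_t, but no matching change to this template's `_depend` block is visible in the diff; the other interfaces in this commit (kernel.if, domain.if) declare every attribute and class they use in such a block, so unless the terminal `_depend` macro already carries `type bsdpty_device_t;` and `class chr_file { getattr read write };` the module will not resolve. A dontaudit rule also removes these denials from the audit log, so a one-line comment above it recording why the access is expected and safe to silence would help whoever later tunes auditing or investigates pty activity. The enclosing define starts before the hunk.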
@@ -1,5 +1,7 @@
 # Copyright (C) 2005 Tresys Technology, LLC
+policy_module(terminal,1.0)
+
 attribute ttynode;
 attribute ptynode;
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 7ef6f120..100c4a72 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -1,5 +1,7 @@
 # Copyright (C) 2005 Tresys Technology, LLC
+policy_module(authlogin,1.0)
+
 ########################################
 #
 # Declarations
diff --git a/refpolicy/policy/modules/system/corecommands.te b/refpolicy/policy/modules/system/corecommands.te
index 07c87cf6..025f600e 100644
--- a/refpolicy/policy/modules/system/corecommands.te
+++ b/refpolicy/policy/modules/system/corecommands.te
@@ -1,5 +1,7 @@
 # Copyright (C) 2005 Tresys Technology, LLC
+policy_module(corecommands,1.0)
+
 #
 # bin_t is the type of files in the system bin directories.
 #
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index ebcb4d25..de4070bc 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -53,9 +53,11 @@ requires_block_template(domain_make_entrypoint_file_depend,$3)
 allow $1 $2:file entrypoint;
 neverallow $1 ~{ $2 }:file entrypoint;
 files_make_file($2,$3)
+typeattribute $1 entry_type;
 ')
 define(`domain_make_entrypoint_file_depend',`
+attribute entry_type;
 class file entrypoint;
 ')
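Review bot: `typeattribute $1 entry_type;` in domain_make_entrypoint_file tags the wrong argument: in this template $1 is the domain (it is the subject of `allow $1 $2:file entrypoint;` and of the neverallow) and $2 is the entrypoint file type handed to `files_make_file($2,$3)`, while entry_type is declared in domain.te in this same commit as the attribute for "entrypoint executables" and is what domain_execute_all_entrypoint_programs grants `:file { getattr read execute execute_no_trans }` on. As written, process types are collected into entry_type and the actual entrypoint executables never are, so the new execute interface silently grants nothing it was meant to grant. The line should read `typeattribute $2 entry_type;`. The enclosing define starts before the hunk.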
@@ -196,3 +198,17 @@ class lnk_file { getattr read };
 class file { getattr read };
 class process { getattr getsession };
 ')
+
+########################################
+#
+# domain_execute_all_entrypoint_programs(domain,[`optional'])
+#
+define(`domain_execute_all_entrypoint_programs',`
+requires_block_template(domain_execute_all_entrypoint_programs_depend,$2)
+allow $1 entry_type:file { getattr read execute execute_no_trans };
+')
+
+define(`domain_execute_all_entrypoint_programs_depend',`
+attribute entry_type;
+class file { getattr read execute execute_no_trans };
+')
diff --git a/refpolicy/policy/modules/system/domain.te b/refpolicy/policy/modules/system/domain.te
index 4457c438..9eb85903 100644
--- a/refpolicy/policy/modules/system/domain.te
+++ b/refpolicy/policy/modules/system/domain.te
@@ -1,8 +1,13 @@
 # Copyright (C) 2005 Tresys Technology, LLC
+policy_module(domain,1.0)
+
 # Mark process types as domains
 attribute domain;
+# entrypoint executables
+attribute entry_type;
+
 # processes started by init itself
 attribute init_domain;
 attribute init_domain_entry;
diff --git a/refpolicy/policy/modules/system/files.te b/refpolicy/policy/modules/system/files.te
index 6cbfc072..66e22470 100644
--- a/refpolicy/policy/modules/system/files.te
+++ b/refpolicy/policy/modules/system/files.te
@@ -1,5 +1,7 @@
 # Copyright (C) 2005 Tresys Technology, LLC
+policy_module(files,1.0)
+
 attribute file_type;
 attribute lockfile;
 attribute pidfile;
diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te
index 4f6335d9..c97fdcb2 100644
--- a/refpolicy/policy/modules/system/getty.te
+++ b/refpolicy/policy/modules/system/getty.te
@@ -1,5 +1,7 @@
 # Copyright (C) 2005 Tresys Technology, LLC
+policy_module(getty,1.0)
+
 type getty_t; #, privfd
 type getty_exec_t;
 domain_make_init_domain(getty_t,getty_exec_t)
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 9b53826a..f0003769 100644
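Review bot: domain_execute_all_entrypoint_programs grants `execute_no_trans` on every entry_type file, which lets the caller run any other domain's entrypoint program while staying in its own domain and so sidesteps the transitions those entrypoints exist to force; the interface header only repeats the macro signature and should spell that out. A comment such as `# Execute every entrypoint program in the caller's own domain (no transition). Broad privilege: restrict to trusted domains and prefer per-program interfaces.` above the define would make the scope visible to callers. If the intent is only that the programs be readable and runnable via a transition, `execute_no_trans` is not needed and should be dropped from both the allow rule and the `_depend` class list.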
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -1,5 +1,7 @@
 # Copyright (C) 2005 Tresys Technology, LLC
+policy_module(init,1.0)
+
 #
 # init_t is the domain of the init process.
 #
diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te
index d8c5a939..5e071cca 100644
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@@ -1,5 +1,7 @@
 # Copyright (C) 2005 Tresys Technology, LLC
+policy_module(libraries,1.0)
+
 #
 # ld_so_cache_t is the type of /etc/ld.so.cache.
 #
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index de0a6e34..19870f30 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -1,5 +1,7 @@
 # Copyright (C) 2005 Tresys Technology, LLC
+policy_module(logging,1.0)
+
 attribute logfile;
 type devlog_t;
diff --git a/refpolicy/policy/modules/system/miscfiles.te b/refpolicy/policy/modules/system/miscfiles.te
index 9a20e6f6..c019681e 100644
--- a/refpolicy/policy/modules/system/miscfiles.te
+++ b/refpolicy/policy/modules/system/miscfiles.te
@@ -1,5 +1,7 @@
 # Copyright (C) 2005 Tresys Technology, LLC
+policy_module(miscfiles,1.0)
+
 #
 # catman_t is the type for /var/catman.
 #
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index 4b35f818..adcf70ef 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -1,5 +1,7 @@
 # Copyright (C) 2005 Tresys Technology, LLC
+policy_module(modutils,1.0)
+
 # module loading config
 type modules_conf_t;
 files_make_file(modules_conf_t)
diff --git a/refpolicy/policy/modules/system/selinux.te b/refpolicy/policy/modules/system/selinux.te
index 788beae7..7a2fece9 100644
--- a/refpolicy/policy/modules/system/selinux.te
+++ b/refpolicy/policy/modules/system/selinux.te
@@ -1,5 +1,7 @@
 # Copyright (C) 2005 Tresys Technology, LLC
+policy_module(selinux,1.0)
+
 #
 # selinux_config_t is the type applied to
 # /etc/selinux/config
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 788beae7..7a2fece9 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -1,5 +1,7 @@
 # Copyright (C) 2005 Tresys Technology, LLC
+policy_module(selinux,1.0)
+
 #
 # selinux_config_t is the type applied to
 # /etc/selinux/config
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index c60908ab..31ad590b 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -1,2 +1,6 @@
+# Copyright (C) 2005 Tresys Technology, LLC
+
+policy_module(sysnetwork,1.0)
+
 type net_conf_t alias resolv_conf_t;
 files_make_file(net_conf_t)
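Review bot: selinuxutil.te declares `policy_module(selinux,1.0)`, the same module name selinux.te declares in the hunk just above, so two modules in this tree would claim the name `selinux`; the line should be `policy_module(selinuxutil,1.0)`. Both file headers also carry identical blob ids (`788beae7..7a2fece9`) and identical context lines about selinux_config_t, which suggests selinuxutil.te is at this point a byte-for-byte copy of selinux.te rather than a distinct module — worth confirming that the duplicate file is intended before giving it a module header, since the declarations it contains (selinux_config_t and whatever follows) would otherwise be defined twice.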