From 99505c1c89533574bb933a874b8820bad6c6323a Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Fri, 7 Oct 2005 18:48:43 +0000 Subject: [PATCH] fix files_exec_usr_src_files --- refpolicy/policy/modules/system/files.if | 71 ++++++++++++++----- refpolicy/policy/modules/system/userdomain.if | 3 +- 2 files changed, 54 insertions(+), 20 deletions(-) diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index 742d6370..d365295a 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if @@ -1968,6 +1968,25 @@ interface(`files_read_usr_files',` allow $1 usr_t:{ file lnk_file } r_file_perms; ') +######################################## +## +## Execute generic programs in /usr in the caller domain. +## +## +## The type of the process performing this action. +## +# +interface(`files_exec_usr_files',` + gen_require(` + type usr_t; + ') + + allow $1 usr_t:dir r_dir_perms; + allow $1 usr_t:lnk_file r_file_perms; + can_exec($1,usr_t) + +') + ######################################## ## ## Relabel a file to the type used in /usr. @@ -2041,18 +2060,15 @@ interface(`files_create_usr',` ## The type of the process performing this action. ## # -interface(`files_exec_usr_files',` +interface(`files_exec_usr_src_files',` gen_require(` type usr_t, src_t; - class dir r_dir_perms; - class lnk_file r_file_perms; ') allow $1 usr_t:dir search; allow $1 src_t:dir r_dir_perms; allow $1 src_t:lnk_file r_file_perms; can_exec($1,src_t) - ') ######################################## @@ -2060,12 +2076,11 @@ interface(`files_exec_usr_files',` # files_dontaudit_search_src(domain) # interface(`files_dontaudit_search_src',` - gen_require(` - type src_t; - class dir search; - ') + gen_require(` + type src_t; + ') - allow $1 src_t:dir search; + allow $1 src_t:dir search; ') ######################################## @@ -2075,9 +2090,6 @@ interface(`files_dontaudit_search_src',` interface(`files_read_usr_src_files',` gen_require(` type usr_t, src_t; - class dir r_dir_perms; - class file r_file_perms; - class lnk_file r_file_perms; ') allow $1 usr_t:dir search; @@ -2086,31 +2098,54 @@ interface(`files_read_usr_src_files',` ') ######################################## -# -# files_search_var(domain) +## +## Search the contents of /var. +## +## +## Domain allowed access. +## # interface(`files_search_var',` gen_require(` type var_t; - class dir search; ') allow $1 var_t:dir search; ') ######################################## -# -# files_dontaudit_search_var(domain) +## +## Do not audit attempts to search +## the contents of /var. +## +## +## Domain to not audit. +## # interface(`files_dontaudit_search_var',` gen_require(` type var_t; - class dir search; ') dontaudit $1 var_t:dir search; ') +######################################## +## +## List the contents of /var. +## +## +## Domain allowed access. +## +# +interface(`files_list_var',` + gen_require(` + type var_t; + ') + + allow $1 var_t:dir r_dir_perms; +') + ######################################## ## ## Create, read, write, and delete directories diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 55a87ef3..bcfde858 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -210,7 +210,6 @@ template(`base_user_template',` domain_dontaudit_getsession_all_domains($1_t) files_exec_etc_files($1_t) - files_read_usr_src_files($1_t) files_search_locks($1_t) # old broswer_domain(): files_dontaudit_list_non_security($1_t) @@ -868,7 +867,7 @@ template(`admin_user_template',` # for lsof domain_getattr_all_sockets($1_t) - files_exec_usr_files($1_t) + files_exec_usr_src_files($1_t) init_use_initctl($1_t)