fix files_exec_usr_src_files

2005-10-07 18:48:43 +00:00 · 2005-10-07 18:48:43 +00:00 · 99505c1c89
commit 99505c1c89
parent 4f9f30c8df
2 changed files with 54 additions and 20 deletions
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@ -1968,6 +1968,25 @@ interface(`files_read_usr_files',`
 	allow $1 usr_t:{ file lnk_file } r_file_perms;
 ')

+########################################
+## <summary>
+##	Execute generic programs in /usr in the caller domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_exec_usr_files',`
+	gen_require(`
+		type usr_t;
+	')
+
+	allow $1 usr_t:dir r_dir_perms;
+	allow $1 usr_t:lnk_file r_file_perms;
+	can_exec($1,usr_t)
+
+')
+
 ########################################
 ## <summary>
 ##	Relabel a file to the type used in /usr.
@ -2041,18 +2060,15 @@ interface(`files_create_usr',`
 ##	The type of the process performing this action.
 ## </param>
 #
-interface(`files_exec_usr_files',`
+interface(`files_exec_usr_src_files',`
 	gen_require(`
 		type usr_t, src_t;
-		class dir r_dir_perms;
-		class lnk_file r_file_perms;
 	')

 	allow $1 usr_t:dir search;
 	allow $1 src_t:dir r_dir_perms;
 	allow $1 src_t:lnk_file r_file_perms;
 	can_exec($1,src_t)
-
 ')

 ########################################
@ -2062,7 +2078,6 @@ interface(`files_exec_usr_files',`
 interface(`files_dontaudit_search_src',`
 	gen_require(`
 		type src_t;
-                class dir search;
 	')

 	allow $1 src_t:dir search;
@ -2075,9 +2090,6 @@ interface(`files_dontaudit_search_src',`
 interface(`files_read_usr_src_files',`
 	gen_require(`
 		type usr_t, src_t;
-		class dir r_dir_perms;
-		class file r_file_perms;
-		class lnk_file r_file_perms;
 	')

 	allow $1 usr_t:dir search;
@ -2086,31 +2098,54 @@ interface(`files_read_usr_src_files',`
 ')

 ########################################
-#
-# files_search_var(domain)
+## <summary>
+##	Search the contents of /var.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
 #
 interface(`files_search_var',`
 	gen_require(`
 		type var_t;
-		class dir search;
 	')

 	allow $1 var_t:dir search;
 ')

 ########################################
-#
-# files_dontaudit_search_var(domain)
+## <summary>
+##	Do not audit attempts to search
+##	the contents of /var.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
 #
 interface(`files_dontaudit_search_var',`
 	gen_require(`
 		type var_t;
-		class dir search;
 	')

 	dontaudit $1 var_t:dir search;
 ')

+########################################
+## <summary>
+##	List the contents of /var.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_list_var',`
+	gen_require(`
+		type var_t;
+	')
+
+	allow $1 var_t:dir r_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete directories
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@ -210,7 +210,6 @@ template(`base_user_template',`
 	domain_dontaudit_getsession_all_domains($1_t)

 	files_exec_etc_files($1_t)
-	files_read_usr_src_files($1_t)
 	files_search_locks($1_t)
 	# old broswer_domain():
 	files_dontaudit_list_non_security($1_t)
@ -868,7 +867,7 @@ template(`admin_user_template',`
 	# for lsof
 	domain_getattr_all_sockets($1_t)

-	files_exec_usr_files($1_t)
+	files_exec_usr_src_files($1_t)

 	init_use_initctl($1_t)