remove disable_trans booleans
This commit is contained in:
Chris PeBenito
parent
e9b0042f35
commit
ab514d6a89
|
|
@ -1,3 +1,4 @@
|
|||
- Remove disable_trans booleans.
|
||||
- Output different header sets for kernel and userland from flask headers.
|
||||
- Marked the pax class as deprecated, changed it to userland so
|
||||
it will be removed from the kernel.
|
||||
|
|
|
|||
|
|
@ -35,32 +35,9 @@ interface(`inetd_core_service_domain',`
|
|||
|
||||
role system_r types $1;
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
# this regex is a hack, since it assumes there is a
|
||||
# _t at the end of the domain type. If there is no _t
|
||||
# at the end of the type, it returns empty!
|
||||
ifdef(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'),`',`
|
||||
bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
|
||||
define(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'))
|
||||
')
|
||||
if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
|
||||
# can_exec(inetd_t,$2)
|
||||
# cjp: this must be wrong
|
||||
gen_require(`
|
||||
type initrc_t, unconfined_t;
|
||||
')
|
||||
can_exec({ unconfined_t initrc_t },$2)
|
||||
} else {
|
||||
domtrans_pattern(inetd_t,$2,$1)
|
||||
dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
|
||||
allow inetd_t $1:process sigkill;
|
||||
}
|
||||
',`
|
||||
domtrans_pattern(inetd_t,$2,$1)
|
||||
dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
|
||||
domtrans_pattern(inetd_t,$2,$1)
|
||||
|
||||
allow inetd_t $1:process sigkill;
|
||||
')
|
||||
allow inetd_t $1:process sigkill;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(inetd,1.2.2)
|
||||
policy_module(inetd,1.2.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
|||
|
|
@ -105,6 +105,8 @@ interface(`init_daemon_domain',`
|
|||
|
||||
role system_r types $1;
|
||||
|
||||
domtrans_pattern(initrc_t,$2,$1)
|
||||
|
||||
# daemons started from init will
|
||||
# inherit fds from init for the console
|
||||
init_dontaudit_use_fds($1)
|
||||
|
|
@ -130,25 +132,6 @@ interface(`init_daemon_domain',`
|
|||
')
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
# this regex is a hack, since it assumes there is a
|
||||
# _t at the end of the domain type. If there is no _t
|
||||
# at the end of the type, it returns empty!
|
||||
ifdef(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'),`',`
|
||||
bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
|
||||
define(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'))
|
||||
')
|
||||
if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
|
||||
can_exec(initrc_t,$2)
|
||||
can_exec(direct_run_init,$2)
|
||||
} else {
|
||||
domtrans_pattern(initrc_t,$2,$1)
|
||||
allow initrc_t $1:process { noatsecure siginh rlimitinh };
|
||||
}
|
||||
',`
|
||||
domtrans_pattern(initrc_t,$2,$1)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use($1)
|
||||
')
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(init,1.5.3)
|
||||
policy_module(init,1.5.4)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
|
|
|
|||
Loading…
Reference in New Issue