remove disable_trans booleans

Chris PeBenito 2007-03-23 21:01:49 +00:00
parent e9b0042f35
commit ab514d6a89
5 changed files with 7 additions and 46 deletions


@ -1,3 +1,4 @@
- Remove disable_trans booleans.
- Output different header sets for kernel and userland from flask headers. - Output different header sets for kernel and userland from flask headers.
- Marked the pax class as deprecated, changed it to userland so - Marked the pax class as deprecated, changed it to userland so
it will be removed from the kernel. it will be removed from the kernel.


@ -35,32 +35,9 @@ interface(`inetd_core_service_domain',`
role system_r types $1; role system_r types $1;
ifdef(`targeted_policy',` domtrans_pattern(inetd_t,$2,$1)
# this regex is a hack, since it assumes there is a
# _t at the end of the domain type. If there is no _t
# at the end of the type, it returns empty!
ifdef(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'),`',`
bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
define(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'))
')
if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
# can_exec(inetd_t,$2)
# cjp: this must be wrong
gen_require(`
type initrc_t, unconfined_t;
')
can_exec({ unconfined_t initrc_t },$2)
} else {
domtrans_pattern(inetd_t,$2,$1)
dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
allow inetd_t $1:process sigkill;
}
',`
domtrans_pattern(inetd_t,$2,$1)
dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
allow inetd_t $1:process sigkill; allow inetd_t $1:process sigkill;
')
') ')
######################################## ########################################
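Review bot: The explicit `dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };` appears to be dropped from inetd_core_service_domain together with the boolean block, while `allow inetd_t $1:process sigkill;` is kept. If `domtrans_pattern` (defined outside this page) does not already carry that dontaudit, every inetd-spawned service will start producing AVC denials for these three permissions, which adds noise to audit review. I would either keep the line after `domtrans_pattern(inetd_t,$2,$1)` or add a comment such as `# noatsecure/siginh/rlimitinh are dontaudited by domtrans_pattern`. The interface begins above the hunk.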


@ -1,5 +1,5 @@
policy_module(inetd,1.2.2) policy_module(inetd,1.2.3)
######################################## ########################################
# #


@ -105,6 +105,8 @@ interface(`init_daemon_domain',`
role system_r types $1; role system_r types $1;
domtrans_pattern(initrc_t,$2,$1)
# daemons started from init will # daemons started from init will
# inherit fds from init for the console # inherit fds from init for the console
init_dontaudit_use_fds($1) init_dontaudit_use_fds($1)
@ -130,25 +132,6 @@ interface(`init_daemon_domain',`
') ')
') ')
ifdef(`targeted_policy',`
# this regex is a hack, since it assumes there is a
# _t at the end of the domain type. If there is no _t
# at the end of the type, it returns empty!
ifdef(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'),`',`
bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
define(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'))
')
if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
can_exec(initrc_t,$2)
can_exec(direct_run_init,$2)
} else {
domtrans_pattern(initrc_t,$2,$1)
allow initrc_t $1:process { noatsecure siginh rlimitinh };
}
',`
domtrans_pattern(initrc_t,$2,$1)
')
optional_policy(` optional_policy(`
nscd_socket_use($1) nscd_socket_use($1)
') ')
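Review bot: In init_daemon_domain the removed targeted_policy branch held `allow initrc_t $1:process { noatsecure siginh rlimitinh };`, and the new side has only `domtrans_pattern(initrc_t,$2,$1)`, so targeted policy loses those three permissions as well as the boolean. That is a tightening (daemons started from init scripts would now get secure-exec environment handling and no inherited signal state or resource limits), but neither the commit title nor the Changelog line mentions it, and it may change daemon behaviour. I would extend the Changelog entry, e.g. `- Remove disable_trans booleans; targeted policy no longer allows initrc_t noatsecure/siginh/rlimitinh on daemon domains.` The interface body starts above the first hunk and continues past the second.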


@ -1,5 +1,5 @@
policy_module(init,1.5.3) policy_module(init,1.5.4)
gen_require(` gen_require(`
class passwd rootok; class passwd rootok;