add disable_trans support

Chris PeBenito 2005-09-27 20:17:50 +00:00
parent 1f91e1bfe5
commit b03f960ece
2 changed files with 26 additions and 11 deletions


@ -1,3 +1,4 @@
- Add disable_*_trans bool support for targeted policy.
- Add MLS module to handle MLS constraint exceptions,
such as reading up and writing down.
- Fix errors uncovered by sediff.


@ -57,9 +57,6 @@ interface(`init_daemon_domain',`
attribute direct_run_init, direct_init, direct_init_entry;
type initrc_t;
role system_r;
class fifo_file rw_file_perms;
class fd use;
class process { noatsecure siginh rlimitinh sigchld };
')
domain_type($1)
@ -67,14 +64,6 @@ interface(`init_daemon_domain',`
role system_r types $1;
domain_auto_trans(initrc_t,$2,$1)
allow initrc_t $1:fd use;
allow initrc_t $1:process { noatsecure siginh rlimitinh };
allow $1 initrc_t:fd use;
allow $1 initrc_t:fifo_file rw_file_perms;
allow $1 initrc_t:process sigchld;
ifdef(`direct_sysadm_daemon',`
domain_auto_trans(direct_run_init,$2,$1)
@ -95,6 +84,31 @@ interface(`init_daemon_domain',`
files_dontaudit_read_root_file($1)
')
ifdef(`targeted_policy',`
# this regex is a hack, since it assumes there is a
# _t at the end of the domain type. If there is no _t
# at the end of the type, it returns empty!
bool regexp($1, `\(\w+\)_t', `disable_\1_trans') false;
if(! regexp($1, `\(\w+\)_t', `disable_\1_trans') ) {
domain_auto_trans(initrc_t,$2,$1)
allow initrc_t $1:fd use;
allow initrc_t $1:process { noatsecure siginh rlimitinh };
allow $1 initrc_t:fd use;
allow $1 initrc_t:fifo_file rw_file_perms;
allow $1 initrc_t:process sigchld;
} else {
can_exec(initrc_t,$2)
can_exec(direct_run_init,$2)
}
',`
domain_auto_trans(initrc_t,$2,$1)
allow initrc_t $1:fd use;
allow initrc_t $1:process { noatsecure siginh rlimitinh };
allow $1 initrc_t:fd use;
allow $1 initrc_t:fifo_file rw_file_perms;
allow $1 initrc_t:process sigchld;
')
optional_policy(`nscd.te',`
nscd_use_socket($1)
')
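Review bot: The `else` branch grants `can_exec(direct_run_init,$2)` unconditionally, while the corresponding transition in the non-targeted path (visible just above, `ifdef(`direct_sysadm_daemon',` / `domain_auto_trans(direct_run_init,$2,$1)`) is gated on `direct_sysadm_daemon`; unless that asymmetry is intended, the exec grant should sit under the same guard, `ifdef(`direct_sysadm_daemon',` / `can_exec(direct_run_init,$2)` / `')`. The consequence of the bool is also worth spelling out for policy readers, since it is a deliberate loss of confinement: a comment such as `# when disable_<name>_trans is on, the daemon is executed without a domain transition and keeps running in initrc_t (and direct_run_init), i.e. it is effectively unconfined under targeted policy` would make that explicit. The existing note about the regex hack says the capture "returns empty" for a type without a trailing `_t` but not what that means in practice; presumably `bool  false;` then fails at policy compile time rather than silently disabling the toggle, which is the safer outcome and worth stating. If this interface can be invoked more than once for the same `$1`, the `bool` declaration inside the interface body would be emitted twice — worth confirming against callers. The `init_daemon_domain` interface continues past the end of this hunk.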