more conversion due to new interfaces

This commit is contained in:
Chris PeBenito 2005-05-03 20:44:35 +00:00
parent 3ce6cb4a45
commit b2e0625ca1
2 changed files with 34 additions and 36 deletions


@ -279,6 +279,11 @@ optional_policy(`consoletype.te',`
consoletype_transition(initrc_t) consoletype_transition(initrc_t)
') ')
optional_policy(`modutils.te',`
modutils_depmod_transition(initrc_t)
modutils_update_modules_transition(initrc_t)
')
tunable_policy(`distro_redhat',` tunable_policy(`distro_redhat',`
kernel_set_selinux_enforcement_mode(initrc_t) kernel_set_selinux_enforcement_mode(initrc_t)
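Review bot: The new `optional_policy(`modutils.te',` block added after the consoletype block has no comment explaining why init scripts need to enter the depmod and update_modules domains, and since this hunk is what replaces the `domain_auto_trans(initrc_t, depmod_exec_t, depmod_t)` and `domain_auto_trans({ initrc_t sysadm_t }, update_modules_exec_t, update_modules_t)` rules removed from the modutils TODO blocks, that rationale is otherwise lost. Suggest `# depmod and update-modules are run from init scripts at boot` directly above the `optional_policy` line. The modutils TODO list still carries `allow insmod_t { init_t initrc_t }:fd use;` under "for loading modules at boot time", so an init-script transition to insmod may also belong here; confirm against the modutils interfaces before adding it. The enclosing file continues outside the hunk.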


@ -75,7 +75,12 @@ files_read_general_system_config(insmod_t)
files_read_general_application_resources(insmod_t) files_read_general_application_resources(insmod_t)
files_execute_system_config_script(insmod_t) files_execute_system_config_script(insmod_t)
init_use_file_descriptors(insmod_t)
init_script_use_file_descriptors(insmod_t)
init_script_use_pseudoterminal(insmod_t)
domain_signal_all_domains(insmod_t) domain_signal_all_domains(insmod_t)
domain_use_widely_inheritable_file_descriptors(insmod_t)
libraries_use_dynamic_loader(insmod_t) libraries_use_dynamic_loader(insmod_t)
libraries_read_shared_libraries(insmod_t) libraries_read_shared_libraries(insmod_t)
@ -92,22 +97,13 @@ optional_policy(`mount.te',`
mount_transition(insmod_t) mount_transition(insmod_t)
') ')
# ifdef(`TODO',`
#
# TODO rules:
#
#
ifdef(`TODO_list',`
# for loading modules at boot time
allow insmod_t { init_t initrc_t }:fd use;
allow insmod_t initrc_t:fifo_file { getattr read write }; allow insmod_t initrc_t:fifo_file { getattr read write };
allow insmod_t lib_t:file { getattr read }; allow insmod_t lib_t:file { getattr read };
allow insmod_t { var_t var_log_t }:dir search; allow insmod_t { var_t var_log_t }:dir search;
allow insmod_t privfd:fd use;
allow insmod_t apm_bios_t:chr_file { read write }; allow insmod_t apm_bios_t:chr_file { read write };
allow insmod_t sound_device_t:chr_file { read ioctl write }; allow insmod_t sound_device_t:chr_file { read ioctl write };
@ -120,8 +116,7 @@ allow insmod_t sysfs_t:dir search;
allow insmod_t usbfs_t:dir search; allow insmod_t usbfs_t:dir search;
allow insmod_t usbfs_t:filesystem mount; allow insmod_t usbfs_t:filesystem mount;
allow insmod_t { initrc_devpts_t admin_tty_type }:chr_file { getattr read write }; allow insmod_t admin_tty_type:chr_file { getattr read write };
allow insmod_t devpts_t:dir { getattr search };
# for when /var is not mounted early in the boot # for when /var is not mounted early in the boot
dontaudit insmod_t file_t:dir search; dontaudit insmod_t file_t:dir search;
@ -129,7 +124,7 @@ dontaudit insmod_t file_t:dir search;
# for nscd # for nscd
dontaudit insmod_t var_run_t:dir search; dontaudit insmod_t var_run_t:dir search;
') dnl if TODO_list ') dnl if TODO
######################################## ########################################
# #
@ -142,11 +137,10 @@ allow depmod_t depmod_exec_t:file { getattr read execute execute_no_trans };
allow depmod_t modules_conf_t:file { getattr read }; allow depmod_t modules_conf_t:file { getattr read };
allow depmod_t modules_dep_t:file { create ioctl read getattr lock write setattr append link unlink rename }; allow depmod_t modules_dep_t:file { create ioctl read getattr lock write setattr append link unlink rename };
bootloader_create_private_module_dir_entry(depmod_t,modules_dep_t)
kernel_read_system_state(depmod_t) kernel_read_system_state(depmod_t)
bootloader_create_private_module_dir_entry(depmod_t,modules_dep_t)
filesystem_get_persistent_filesystem_attributes(depmod_t) filesystem_get_persistent_filesystem_attributes(depmod_t)
terminal_use_console(depmod_t) terminal_use_console(depmod_t)
@ -154,28 +148,27 @@ terminal_use_console(depmod_t)
bootloader_read_kernel_symbol_table(depmod_t) bootloader_read_kernel_symbol_table(depmod_t)
bootloader_read_kernel_modules(depmod_t) bootloader_read_kernel_modules(depmod_t)
init_use_file_descriptors(depmod_t)
init_script_use_file_descriptors(depmod_t)
init_script_use_pseudoterminal(depmod_t)
domain_use_widely_inheritable_file_descriptors(depmod_t)
files_read_runtime_system_config(depmod_t) files_read_runtime_system_config(depmod_t)
files_read_general_system_config(depmod_t) files_read_general_system_config(depmod_t)
files_read_system_source_code(depmod_t)
libraries_use_dynamic_loader(depmod_t) libraries_use_dynamic_loader(depmod_t)
libraries_read_shared_libraries(depmod_t) libraries_read_shared_libraries(depmod_t)
ifdef(`TODO',` ifdef(`TODO',`
r_dir_file(depmod_t, src_t)
domain_auto_trans(initrc_t, depmod_exec_t, depmod_t)
allow depmod_t { bin_t sbin_t }:dir search; allow depmod_t { bin_t sbin_t }:dir search;
domain_auto_trans(sysadm_t, depmod_exec_t, depmod_t) domain_auto_trans(sysadm_t, depmod_exec_t, depmod_t)
# Inherit and use descriptors from init and login programs.
allow depmod_t { init_t privfd }:fd use;
# read system.map
allow depmod_t boot_t:file { getattr read };
# Access terminals. # Access terminals.
allow depmod_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms; allow depmod_t admin_tty_type:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;') ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
# Read System.map from home directories. # Read System.map from home directories.
@ -195,9 +188,12 @@ allow update_modules_t modules_dep_t:file { getattr read write };
allow update_modules_t insmod_exec_t:file { getattr read execute execute_no_trans }; allow update_modules_t insmod_exec_t:file { getattr read execute execute_no_trans };
allow update_modules_t update_modules_exec_t:file { getattr read execute execute_no_trans }; allow update_modules_t update_modules_exec_t:file { getattr read execute execute_no_trans };
bootloader_create_private_module_dir_entry(update_modules_t,modules_conf_t) # manage module loading configuration
allow update_modules_t modules_conf_t:file { create ioctl read getattr lock write setattr append link unlink rename }; allow update_modules_t modules_conf_t:file { create ioctl read getattr lock write setattr append link unlink rename };
bootloader_create_private_module_dir_entry(update_modules_t,modules_conf_t)
files_create_private_config(update_modules_t,modules_conf_t)
# transition to depmod
allow update_modules_t depmod_exec_t:file { getattr read execute }; allow update_modules_t depmod_exec_t:file { getattr read execute };
type_transition update_modules_t depmod_exec_t:process depmod_t; type_transition update_modules_t depmod_exec_t:process depmod_t;
@ -214,6 +210,12 @@ filesystem_get_persistent_filesystem_attributes(update_modules_t)
terminal_use_console(update_modules_t) terminal_use_console(update_modules_t)
terminal_use_controlling_terminal(update_modules_t) terminal_use_controlling_terminal(update_modules_t)
init_use_file_descriptors(depmod_t)
init_script_use_file_descriptors(depmod_t)
init_script_use_pseudoterminal(depmod_t)
domain_use_widely_inheritable_file_descriptors(depmod_t)
files_read_runtime_system_config(update_modules_t) files_read_runtime_system_config(update_modules_t)
files_read_general_system_config(update_modules_t) files_read_general_system_config(update_modules_t)
files_execute_system_config_script(update_modules_t) files_execute_system_config_script(update_modules_t)
@ -232,18 +234,9 @@ miscfiles_read_localization(update_modules_t)
ifdef(`TODO',` ifdef(`TODO',`
role sysadm_r types update_modules_t; role sysadm_r types update_modules_t;
domain_auto_trans(sysadm_t, update_modules_exec_t, update_modules_t)
domain_auto_trans({ initrc_t sysadm_t }, update_modules_exec_t, update_modules_t) allow update_modules_t admin_tty_type:chr_file rw_file_perms;
allow update_modules_t privfd:fd use;
allow update_modules_t init_t:fd use;
allow update_modules_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
allow update_modules_t devpts_t:dir search;
dontaudit update_modules_t sysadm_home_dir_t:dir search; dontaudit update_modules_t sysadm_home_dir_t:dir search;
allow update_modules_t lib_t:file { getattr read }; allow update_modules_t lib_t:file { getattr read };
file_type_auto_trans(update_modules_t, etc_t, modules_conf_t, file)
') dnl endif TODO ') dnl endif TODO
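Review bot: The four calls added after `terminal_use_controlling_terminal(update_modules_t)` in the `@ -214,6 +210,12 @@` hunk name `depmod_t`, but every neighbouring line in that hunk targets `update_modules_t` and the identical four calls for depmod_t are already added in the `@ -154,28 +148,27 @@` hunk, so they look like a copy-paste slip that leaves update_modules_t without the descriptor and pseudoterminal access the removed `allow update_modules_t privfd:fd use;` and `allow update_modules_t init_t:fd use;` rules granted. This matters because the `@ -232,18 +234,9 @@` hunk narrows `{ initrc_devpts_t admin_tty_type }:chr_file rw_file_perms` to `admin_tty_type` for update_modules_t, presumably relying on `init_script_use_pseudoterminal(update_modules_t)` to cover the init-script pty, which is never called as written. The update_modules_t section begins outside that hunk. Separately, the opening of the insmod TODO block in the `@ -92,22 +97,13 @@` hunk renders as `# ifdef(`TODO',`` while its closing line in the `@ -129,7 +124,7 @@` hunk is `') dnl if TODO`; if that leading `#` is really in the file rather than a rendering artefact, the closing quote is unbalanced, so check the raw diff.
```m4
terminal_use_controlling_terminal(update_modules_t)
init_use_file_descriptors(update_modules_t)
init_script_use_file_descriptors(update_modules_t)
init_script_use_pseudoterminal(update_modules_t)
domain_use_widely_inheritable_file_descriptors(update_modules_t)
# … unchanged: files_read_* and files_execute_system_config_script calls …
```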