diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te index be05fd9b..1b117a0d 100644 --- a/refpolicy/policy/modules/admin/consoletype.te +++ b/refpolicy/policy/modules/admin/consoletype.te @@ -8,11 +8,10 @@ policy_module(consoletype, 1.0) # type consoletype_t; -domain_make_domain(consoletype_t) -role system_r types consoletype_t; - type consoletype_exec_t; -domain_make_entrypoint_file(consoletype_t,consoletype_exec_t) +domain_make_init_domain(consoletype_t,consoletype_exec_t) +domain_make_system_domain(consoletype_t,consoletype_exec_t) +role system_r types consoletype_t; ######################################## # diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te index d00bcaaa..7d0bb6cc 100644 --- a/refpolicy/policy/modules/admin/usermanage.te +++ b/refpolicy/policy/modules/admin/usermanage.te @@ -30,11 +30,9 @@ type crack_tmp_t; files_make_file(crack_tmp_t) type groupadd_t; #, privowner, nscd_client_domain; -domain_make_domain(groupadd_t) -role system_r types groupadd_t; - type groupadd_exec_t; -domain_make_entrypoint_file(groupadd_t,groupadd_exec_t) +domain_make_system_domain(groupadd_t,groupadd_exec_t) +role system_r types groupadd_t; type passwd_t; #,auth_write, privowner; domain_make_domain(passwd_t) @@ -51,11 +49,9 @@ type sysadm_passwd_tmp_t; files_make_file(sysadm_passwd_tmp_t) type useradd_t; #, privowner, nscd_client_domain; -domain_make_domain(useradd_t) -role system_r types useradd_t; - type useradd_exec_t; -domain_make_entrypoint_file(useradd_t,useradd_exec_t) +domain_make_system_domain(useradd_t,useradd_exec_t) +role system_r types useradd_t; ######################################## # diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te index 90a305cf..fc9b5406 100644 --- a/refpolicy/policy/modules/system/authlogin.te +++ b/refpolicy/policy/modules/system/authlogin.te @@ -20,7 +20,7 @@ files_make_file(login_exec_t) type pam_console_t; type pam_console_exec_t; -domain_make_daemon_domain(pam_console_t,pam_console_exec_t) +domain_make_system_domain(pam_console_t,pam_console_exec_t) role system_r types pam_console_t; domain_make_entrypoint_file(pam_console_t,pam_console_exec_t) diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te index 9b499e83..988aa866 100644 --- a/refpolicy/policy/modules/system/hotplug.te +++ b/refpolicy/policy/modules/system/hotplug.te @@ -9,7 +9,7 @@ policy_module(hotplug, 1.0) type hotplug_t; type hotplug_exec_t; -domain_make_daemon_domain(hotplug_t,hotplug_exec_t) +domain_make_system_domain(hotplug_t,hotplug_exec_t) type hotplug_etc_t; #, usercanread; files_make_file(hotplug_etc_t) diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 6111e34f..a3d32e4b 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -2,6 +2,11 @@ policy_module(init,1.0) +######################################## +# +# Declarations +# + # # init_t is the domain of the init process. # @@ -30,7 +35,6 @@ devices_create_dev_entry(init_t,initctl_t,fifo_file) # type init_var_run_t; files_make_file(init_var_run_t) -files_create_daemon_runtime_data(init_t,init_var_run_t) type initrc_t; domain_make_domain(initrc_t) @@ -53,7 +57,6 @@ files_make_file(initrc_state_t) type initrc_tmp_t; files_make_file(initrc_tmp_t) -files_create_private_tmp_data(initrc_t,initrc_tmp_t) type run_init_t; domain_make_domain(run_init_t) @@ -71,6 +74,7 @@ allow init_t init_exec_t:file { getattr read execute execute_no_trans }; # For /var/run/shutdown.pid. allow init_t init_var_run_t:file { create getattr read append write setattr unlink }; +files_create_daemon_runtime_data(init_t,init_var_run_t) # Run init scripts. this is ok since initrc # is also in this module @@ -140,21 +144,13 @@ allow init_t self:capability ~sys_module; # Modify utmp. allow init_t initrc_var_run_t:file { getattr read write setattr }; -optional_policy(`consoletype.te',` -consoletype_execute(init_t,optional) -') - -######################################## -# -# the following still need to be converted over -# - +ifdef(`TODO',` # something other then static libs allow init_t lib_t:file { getattr read }; # for mount points allow init_t file_t:dir search; - +') dnl end TODO ######################################## # @@ -179,6 +175,10 @@ allow initrc_t initrc_state_t:lnk_file { create read getattr setattr unlink rena allow initrc_t self:tcp_socket { connect listen accept create ioctl read getattr write setattr append bind getopt setopt shutdown }; allow initrc_t self:udp_socket { connect create ioctl read getattr write setattr append bind getopt setopt shutdown }; +allow initrc_t initrc_tmp_t : file { create ioctl read getattr lock write setattr append link unlink rename }; +allow initrc_t initrc_tmp_t : dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; +files_create_private_tmp_data(initrc_t,initrc_tmp_t, { file dir }) + kernel_read_system_state(initrc_t) kernel_read_software_raid_state(initrc_t) kernel_read_network_state(initrc_t) @@ -280,23 +280,6 @@ authlogin_pam_read_runtime_data(initrc_t) authlogin_pam_remove_runtime_data(initrc_t) ') -optional_policy(`consoletype.te',` -consoletype_transition(initrc_t) -') - -optional_policy(`modutils.te',` -modutils_depmod_transition(initrc_t) -modutils_update_modules_transition(initrc_t) -') - -optional_policy(`mount.te',` -mount_transition(initrc_t) -') - -optional_policy(`sysnetwork.te',` -sysnetwork_ifconfig_transition(initrc_t) -') - tunable_policy(`distro_redhat',` kernel_set_selinux_enforcement_mode(initrc_t) diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te index aea9ca7f..e9e4b2c6 100644 --- a/refpolicy/policy/modules/system/iptables.te +++ b/refpolicy/policy/modules/system/iptables.te @@ -9,7 +9,7 @@ policy_module(iptables, 1.0) type iptables_t; type iptables_exec_t; -domain_make_daemon_domain(iptables_t,iptables_exec_t) +domain_make_system_domain(iptables_t,iptables_exec_t) role system_r types iptables_t; type iptables_tmp_t; diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te index 8a315b23..9b363651 100644 --- a/refpolicy/policy/modules/system/modutils.te +++ b/refpolicy/policy/modules/system/modutils.te @@ -11,25 +11,19 @@ type modules_dep_t; files_make_file(modules_dep_t) type insmod_t; -domain_make_domain(insmod_t) +type insmod_exec_t; +domain_make_system_domain(insmod_t,insmod_exec_t) role system_r types insmod_t; -type insmod_exec_t; -domain_make_entrypoint_file(insmod_t,insmod_exec_t) - type depmod_t; -domain_make_domain(depmod_t) +type depmod_exec_t; +domain_make_system_domain(depmod_t,depmod_exec_t) role system_r types depmod_t; -type depmod_exec_t; -domain_make_entrypoint_file(depmod_t,depmod_exec_t) - type update_modules_t; -domain_make_domain(update_modules_t) -role system_r types update_modules_t; - type update_modules_exec_t; -domain_make_entrypoint_file(update_modules_t,update_modules_exec_t) +domain_make_system_domain(update_modules_t,update_modules_exec_t) +role system_r types update_modules_t; type update_modules_tmp_t; files_make_file(update_modules_tmp_t) diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te index 60653599..e2921093 100644 --- a/refpolicy/policy/modules/system/mount.te +++ b/refpolicy/policy/modules/system/mount.te @@ -1,11 +1,9 @@ # Copyright (C) 2005 Tresys Technology, LLC type mount_t; -domain_make_domain(mount_t) -role system_r types mount_t; - type mount_exec_t; -domain_make_entrypoint_file(mount_t,mount_exec_t) +domain_make_system_domain(mount_t,mount_exec_t) +role system_r types mount_t; type mount_tmp_t; files_make_file(mount_tmp_t) diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te index ddd1f26c..26e78176 100644 --- a/refpolicy/policy/modules/system/sysnetwork.te +++ b/refpolicy/policy/modules/system/sysnetwork.te @@ -10,6 +10,7 @@ policy_module(sysnetwork,1.0) type dhcpc_t; type dhcpc_exec_t; domain_make_daemon_domain(dhcpc_t,dhcpc_exec_t) +role system_r types dhcpc_t; type dhcpc_state_t; files_make_file(dhcpc_state_t) @@ -21,11 +22,9 @@ type dhcpc_var_run_t; files_make_file(dhcpc_var_run_t) type ifconfig_t; -domain_make_domain(ifconfig_t) -role system_r types ifconfig_t; - type ifconfig_exec_t; -domain_make_entrypoint_file(ifconfig_t, ifconfig_exec_t) +domain_make_system_domain(ifconfig_t, ifconfig_exec_t) +role system_r types ifconfig_t; type net_conf_t alias resolv_conf_t; files_make_file(net_conf_t)