From bff907113d1978edab89dbf36db98b40070a57b7 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 28 Nov 2006 15:57:22 +0000
Subject: [PATCH] fix dontaudit interface that was allowing instead of dontauditing; thanks to karl for pointing this out.
---
 policy/modules/kernel/devices.if | 38 +++++++++++++++----------------
 policy/modules/kernel/devices.te | 2 +-
 policy/modules/kernel/terminal.if | 2 --
 policy/modules/kernel/terminal.te | 2 +-
 4 files changed, 20 insertions(+), 24 deletions(-)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index e08e3936..1fd7ed9a 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -181,6 +181,24 @@ interface(`dev_relabel_generic_dev_dirs',`
 allow $1 device_t:dir { r_dir_perms relabelfrom relabelto };
 ')
+########################################
+##
+## dontaudit getattr generic files in /dev.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`dev_dontaudit_getattr_generic_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ dontaudit $1 device_t:file getattr;
+')
+
 ########################################
 ##
 ## Read and write generic files in /dev.
@@ -3230,23 +3248,3 @@ interface(`dev_unconfined',`
 typeattribute $1 devices_unconfined_type;
 ')
-
-########################################
-##
-## dontaudit getattr generic files in /dev.
-##
-##
-##
-## Domain to not audit.
-##
-##
-#
-interface(`dev_dontaudit_getattr_generic_files',`
- gen_require(`
- type device_t;
- ')
-
- allow $1 device_t:dir search;
- dontaudit $1 device_t:file getattr;
-')
-
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index d6695771..dc5668f4 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
-policy_module(devices,1.2.2)
+policy_module(devices,1.2.3)
 ########################################
 #
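Review bot: The relocated `dev_dontaudit_getattr_generic_files` now silences only `device_t:file getattr`, while the `allow $1 device_t:dir search;` removed in the second devices.if hunk was a real grant, so any caller that leaned on it for the stat() path will now raise an audited `search` denial on /dev instead of a silent one. If that denial is expected noise for those callers, add `dontaudit $1 device_t:dir search;` beside the existing dontaudit line; if callers are instead meant to obtain /dev search access through a proper read interface, that precondition belongs in the summary, e.g. `## Callers must already have search access to /dev; this interface grants no permissions.` The same question applies to `term_dontaudit_getattr_all_user_ptys` in the terminal.if hunk, which loses both its `dev_list_all_dev_nodes($1)` call and its `devpts_t:dir r_dir_perms` allow. Either way the narrowing is the right fix for a dontaudit interface, and the module version bumps in devices.te and terminal.te are appropriate so dependent modules get rebuilt against it.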
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 991d70d9..a73376b3 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -636,8 +636,6 @@ interface(`term_dontaudit_getattr_all_user_ptys',`
 attribute ptynode;
 ')
- dev_list_all_dev_nodes($1)
- allow $1 devpts_t:dir r_dir_perms;
 dontaudit $1 ptynode:chr_file getattr;
 ')
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index b4dbc4a6..06cddf73 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -1,5 +1,5 @@
-policy_module(terminal,1.2.1)
+policy_module(terminal,1.2.2)
 ########################################
 #