clean up some hacks

This commit is contained in:
Chris PeBenito 2005-11-15 18:47:20 +00:00
parent 7b062eac78
commit c6d4c8f186
13 changed files with 76 additions and 31 deletions

View File

@ -529,6 +529,23 @@ interface(`apache_dontaudit_append_log',`
dontaudit $1 httpd_log_t:file { getattr append }; dontaudit $1 httpd_log_t:file { getattr append };
') ')
########################################
## <summary>
## Do not audit attempts to search Apache
## module directories.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`apache_dontaudit_search_modules',`
gen_require(`
type httpd_modules_t;
')
allow $1 httpd_modules_t:dir r_dir_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Allow the specified domain to list ## Allow the specified domain to list

View File

@ -1,5 +1,5 @@
policy_module(apache,1.0) policy_module(apache,1.0.1)
# #
# NOTES: # NOTES:

View File

@ -1,5 +1,5 @@
policy_module(xdm,1.0) policy_module(xdm,1.0.1)
######################################## ########################################
# #
@ -100,6 +100,10 @@ ifdef(`targeted_policy',`
files_create_var_lib(xdm_t,xdm_var_lib_t) files_create_var_lib(xdm_t,xdm_var_lib_t)
') ')
optional_policy(`locallogin.te',`
locallogin_signull(xdm_t)
')
ifdef(`TODO',` ifdef(`TODO',`
# cjp: TODO: integrate strict policy: # cjp: TODO: integrate strict policy:
daemon_domain(xdm, `, privuser, privrole, auth_chkpwd, privowner, privmem, nscd_client_domain') daemon_domain(xdm, `, privuser, privrole, auth_chkpwd, privowner, privmem, nscd_client_domain')

View File

@ -10,17 +10,31 @@
######################################## ########################################
## <summary> ## <summary>
## Create a aliased type to bin_t. ## Create a aliased type to generic bin files.
## </summary> ## </summary>
## <desc>
## <p>
## Create a aliased type to generic bin files.
## </p>
## <p>
## This is added to support targeted policy. Its
## use should be limited. It has no effect
## on the strict policy.
## </p>
## </desc>
## <param name="domain"> ## <param name="domain">
## Alias type for bin_t. ## Alias type for bin_t.
## </param> ## </param>
interface(`corecmd_bin_alias',` interface(`corecmd_bin_alias',`
gen_require(` ifdef(`targeted_policy',`
type bin_t; gen_require(`
') type bin_t;
')
typealias bin_t alias $1; typealias bin_t alias $1;
',`
errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
')
') ')
######################################## ########################################

View File

@ -1,5 +1,5 @@
policy_module(corecommands,1.0) policy_module(corecommands,1.0.1)
######################################## ########################################
# #

View File

@ -499,7 +499,6 @@ optional_policy(`dbus.te',`
dbus_send_system_bus_msg(initrc_t) dbus_send_system_bus_msg(initrc_t)
# FIXME # FIXME
allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc };
allow initrc_t system_dbusd_t:unix_stream_socket connectto; allow initrc_t system_dbusd_t:unix_stream_socket connectto;
allow initrc_t system_dbusd_var_run_t:sock_file write; allow initrc_t system_dbusd_var_run_t:sock_file write;

View File

@ -1,5 +1,5 @@
policy_module(libraries,1.0) policy_module(libraries,1.0.1)
######################################## ########################################
# #
@ -24,6 +24,9 @@ files_type(ld_so_t)
type lib_t; type lib_t;
files_type(lib_t) files_type(lib_t)
kernel_use_ld_so_from(lib_t,ld_so_t,ld_so_cache_t)
kernel_use_shared_libs_from(lib_t,{ shlib_t texrel_shlib_t })
# #
# shlib_t is the type of shared objects in the system lib # shlib_t is the type of shared objects in the system lib
# directories. # directories.
@ -46,9 +49,6 @@ ifdef(`targeted_policy',`
files_type(texrel_shlib_t) files_type(texrel_shlib_t)
') ')
kernel_use_ld_so_from(lib_t,ld_so_t,ld_so_cache_t)
kernel_use_shared_libs_from(lib_t,{ shlib_t texrel_shlib_t })
######################################## ########################################
# #
# ldconfig local policy # ldconfig local policy
@ -100,5 +100,5 @@ ifdef(`targeted_policy',`
optional_policy(`apache.te',` optional_policy(`apache.te',`
# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway # dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
dontaudit ldconfig_t httpd_modules_t:dir search; apache_dontaudit_search_modules(ldconfig_t)
') ')

View File

@ -216,11 +216,6 @@ optional_policy(`usermanage.te',`
') ')
ifdef(`TODO',` ifdef(`TODO',`
# this goes to xdm:
optional_policy(`locallogin.te',`
# FIXME: what is this for?
locallogin_signull(xdm_t)
')
# Login can polyinstantiate # Login can polyinstantiate
polyinstantiater(local_login_t) polyinstantiater(local_login_t)

View File

@ -195,7 +195,7 @@ ifdef(`targeted_policy', `
# cjp: temporary hack to cover # cjp: temporary hack to cover
# up stray file descriptors. # up stray file descriptors.
dontaudit load_policy_t selinux_config_t:file write; dontaudit load_policy_t selinux_config_t:file write;
dontaudit load_policy_t unconfined_t:fifo_file read; unconfined_dontaudit_read_pipe(load_policy_t)
######################################## ########################################
# #

View File

@ -256,7 +256,8 @@ interface(`unconfined_dontaudit_rw_tcp_socket',`
## </p> ## </p>
## <p> ## <p>
## This is added to support targeted policy. Its ## This is added to support targeted policy. Its
## use should be very limited. ## use should be limited. It has no effect
## on the strict policy.
## </p> ## </p>
## </desc> ## </desc>
## <param name="domain"> ## <param name="domain">
@ -264,9 +265,13 @@ interface(`unconfined_dontaudit_rw_tcp_socket',`
## </param> ## </param>
# #
interface(`unconfined_alias_domain',` interface(`unconfined_alias_domain',`
gen_require(` ifdef(`targeted_policy',`
type unconfined_t; gen_require(`
') type unconfined_t;
')
typealias unconfined_t alias $1; typealias unconfined_t alias $1;
',`
errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
')
') ')

View File

@ -1,5 +1,5 @@
policy_module(unconfined,1.0) policy_module(unconfined,1.0.1)
######################################## ########################################
# #
@ -28,10 +28,6 @@ ifdef(`targeted_policy',`
allow unconfined_t self:system syslog_read; allow unconfined_t self:system syslog_read;
dontaudit unconfined_t self:capability sys_module; dontaudit unconfined_t self:capability sys_module;
# Define some type aliases to help with compatibility with
# macros and domains from the "strict" policy.
typealias unconfined_t alias { secadm_t sysadm_t };
files_create_boot_flag(unconfined_t) files_create_boot_flag(unconfined_t)
init_domtrans_script(unconfined_t) init_domtrans_script(unconfined_t)

View File

@ -1,5 +1,5 @@
policy_module(userdomain,1.0) policy_module(userdomain,1.0.1)
######################################## ########################################
# #
@ -53,6 +53,11 @@ define(`role_change',`
') ')
ifdef(`targeted_policy',` ifdef(`targeted_policy',`
# Define some type aliases to help with compatibility with
# macros and domains from the "strict" policy.
unconfined_alias_domain(secadm_t)
unconfined_alias_domain(sysadm_t)
# User home directory type. # User home directory type.
type user_home_t alias { staff_home_t sysadm_home_t }, home_type; type user_home_t alias { staff_home_t sysadm_home_t }, home_type;
files_type(user_home_t) files_type(user_home_t)

View File

@ -11,6 +11,16 @@
# #
define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')') define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')
#
# __endline__
#
# dummy macro to insert a newline. used for
# errprint, so the close parentheses can be
# indented correctly.
#
define(`__endline__',`
')
######################################## ########################################
# #
# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories]) # gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories])