remove raw network, make mta optional, and a little cleanup.

2006-06-16 19:54:21 +00:00 · 2006-06-16 19:54:21 +00:00 · cc0c00d044
commit cc0c00d044
parent e586ecc752
1 changed files with 7 additions and 24 deletions
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@ -165,10 +165,8 @@ template(`base_user_template',`
 	corenet_non_ipsec_sendrecv($1_t)
 	corenet_tcp_sendrecv_all_if($1_t)
 	corenet_raw_sendrecv_all_if($1_t)
 	corenet_udp_sendrecv_all_if($1_t)
 	corenet_tcp_sendrecv_all_nodes($1_t)
 	corenet_raw_sendrecv_all_nodes($1_t)
 	corenet_udp_sendrecv_all_nodes($1_t)
 	corenet_tcp_sendrecv_all_ports($1_t)
 	corenet_udp_sendrecv_all_ports($1_t)
@ -256,8 +254,6 @@ template(`base_user_template',`
 	seutil_read_default_contexts($1_t)
 	seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
 	mta_rw_spool($1_t)
 	tunable_policy(`allow_execmem',`
 		# Allow loading DSOs that require executable stack.
 		allow $1_t self:process execmem;
@ -384,6 +380,10 @@ template(`base_user_template',`
 		jabber_tcp_connect($1_t)
 	')
 	optional_policy(`
 		mta_rw_spool($1_t)
 	')
 	optional_policy(`
 		nis_use_ypbind($1_t)
 	')
@ -643,7 +643,7 @@ template(`unpriv_user_template', `
 	')
 	ifdef(`TODO',`
-	ifdef(`enable_mls',`',`
+	ifndef(`enable_mls',`
 		fs_exec_noxattr($1_t)
 		tunable_policy(`user_rw_noexattrfile',`
@ -654,8 +654,8 @@ template(`unpriv_user_template', `
 			# cjp: what does this have to do with removable devices?
 			allow $1_t usbtty_device_t:chr_file write;
 		',`
 			fs_read_noxattr_files($1_t)
 			r_dir_file($1_t, noexattrfile)
 			r_dir_file($1_t, removable_t)
 			allow $1_t removable_device_t:blk_file r_file_perms;
 		')
 	')
@ -703,14 +703,6 @@ template(`unpriv_user_template', `
 	dontaudit $1_t sysadm_home_t:file { read append };
 	ifdef(`syslogd.te', `
 		# Some programs that are left in $1_t will try to connect
 		# to syslogd, but we do not want to let them generate log messages.
 		# Do not audit.
 		dontaudit $1_t devlog_t:sock_file { read write };
 		dontaudit $1_t syslogd_t:unix_dgram_socket sendto;
 	')
 	allow $1_t initrc_t:fifo_file write;
 	') dnl end TODO
 ')
@ -923,12 +915,6 @@ template(`admin_user_template',`
 		can_pipe_xdm($1_t)
 	')
 	# Connect data port to ftpd.
 	ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)')
 	# Connect second port to rshd.
 	ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)')
 	# Allow MAKEDEV to work
 	allow $1_t device_t:dir rw_dir_perms;
 	allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
@ -960,11 +946,8 @@ template(`admin_user_template',`
 		allow $1_t usbtty_device_t:chr_file write;
 	',`
 		r_dir_file($1_t, noexattrfile)
-		r_dir_file($1_t, removable_t)
+		storage_raw_read_removable_device($1_t)
 		allow $1_t removable_device_t:blk_file r_file_perms;
 	')
 	allow $1 removable_t:filesystem getattr;
 	') dnl endif TODO
 ')