easy fixes

2005-10-25 19:03:15 +00:00 · 2005-10-25 19:03:15 +00:00 · ccfd7b19cf
commit ccfd7b19cf
parent 2526a44dea
4 changed files with 24 additions and 8 deletions
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@ -33,6 +33,10 @@ gen_tunable(allow_httpd_anon_write,false)
 ## Allow system to run with kerberos
 gen_tunable(allow_kerberos,false)

+## Allow rsync to modify public files
+## used for public file transfer services.
+gen_tunable(allow_rsync_anon_write,false)
+
 ## Allow sasl to read shadow
 gen_tunable(allow_saslauthd_read_shadow,false)

--- a/refpolicy/policy/modules/services/rsync.te
+++ b/refpolicy/policy/modules/services/rsync.te
@ -78,9 +78,14 @@ libs_use_shared_libs(rsync_t)
 logging_send_syslog_msg(rsync_t)

 miscfiles_read_localization(rsync_t)
+miscfiles_read_public_files(rsync_t)

 sysnet_read_config(rsync_t)

+tunable_policy(`allow_rsync_anon_write',`
+	miscfiles_manage_public_files(rsync_t)
+')
+
 optional_policy(`kerberos.te',`
 	kerberos_use(rsync_t)
 ')
@ -92,7 +97,3 @@ optional_policy(`nis.te',`
 optional_policy(`nscd.te',`
 	nscd_use_socket(rsync_t)
 ')
-
-ifdef(`TODO',`
-anonymous_domain(rsync)
-') dnl end TODO
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@ -215,6 +215,10 @@ files_create_etc_config(update_modules_t,modules_conf_t)

 # transition to depmod
 domain_auto_trans(update_modules_t, depmod_exec_t, depmod_t)
+allow update_modules_t depmod_t:fd use;
+allow depmod_t update_modules_t:fd use;
+allow depmod_t update_modules_t:fifo_file rw_file_perms;
+allow depmod_t update_modules_t:process sigchld;

 allow update_modules_t update_modules_tmp_t:dir create_dir_perms;
 allow update_modules_t update_modules_tmp_t:file create_file_perms;
@ -229,11 +233,11 @@ fs_getattr_xattr_fs(update_modules_t)

 term_use_console(update_modules_t)

-init_use_fd(depmod_t)
-init_use_script_fd(depmod_t)
-init_use_script_pty(depmod_t)
+init_use_fd(update_modules_t)
+init_use_script_fd(update_modules_t)
+init_use_script_pty(update_modules_t)

-domain_use_wide_inherit_fd(depmod_t)
+domain_use_wide_inherit_fd(update_modules_t)

 files_read_etc_runtime_files(update_modules_t)
 files_read_etc_files(update_modules_t)
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@ -34,6 +34,13 @@ ifdef(`targeted_policy',`
 	init_domtrans_script(unconfined_t)

 	userdom_unconfined(unconfined_t)
+	userdom_priveleged_home_dir_manager(unconfined_t)
+
+	optional_policy(`modutils.te',`
+		modutils_domtrans_depmod(unconfined_t)
+		modutils_domtrans_insmod(unconfined_t)
+		modutils_domtrans_update_mods(unconfined_t)
+	')

 	optional_policy(`postfix.te',`
 		postfix_domtrans_map(unconfined_t)