From d46cfe45cd12c73980f74ef2ad61ce5b840c93e4 Mon Sep 17 00:00:00 2001 
From: Chris PeBenito
Date: Thu, 19 Jul 2007 18:57:48 +0000
Subject: [PATCH] trunk: add application module
---
 Changelog | 2 +
 policy/modules/admin/alsa.te | 5 +-
 policy/modules/admin/amanda.te | 5 +-
 policy/modules/admin/bootloader.te | 8 +--
 policy/modules/admin/certwatch.te | 3 +-
 policy/modules/admin/consoletype.te | 3 +-
 policy/modules/admin/ddcprobe.te | 5 +-
 policy/modules/admin/dmidecode.te | 8 +--
 policy/modules/admin/logwatch.te | 5 +-
 policy/modules/admin/portage.te | 17 ++---
 policy/modules/admin/readahead.te | 3 +-
 policy/modules/admin/sudo.if | 3 +-
 policy/modules/admin/sudo.te | 4 +-
 policy/modules/admin/sxid.te | 5 +-
 policy/modules/admin/tmpreaper.te | 8 +--
 policy/modules/admin/tripwire.te | 14 ++---
 policy/modules/admin/tzdata.te | 3 +-
 policy/modules/admin/usermanage.te | 25 +++-----
 policy/modules/admin/vpn.te | 6 +-
 policy/modules/apps/ada.te | 5 +-
 policy/modules/apps/authbind.te | 5 +-
 policy/modules/apps/cdrecord.if | 3 +-
 policy/modules/apps/cdrecord.te | 4 +-
 policy/modules/apps/ethereal.if | 3 +-
 policy/modules/apps/ethereal.te | 7 +--
 policy/modules/apps/evolution.if | 15 ++---
 policy/modules/apps/evolution.te | 12 ++--
 policy/modules/apps/games.if | 3 +-
 policy/modules/apps/games.te | 2 +-
 policy/modules/apps/gift.if | 6 +-
 policy/modules/apps/gift.te | 6 +-
 policy/modules/apps/gnome.if | 3 +-
 policy/modules/apps/gnome.te | 4 +-
 policy/modules/apps/gpg.if | 12 ++--
 policy/modules/apps/gpg.te | 10 +--
 policy/modules/apps/irc.if | 5 +-
 policy/modules/apps/irc.te | 4 +-
 policy/modules/apps/java.if | 3 +-
 policy/modules/apps/java.te | 2 +-
 policy/modules/apps/lockdev.if | 3 +-
 policy/modules/apps/lockdev.te | 4 +-
 policy/modules/apps/mozilla.if | 3 +-
 policy/modules/apps/mozilla.te | 4 +-
 policy/modules/apps/mplayer.if | 6 +-
 policy/modules/apps/mplayer.te | 6 +-
 policy/modules/apps/rssh.if | 3 +-
 policy/modules/apps/rssh.te | 4 +-
 policy/modules/apps/screen.if | 3 +-
 policy/modules/apps/screen.te | 4 +-
 policy/modules/apps/thunderbird.if | 3 +-
 policy/modules/apps/thunderbird.te | 4 +-
 policy/modules/apps/tvtime.if | 3 +-
 policy/modules/apps/tvtime.te | 4 +-
 policy/modules/apps/uml.if | 6 +-
 policy/modules/apps/uml.te | 4 +-
 policy/modules/apps/userhelper.if | 3 +-
 policy/modules/apps/userhelper.te | 4 +-
 policy/modules/apps/usernetctl.te | 5 +-
 policy/modules/apps/webalizer.te | 5 +-
 policy/modules/apps/wine.te | 6 +-
 policy/modules/apps/yam.te | 5 +-
 policy/modules/services/aide.te | 5 +-
 policy/modules/services/apm.te | 7 +--
 policy/modules/services/clockspeed.te | 5 +-
 policy/modules/services/cron.if | 3 +-
 policy/modules/services/cron.te | 6 +-
 policy/modules/services/dcc.te | 11 ++--
 policy/modules/services/lpd.if | 3 +-
 policy/modules/services/lpd.te | 4 +-
 policy/modules/services/mta.if | 3 +-
 policy/modules/services/mta.te | 4 +-
 policy/modules/services/ntop.te | 3 +-
 policy/modules/services/oav.te | 5 +-
 policy/modules/services/postfix.te | 7 +--
 policy/modules/services/procmail.te | 5 +-
 policy/modules/services/publicfile.te | 5 +-
 policy/modules/services/pyzor.te | 5 +-
 policy/modules/services/qmail.te | 5 +-
 policy/modules/services/spamassassin.if | 6 +-
 policy/modules/services/spamassassin.te | 6 +-
 policy/modules/services/ssh.if | 9 +--
 policy/modules/services/ssh.te | 6 +-
 policy/modules/services/timidity.te | 3 +-
 policy/modules/services/uucp.te | 5 +-
 policy/modules/services/xserver.te | 6 +-
 policy/modules/system/application.fc | 1 +
 policy/modules/system/application.if | 83 +++++++++++++++++++++++++
 policy/modules/system/application.te | 14 +++++
 policy/modules/system/authlogin.if | 3 +-
 policy/modules/system/authlogin.te | 10 ++-
 policy/modules/system/daemontools.te | 8 +--
 policy/modules/system/init.if | 3 +-
 policy/modules/system/init.te | 7 ++-
 policy/modules/system/locallogin.if | 18 ++++++
 policy/modules/system/locallogin.te | 3 +-
 policy/modules/system/modutils.te | 5 +-
 policy/modules/system/mount.te | 5 +-
 policy/modules/system/netlabel.te | 5 +-
 policy/modules/system/pcmcia.te | 4 +-
 policy/modules/system/selinuxutil.te | 26 +++-----
 policy/modules/system/xen.te | 4 +-
 101 files changed, 344 insertions(+), 320 deletions(-)
 create mode 100644 policy/modules/system/application.fc
 create mode 100644 policy/modules/system/application.if
 create mode 100644 policy/modules/system/application.te
diff --git a/Changelog b/Changelog
index 82e6e13a..ccb10c53 100644
--- a/Changelog
+++ b/Changelog
@@ -1,4 +1,6 @@
 - Add debian apcupsd binary location, from Stefan Schulze Frielinghaus.
+- Added modules:
+ application
 * Fri Jun 29 2007 Chris PeBenito - 20070629
 - Fix incorrectly named files_lib_filetrans_shared_lib() interface in the
diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
index d4f222c2..90b170c9 100644
--- a/policy/modules/admin/alsa.te
+++ b/policy/modules/admin/alsa.te
@@ -1,5 +1,5 @@
-policy_module(alsa,1.1.0)
+policy_module(alsa,1.1.1)
 ########################################
 #
@@ -8,8 +8,7 @@ policy_module(alsa,1.1.0)
 type alsa_t;
 type alsa_exec_t;
-domain_type(alsa_t)
-domain_entry_file(alsa_t, alsa_exec_t)
+application_domain(alsa_t, alsa_exec_t)
 role system_r types alsa_t;
 type alsa_etc_rw_t;
diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te
index ed3d5236..19da8dfd 100644
--- a/policy/modules/admin/amanda.te
+++ b/policy/modules/admin/amanda.te
@@ -1,5 +1,5 @@
-policy_module(amanda,1.6.0)
+policy_module(amanda,1.6.1)
 #######################################
 #
@@ -51,8 +51,7 @@ files_type(amanda_data_t)
 # type for amrecover
 type amanda_recover_t;
 type amanda_recover_exec_t;
-domain_type(amanda_recover_t)
-domain_entry_file(amanda_recover_t,amanda_recover_exec_t)
+application_domain(amanda_recover_t,amanda_recover_exec_t)
 role system_r types amanda_recover_t;
 # type for recover files ( restored data )
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 11b7b19a..11d26ed7 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -1,5 +1,5 @@
-policy_module(bootloader,1.5.0)
+policy_module(bootloader,1.5.1)
 ########################################
 #
@@ -15,11 +15,9 @@ type boot_runtime_t;
 files_type(boot_runtime_t)
 type bootloader_t;
-domain_type(bootloader_t)
-role system_r types bootloader_t;
-
 type bootloader_exec_t;
-domain_entry_file(bootloader_t,bootloader_exec_t)
+application_domain(bootloader_t,bootloader_exec_t)
+role system_r types bootloader_t;
 #
 # bootloader_etc_t is the configuration file,
diff --git a/policy/modules/admin/certwatch.te b/policy/modules/admin/certwatch.te
index daca9e17..24ffe6c6 100644
--- a/policy/modules/admin/certwatch.te
+++ b/policy/modules/admin/certwatch.te
@@ -8,8 +8,7 @@ policy_module(certwatch,1.0)
 type certwatch_t;
 type certwatch_exec_t;
-domain_type(certwatch_t)
-domain_entry_file(certwatch_t,certwatch_exec_t)
+application_domain(certwatch_t,certwatch_exec_t)
 role system_r types certwatch_t;
 ########################################
diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
index b3cf7a8e..bc5172d6 100644
--- a/policy/modules/admin/consoletype.te
+++ b/policy/modules/admin/consoletype.te
@@ -1,5 +1,5 @@
-policy_module(consoletype,1.3.0)
+policy_module(consoletype,1.3.1)
 ########################################
 #
@@ -8,6 +8,7 @@ policy_module(consoletype,1.3.0)
 type consoletype_t;
 type consoletype_exec_t;
+application_executable_file(consoletype_exec_t)
 init_domain(consoletype_t,consoletype_exec_t)
 mls_file_read_up(consoletype_t)
 mls_file_write_down(consoletype_t)
diff --git a/policy/modules/admin/ddcprobe.te b/policy/modules/admin/ddcprobe.te
index 4b22c6bc..01da41d0 100644
--- a/policy/modules/admin/ddcprobe.te
+++ b/policy/modules/admin/ddcprobe.te
@@ -1,5 +1,5 @@
-policy_module(ddcprobe,1.0.0)
+policy_module(ddcprobe,1.0.1)
 ########################################
 #
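Review bot: certwatch.te changes its declarations without a version bump: the hunk header still shows `policy_module(certwatch,1.0)` and no hunk touches that line, while bootloader, consoletype and ddcprobe on the same lines each step their third version component. If module versions are used to decide whether an installed module needs replacing, a system could keep the old certwatch build after this change. Bump the version here as the other files do, or note in the commit message why certwatch is left as it is.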
@@ -8,8 +8,7 @@ policy_module(ddcprobe,1.0.0)
 type ddcprobe_t;
 type ddcprobe_exec_t;
-domain_type(ddcprobe_t)
-domain_entry_file(ddcprobe_t,ddcprobe_exec_t)
+application_domain(ddcprobe_t,ddcprobe_exec_t)
 role system_r types ddcprobe_t;
 ########################################
diff --git a/policy/modules/admin/dmidecode.te b/policy/modules/admin/dmidecode.te
index 4e16706a..ffbca64f 100644
--- a/policy/modules/admin/dmidecode.te
+++ b/policy/modules/admin/dmidecode.te
@@ -1,5 +1,5 @@
-policy_module(dmidecode,1.1.0)
+policy_module(dmidecode,1.1.1)
 ########################################
 #
@@ -7,11 +7,9 @@ policy_module(dmidecode,1.1.0)
 #
 type dmidecode_t;
-domain_type(dmidecode_t)
-role system_r types dmidecode_t;
-
 type dmidecode_exec_t;
-domain_entry_file(dmidecode_t,dmidecode_exec_t)
+application_domain(dmidecode_t,dmidecode_exec_t)
+role system_r types dmidecode_t;
 ########################################
 #
diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te
index 0053ce3a..4f569278 100644
--- a/policy/modules/admin/logwatch.te
+++ b/policy/modules/admin/logwatch.te
@@ -1,5 +1,5 @@
-policy_module(logwatch,1.5.0)
+policy_module(logwatch,1.5.1)
 #################################
 #
@@ -8,8 +8,7 @@ policy_module(logwatch,1.5.0)
 type logwatch_t;
 type logwatch_exec_t;
-domain_type(logwatch_t)
-domain_entry_file(logwatch_t,logwatch_exec_t)
+application_domain(logwatch_t,logwatch_exec_t)
 role system_r types logwatch_t;
 type logwatch_cache_t;
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 57266402..25bec9ac 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -1,5 +1,5 @@
-policy_module(portage,1.3.0)
+policy_module(portage,1.3.1)
 ########################################
 #
@@ -8,35 +8,30 @@ policy_module(portage,1.3.0)
 type gcc_config_t;
 type gcc_config_exec_t;
-domain_type(gcc_config_t)
-domain_entry_file(gcc_config_t,gcc_config_exec_t)
+application_domain(gcc_config_t,gcc_config_exec_t)
 # constraining type
 type portage_t;
 type portage_exec_t;
-domain_type(portage_t)
-domain_entry_file(portage_t,portage_exec_t)
+application_domain(portage_t,portage_exec_t)
 rsync_entry_type(portage_t)
 corecmd_shell_entry_type(portage_t)
-domain_entry_file(portage_t,portage_exec_t)
 # portage domain for merging packages to the live fs
 type portage_t.merge;
-domain_type(portage_t.merge)
-domain_entry_file(portage_t.merge,portage_exec_t)
+application_domain(portage_t.merge,portage_exec_t)
 domain_obj_id_change_exemption(portage_t.merge)
 # portage compile sandbox domain
 type portage_t.sandbox alias portage_sandbox_t;
-domain_type(portage_t.sandbox)
+application_domain(portage_t.sandbox,portage_exec_t)
 # the shell is the entrypoint if regular sandbox is disabled
 # portage_exec_t is the entrypoint if regular sandbox is enabled
 corecmd_shell_entry_type(portage_t.sandbox)
-domain_entry_file(portage_t.sandbox,portage_exec_t)
 # portage package fetching domain
 type portage_t.fetch alias portage_fetch_t;
-domain_type(portage_t.fetch)
+application_type(portage_t.fetch)
 corecmd_shell_entry_type(portage_t.fetch)
 rsync_entry_type(portage_t.fetch)
diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
index 92230358..13efda9b 100644
--- a/policy/modules/admin/readahead.te
+++ b/policy/modules/admin/readahead.te
@@ -1,5 +1,5 @@
-policy_module(readahead,1.3.0)
+policy_module(readahead,1.3.1)
 ########################################
 #
@@ -9,6 +9,7 @@ policy_module(readahead,1.3.0)
 type readahead_t;
 type readahead_exec_t;
 init_daemon_domain(readahead_t,readahead_exec_t)
+application_domain(readahead_t,readahead_exec_t)
 type readahead_var_run_t;
 files_pid_file(readahead_var_run_t)
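Review bot: In the portage_t.sandbox block of portage.te the two-line entrypoint comment is now separated from the line it documents: `application_domain(portage_t.sandbox,portage_exec_t)` sits above the comment, whereas the removed `domain_entry_file(portage_t.sandbox,portage_exec_t)` sat below it next to `corecmd_shell_entry_type(portage_t.sandbox)`. Moving the comment above the `application_domain(...)` call would keep both entrypoints documented together. A one-line comment on `application_type(portage_t.fetch)` would also help, since it is the one portage domain here without a portage_exec_t entry file; that matches the old code but reads like an omission beside the others.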
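Review bot: In readahead.te, `application_domain(readahead_t,readahead_exec_t)` is added directly after `init_daemon_domain(readahead_t,readahead_exec_t)` with no comment saying why an init-started daemon is also classed as an application; tzdata.te gets the same addition. application.if is not in this part of the patch, so what the application attributes grant is not visible here, but presumably any rule written against all application domains or all application executables will now reach these daemons too. A comment above each added line naming the intended non-init caller would make the widening deliberate and reviewable. consoletype.te in this patch pairs `init_domain(...)` with only `application_executable_file(consoletype_exec_t)`; if marking the executable is all that is needed, that narrower form would fit here as well.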
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index f3dfaa44..8780a205 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -45,8 +45,7 @@ template(`sudo_per_role_template',`
 #
 type $1_sudo_t;
- domain_type($1_sudo_t)
- domain_entry_file($1_sudo_t,sudo_exec_t)
+ application_domain($1_sudo_t,sudo_exec_t)
 domain_interactive_fd($1_sudo_t)
 role $3 types $1_sudo_t;
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
index d5af36f3..5d497bc3 100644
--- a/policy/modules/admin/sudo.te
+++ b/policy/modules/admin/sudo.te
@@ -1,11 +1,11 @@
-policy_module(sudo,1.1.0)
+policy_module(sudo,1.1.1)
 ########################################
 #
 # Declarations
 type sudo_exec_t;
-corecmd_executable_file(sudo_exec_t)
+application_executable_file(sudo_exec_t)
 # Remaining policy in per user domain template.
diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te
index 017e229c..4ce9f515 100644
--- a/policy/modules/admin/sxid.te
+++ b/policy/modules/admin/sxid.te
@@ -1,5 +1,5 @@
-policy_module(sxid,1.2.0)
+policy_module(sxid,1.2.1)
 ########################################
 #
@@ -8,8 +8,7 @@ policy_module(sxid,1.2.0)
 type sxid_t;
 type sxid_exec_t;
-domain_type(sxid_t)
-domain_entry_file(sxid_t,sxid_exec_t)
+application_domain(sxid_t,sxid_exec_t)
 type sxid_log_t;
 logging_log_file(sxid_log_t)
diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
index 8809dafc..5057e7a3 100644
--- a/policy/modules/admin/tmpreaper.te
+++ b/policy/modules/admin/tmpreaper.te
@@ -1,5 +1,5 @@
-policy_module(tmpreaper,1.2.0)
+policy_module(tmpreaper,1.2.1)
 ########################################
 #
@@ -7,11 +7,9 @@ policy_module(tmpreaper,1.2.0)
 #
 type tmpreaper_t;
-role system_r types tmpreaper_t;
-domain_type(tmpreaper_t)
-
 type tmpreaper_exec_t;
-domain_entry_file(tmpreaper_t,tmpreaper_exec_t)
+application_domain(tmpreaper_t,tmpreaper_exec_t)
+role system_r types tmpreaper_t;
 ########################################
 #
diff --git a/policy/modules/admin/tripwire.te b/policy/modules/admin/tripwire.te
index ba031267..0afd91cc 100644
--- a/policy/modules/admin/tripwire.te
+++ b/policy/modules/admin/tripwire.te
@@ -1,5 +1,5 @@
-policy_module(tripwire,1.0.0)
+policy_module(tripwire,1.0.1)
 ########################################
 #
@@ -8,13 +8,11 @@ policy_module(tripwire,1.0.0)
 type siggen_t;
 type siggen_exec_t;
-domain_type(siggen_t)
-domain_entry_file(siggen_t,siggen_exec_t)
+application_domain(siggen_t,siggen_exec_t)
 type tripwire_t;
 type tripwire_exec_t;
-domain_type(tripwire_t)
-domain_entry_file(tripwire_t,tripwire_exec_t)
+application_domain(tripwire_t,tripwire_exec_t)
 role system_r types tripwire_t;
 type tripwire_etc_t;
@@ -31,13 +29,11 @@ files_type(tripwire_var_lib_t)
 type twadmin_t;
 type twadmin_exec_t;
-domain_type(twadmin_t)
-domain_entry_file(twadmin_t,twadmin_exec_t)
+application_domain(twadmin_t,twadmin_exec_t)
 type twprint_t;
 type twprint_exec_t;
-domain_type(twprint_t)
-domain_entry_file(twprint_t,twprint_exec_t)
+application_domain(twprint_t,twprint_exec_t)
 ########################################
 #
diff --git a/policy/modules/admin/tzdata.te b/policy/modules/admin/tzdata.te
index b4c48f60..182d9d3d 100644
--- a/policy/modules/admin/tzdata.te
+++ b/policy/modules/admin/tzdata.te
@@ -1,5 +1,5 @@
-policy_module(tzdata,1.0.0)
+policy_module(tzdata,1.0.1)
 ########################################
 #
@@ -9,6 +9,7 @@ policy_module(tzdata,1.0.0)
 type tzdata_t;
 type tzdata_exec_t;
 init_daemon_domain(tzdata_t, tzdata_exec_t)
+application_domain(tzdata_t, tzdata_exec_t)
 ########################################
 #
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 65fe70b7..d03e3175 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -1,5 +1,5 @@
-policy_module(usermanage,1.7.0)
+policy_module(usermanage,1.7.1)
 ########################################
 #
@@ -10,19 +10,15 @@ type admin_passwd_exec_t;
 files_type(admin_passwd_exec_t)
 type chfn_t;
+type chfn_exec_t;
 domain_obj_id_change_exemption(chfn_t)
-domain_type(chfn_t)
+application_domain(chfn_t,chfn_exec_t)
 role system_r types chfn_t;
-type chfn_exec_t;
-domain_entry_file(chfn_t,chfn_exec_t)
-
 type crack_t;
-domain_type(crack_t)
-role system_r types crack_t;
-
 type crack_exec_t;
-domain_entry_file(crack_t,crack_exec_t)
+application_domain(crack_t,crack_exec_t)
+role system_r types crack_t;
 type crack_db_t;
 files_type(crack_db_t)
@@ -37,17 +33,14 @@ init_system_domain(groupadd_t,groupadd_exec_t)
 role system_r types groupadd_t;
 type passwd_t;
-domain_obj_id_change_exemption(passwd_t)
-domain_type(passwd_t)
-role system_r types passwd_t;
-
 type passwd_exec_t;
-domain_entry_file(passwd_t,passwd_exec_t)
+domain_obj_id_change_exemption(passwd_t)
+application_domain(passwd_t,passwd_exec_t)
+role system_r types passwd_t;
 type sysadm_passwd_t;
 domain_obj_id_change_exemption(sysadm_passwd_t)
-domain_type(sysadm_passwd_t)
-domain_entry_file(sysadm_passwd_t,admin_passwd_exec_t)
+application_domain(sysadm_passwd_t,admin_passwd_exec_t)
 role system_r types sysadm_passwd_t;
 type sysadm_passwd_tmp_t;
diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
index 624cfbee..13f90b9a 100644
--- a/policy/modules/admin/vpn.te
+++ b/policy/modules/admin/vpn.te
@@ -1,5 +1,5 @@
-policy_module(vpn,1.5.0)
+policy_module(vpn,1.5.1)
 ########################################
 #
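Review bot: In usermanage.te, chfn_t, passwd_t and sysadm_passwd_t keep `domain_obj_id_change_exemption(...)` and now also become application domains through `application_domain(...)`, which puts the password-changing helpers in the same attribute class as the games and media-player domains converted elsewhere in this patch. application.if is outside this part of the patch, so it is worth confirming that nothing it grants to all application domains or all application executables is wider than what these three had through `domain_type` and `domain_entry_file`; comparing the compiled policy before and after (for example with sediff) would show any new allow rules. A comment above the chfn_t block marking these as privileged helpers would warn whoever later extends the application interfaces.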
@@ -7,10 +7,8 @@ policy_module(vpn,1.5.0)
 #
 type vpnc_t;
-domain_type(vpnc_t)
-
 type vpnc_exec_t;
-domain_entry_file(vpnc_t,vpnc_exec_t)
+application_domain(vpnc_t,vpnc_exec_t)
 role system_r types vpnc_t;
 type vpnc_tmp_t;
diff --git a/policy/modules/apps/ada.te b/policy/modules/apps/ada.te
index f8167b8d..7e0b9e6d 100644
--- a/policy/modules/apps/ada.te
+++ b/policy/modules/apps/ada.te
@@ -1,5 +1,5 @@
-policy_module(ada,1.0.0)
+policy_module(ada,1.0.1)
 ########################################
 #
@@ -8,8 +8,7 @@ policy_module(ada,1.0.0)
 type ada_t;
 type ada_exec_t;
-domain_type(ada_t)
-domain_entry_file(ada_t,ada_exec_t)
+application_domain(ada_t,ada_exec_t)
 ########################################
 #
diff --git a/policy/modules/apps/authbind.te b/policy/modules/apps/authbind.te
index 2fd4f95a..3fa4fb52 100644
--- a/policy/modules/apps/authbind.te
+++ b/policy/modules/apps/authbind.te
@@ -1,5 +1,5 @@
-policy_module(authbind,1.0.0)
+policy_module(authbind,1.0.1)
 ########################################
 #
@@ -8,8 +8,7 @@ policy_module(authbind,1.0.0)
 type authbind_t;
 type authbind_exec_t;
-domain_type(authbind_t)
-domain_entry_file(authbind_t,authbind_exec_t)
+application_domain(authbind_t,authbind_exec_t)
 role system_r types authbind_t;
 type authbind_etc_t;
diff --git a/policy/modules/apps/cdrecord.if b/policy/modules/apps/cdrecord.if
index 09ea3c90..5d07b9ee 100644
--- a/policy/modules/apps/cdrecord.if
+++ b/policy/modules/apps/cdrecord.if
@@ -44,8 +44,7 @@ template(`cdrecord_per_role_template', `
 #
 type $1_cdrecord_t;
- domain_type($1_cdrecord_t)
- domain_entry_file($1_cdrecord_t,cdrecord_exec_t)
+ application_domain($1_cdrecord_t,cdrecord_exec_t)
 role $3 types $1_cdrecord_t;
 ########################################
diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te
index cc6ae897..5e2f2f30 100644
--- a/policy/modules/apps/cdrecord.te
+++ b/policy/modules/apps/cdrecord.te
@@ -1,5 +1,5 @@
-policy_module(cdrecord,1.2.0)
+policy_module(cdrecord,1.2.1)
 ########################################
 #
@@ -18,4 +18,4 @@ gen_tunable(cdrecord_read_content,false)
 ')
 type cdrecord_exec_t;
-corecmd_executable_file(cdrecord_exec_t)
+application_executable_file(cdrecord_exec_t)
diff --git a/policy/modules/apps/ethereal.if b/policy/modules/apps/ethereal.if
index ed8d8975..c9dd4f33 100644
--- a/policy/modules/apps/ethereal.if
+++ b/policy/modules/apps/ethereal.if
@@ -45,8 +45,7 @@ template(`ethereal_per_role_template',`
 # Type for program
 type $1_ethereal_t;
- domain_type($1_ethereal_t)
- domain_entry_file($1_ethereal_t,ethereal_exec_t)
+ application_domain($1_ethereal_t,ethereal_exec_t)
 role $3 types $1_ethereal_t;
 type $1_ethereal_home_t alias $1_ethereal_rw_t;
diff --git a/policy/modules/apps/ethereal.te b/policy/modules/apps/ethereal.te
index ee7f9301..6247f5ab 100644
--- a/policy/modules/apps/ethereal.te
+++ b/policy/modules/apps/ethereal.te
@@ -1,5 +1,5 @@
-policy_module(ethereal,1.2.0)
+policy_module(ethereal,1.2.1)
 ########################################
 #
@@ -7,12 +7,11 @@ policy_module(ethereal,1.2.0)
 #
 type ethereal_exec_t;
-corecmd_executable_file(ethereal_exec_t)
+application_executable_file(ethereal_exec_t)
 type tethereal_t;
 type tethereal_exec_t;
-domain_type(tethereal_t)
-domain_entry_file(tethereal_t,tethereal_exec_t)
+application_domain(tethereal_t,tethereal_exec_t)
 type tethereal_tmp_t;
 files_tmp_file(tethereal_tmp_t)
diff --git a/policy/modules/apps/evolution.if b/policy/modules/apps/evolution.if
index 0e22c033..681ea930 100644
--- a/policy/modules/apps/evolution.if
+++ b/policy/modules/apps/evolution.if
@@ -41,8 +41,7 @@ template(`evolution_per_role_template',`
 #
 type $1_evolution_t;
- domain_type($1_evolution_t)
- domain_entry_file($1_evolution_t,evolution_exec_t)
+ application_domain($1_evolution_t,evolution_exec_t)
 role $3 types $1_evolution_t;
 type $1_evolution_tmpfs_t;
@@ -56,8 +55,7 @@ template(`evolution_per_role_template',`
 files_tmp_file($1_evolution_orbit_tmp_t)
 type $1_evolution_alarm_t;
- domain_type($1_evolution_alarm_t)
- domain_entry_file($1_evolution_alarm_t,evolution_alarm_exec_t)
+ application_domain($1_evolution_alarm_t,evolution_alarm_exec_t)
 role $3 types $1_evolution_alarm_t;
 type $1_evolution_alarm_tmpfs_t;
@@ -67,8 +65,7 @@ template(`evolution_per_role_template',`
 files_tmp_file($1_evolution_alarm_orbit_tmp_t)
 type $1_evolution_exchange_t;
- domain_type($1_evolution_exchange_t)
- domain_entry_file($1_evolution_exchange_t,evolution_exchange_exec_t)
+ application_domain($1_evolution_exchange_t,evolution_exchange_exec_t)
 role $3 types $1_evolution_exchange_t;
 type $1_evolution_exchange_tmpfs_t;
@@ -81,16 +78,14 @@ template(`evolution_per_role_template',`
 files_tmp_file($1_evolution_exchange_orbit_tmp_t)
 type $1_evolution_server_t;
- domain_type($1_evolution_server_t)
- domain_entry_file($1_evolution_server_t,evolution_server_exec_t)
+ application_domain($1_evolution_server_t,evolution_server_exec_t)
 role $3 types $1_evolution_server_t;
 type $1_evolution_server_orbit_tmp_t;
 files_tmp_file($1_evolution_server_orbit_tmp_t)
 type $1_evolution_webcal_t;
- domain_type($1_evolution_webcal_t)
- domain_entry_file($1_evolution_webcal_t,evolution_webcal_exec_t)
+ application_domain($1_evolution_webcal_t,evolution_webcal_exec_t)
 role $3 types $1_evolution_webcal_t;
 type $1_evolution_webcal_tmpfs_t;
diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te
index 77798610..70e2b494 100644
--- a/policy/modules/apps/evolution.te
+++ b/policy/modules/apps/evolution.te
@@ -1,5 +1,5 @@
-policy_module(evolution,1.3.0)
+policy_module(evolution,1.3.1)
 ########################################
 #
@@ -7,16 +7,16 @@ policy_module(evolution,1.3.0)
 #
 type evolution_exec_t;
-corecmd_executable_file(evolution_exec_t)
+application_executable_file(evolution_exec_t)
 type evolution_alarm_exec_t;
-corecmd_executable_file(evolution_alarm_exec_t)
+application_executable_file(evolution_alarm_exec_t)
 type evolution_exchange_exec_t;
-corecmd_executable_file(evolution_exchange_exec_t)
+application_executable_file(evolution_exchange_exec_t)
 type evolution_server_exec_t;
-corecmd_executable_file(evolution_server_exec_t)
+application_executable_file(evolution_server_exec_t)
 type evolution_webcal_exec_t;
-corecmd_executable_file(evolution_webcal_exec_t)
+application_executable_file(evolution_webcal_exec_t)
diff --git a/policy/modules/apps/games.if b/policy/modules/apps/games.if
index ed79d9fb..130c3898 100644
--- a/policy/modules/apps/games.if
+++ b/policy/modules/apps/games.if
@@ -44,8 +44,7 @@ template(`games_per_role_template',`
 #
 type $1_games_t;
- domain_type($1_games_t)
- domain_entry_file($1_games_t,games_exec_t)
+ application_domain($1_games_t,games_exec_t)
 role $3 types $1_games_t;
 type $1_games_devpts_t;
diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
index 07f22844..863d8b05 100644
--- a/policy/modules/apps/games.te
+++ b/policy/modules/apps/games.te
@@ -1,5 +1,5 @@
-policy_module(games,1.3.0)
+policy_module(games,1.3.1)
 ########################################
 #
diff --git a/policy/modules/apps/gift.if b/policy/modules/apps/gift.if
index 1bdc35f6..8d034ae0 100644
--- a/policy/modules/apps/gift.if
+++ b/policy/modules/apps/gift.if
@@ -40,8 +40,7 @@ template(`gift_per_role_template',`
 #
 type $1_gift_t;
- domain_type($1_gift_t)
- domain_entry_file($1_gift_t,gift_exec_t)
+ application_domain($1_gift_t,gift_exec_t)
 role $3 types $1_gift_t;
 type $1_gift_home_t alias $1_gift_rw_t;
@@ -52,8 +51,7 @@ template(`gift_per_role_template',`
 files_tmpfs_file($1_gift_tmpfs_t)
 type $1_giftd_t;
- domain_type($1_giftd_t)
- domain_entry_file($1_giftd_t,giftd_exec_t)
+ application_domain($1_giftd_t,giftd_exec_t)
 role $3 types $1_giftd_t;
 ##############################
diff --git a/policy/modules/apps/gift.te b/policy/modules/apps/gift.te
index 80bb2180..0acf45f4 100644
--- a/policy/modules/apps/gift.te
+++ b/policy/modules/apps/gift.te
@@ -1,5 +1,5 @@
-policy_module(gift,1.1.0)
+policy_module(gift,1.1.1)
 ########################################
 #
@@ -7,7 +7,7 @@ policy_module(gift,1.1.0)
 #
 type gift_exec_t;
-corecmd_executable_file(gift_exec_t)
+application_executable_file(gift_exec_t)
 type giftd_exec_t;
-corecmd_executable_file(giftd_exec_t)
+application_executable_file(giftd_exec_t)
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
index a0e35fce..4da44420 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -44,8 +44,7 @@ template(`gnome_per_role_template',`
 #
 type $1_gconfd_t, gnomedomain;
- domain_type($1_gconfd_t)
- domain_entry_file($1_gconfd_t, gconfd_exec_t)
+ application_domain($1_gconfd_t, gconfd_exec_t)
 role $3 types $1_gconfd_t;
 type $1_gconf_home_t;
diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
index 09c9177b..87cfb3b3 100644
--- a/policy/modules/apps/gnome.te
+++ b/policy/modules/apps/gnome.te
@@ -1,5 +1,5 @@
-policy_module(gnome,1.1.0)
+policy_module(gnome,1.1.1)
 ##############################
 #
@@ -12,4 +12,4 @@ type gconf_etc_t;
 files_type(gconf_etc_t)
 type gconfd_exec_t;
-corecmd_executable_file(gconfd_exec_t)
+application_executable_file(gconfd_exec_t)
diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if
index d2382c4f..d6078331 100644
--- a/policy/modules/apps/gpg.if
+++ b/policy/modules/apps/gpg.if
@@ -46,13 +46,11 @@ template(`gpg_per_role_template',`
 #
 type $1_gpg_t;
- domain_type($1_gpg_t)
- domain_entry_file($1_gpg_t,gpg_exec_t)
+ application_domain($1_gpg_t,gpg_exec_t)
 role $3 types $1_gpg_t;
 type $1_gpg_agent_t;
- domain_type($1_gpg_agent_t)
- domain_entry_file($1_gpg_agent_t,gpg_agent_exec_t)
+ application_domain($1_gpg_agent_t,gpg_agent_exec_t)
 role $3 types $1_gpg_agent_t;
 type $1_gpg_agent_tmp_t;
@@ -62,13 +60,11 @@ template(`gpg_per_role_template',`
 userdom_user_home_content($1,$1_gpg_secret_t)
 type $1_gpg_helper_t;
- domain_type($1_gpg_helper_t)
- domain_entry_file($1_gpg_helper_t,gpg_helper_exec_t)
+ application_domain($1_gpg_helper_t,gpg_helper_exec_t)
 role $3 types $1_gpg_helper_t;
 type $1_gpg_pinentry_t;
- domain_type($1_gpg_pinentry_t)
- domain_entry_file($1_gpg_pinentry_t,pinentry_exec_t)
+ application_domain($1_gpg_pinentry_t,pinentry_exec_t)
 role $3 types $1_gpg_pinentry_t;
 ########################################
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
index b04bbde1..381f4935 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -1,5 +1,5 @@
-policy_module(gpg, 1.3.0)
+policy_module(gpg, 1.3.1)
 ########################################
 #
@@ -9,13 +9,13 @@ policy_module(gpg, 1.3.0)
 # Type for gpg or pgp executables.
 type gpg_exec_t;
 type gpg_helper_exec_t;
-corecmd_executable_file(gpg_exec_t)
-corecmd_executable_file(gpg_helper_exec_t)
+application_executable_file(gpg_exec_t)
+application_executable_file(gpg_helper_exec_t)
 # Type for the gpg-agent executable.
 type gpg_agent_exec_t;
-corecmd_executable_file(gpg_agent_exec_t)
+application_executable_file(gpg_agent_exec_t)
 # type for the pinentry executable
 type pinentry_exec_t;
-corecmd_executable_file(pinentry_exec_t)
+application_executable_file(pinentry_exec_t)
diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if
index 8fbbc043..3d0e9fca 100644
--- a/policy/modules/apps/irc.if
+++ b/policy/modules/apps/irc.if
@@ -43,13 +43,12 @@ template(`irc_per_role_template',`
 #
 type $1_irc_t;
- domain_type($1_irc_t)
- domain_entry_file($1_irc_t,irc_exec_t)
+ application_domain($1_irc_t,irc_exec_t)
 role $3 types $1_irc_t;
 type $1_irc_exec_t;
 userdom_user_home_content($1,$1_irc_exec_t)
- domain_entry_file($1_irc_t,$1_irc_exec_t)
+ application_domain($1_irc_t,$1_irc_exec_t)
 type $1_irc_home_t;
 userdom_user_home_content($1,$1_irc_home_t)
diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te
index 89cbc10a..47228b45 100644
--- a/policy/modules/apps/irc.te
+++ b/policy/modules/apps/irc.te
@@ -1,5 +1,5 @@
-policy_module(irc,1.2.0)
+policy_module(irc,1.2.1)
 ########################################
 #
@@ -7,4 +7,4 @@ policy_module(irc,1.2.0)
 #
 type irc_exec_t;
-corecmd_executable_file(irc_exec_t)
+application_executable_file(irc_exec_t)
diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if
index 80770b17..a2c4011d 100644
--- a/policy/modules/apps/java.if
+++ b/policy/modules/apps/java.if
@@ -43,8 +43,7 @@ template(`java_per_role_template',`
 #
 type $1_javaplugin_t;
- domain_type($1_javaplugin_t)
- domain_entry_file($1_javaplugin_t,java_exec_t)
+ application_domain($1_javaplugin_t,java_exec_t)
 role $3 types $1_javaplugin_t;
 type $1_javaplugin_tmp_t;
diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
index aef79250..d87dd18b 100644
--- a/policy/modules/apps/java.te
+++ b/policy/modules/apps/java.te
@@ -1,5 +1,5 @@
-policy_module(java,1.5.0)
+policy_module(java,1.5.1)
 ########################################
 #
diff --git a/policy/modules/apps/lockdev.if b/policy/modules/apps/lockdev.if
index 3230ffa8..d9d61c0b 100644
--- a/policy/modules/apps/lockdev.if
+++ b/policy/modules/apps/lockdev.if
@@ -44,8 +44,7 @@ template(`lockdev_per_role_template',`
 #
 type $1_lockdev_t;
- domain_type($1_lockdev_t)
- domain_entry_file($1_lockdev_t,lockdev_exec_t)
+ application_domain($1_lockdev_t,lockdev_exec_t)
 role $3 types $1_lockdev_t;
 type $1_lockdev_lock_t;
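Review bot: In irc.if the second call, `application_domain($1_irc_t,$1_irc_exec_t)`, replaces a plain `domain_entry_file` and so does more than add an entry point: it classes $1_irc_t as an application domain a second time and marks $1_irc_exec_t as an application executable. That type is declared with `userdom_user_home_content($1,$1_irc_exec_t)` on the line above, so it presumably labels files the user can write; if application.if (not in this part of the patch) lets other domains execute or enter through every application executable, user-writable files would be covered too. Unless that is intended, keep this line as `domain_entry_file($1_irc_t,$1_irc_exec_t)`, or add a comment explaining why a home-directory executable belongs in the same class as the system ones. The template body begins and ends outside the hunk.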
diff --git a/policy/modules/apps/lockdev.te b/policy/modules/apps/lockdev.te
index 80b7b437..728a4eb8 100644
--- a/policy/modules/apps/lockdev.te
+++ b/policy/modules/apps/lockdev.te
@@ -1,5 +1,5 @@
-policy_module(lockdev,1.1.0)
+policy_module(lockdev,1.1.1)
 ########################################
 #
@@ -7,4 +7,4 @@ policy_module(lockdev,1.1.0)
 #
 type lockdev_exec_t;
-corecmd_executable_file(lockdev_exec_t)
+application_executable_file(lockdev_exec_t)
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
index 7a1802e2..2450078b 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -42,8 +42,7 @@ template(`mozilla_per_role_template',`
 # Declarations
 #
 type $1_mozilla_t;
- domain_type($1_mozilla_t)
- domain_entry_file($1_mozilla_t,mozilla_exec_t)
+ application_domain($1_mozilla_t,mozilla_exec_t)
 role $3 types $1_mozilla_t;
 type $1_mozilla_home_t alias $1_mozilla_rw_t;
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index e86553fd..f286f6b4 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -1,5 +1,5 @@
-policy_module(mozilla,1.3.0)
+policy_module(mozilla,1.3.1)
 ########################################
 #
@@ -19,4 +19,4 @@ type mozilla_conf_t;
 files_config_file(mozilla_conf_t)
 type mozilla_exec_t;
-corecmd_executable_file(mozilla_exec_t)
+application_executable_file(mozilla_exec_t)
diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if
index 99bc933d..39b1bf4f 100644
--- a/policy/modules/apps/mplayer.if
+++ b/policy/modules/apps/mplayer.if
@@ -43,13 +43,11 @@ template(`mplayer_per_role_template',` # type $1_mencoder_t; - domain_type($1_mencoder_t) - domain_entry_file($1_mencoder_t,mencoder_exec_t) + application_domain($1_mencoder_t,mencoder_exec_t) role $3 types $1_mencoder_t; type $1_mplayer_t; - domain_type($1_mplayer_t) - domain_entry_file($1_mplayer_t,mplayer_exec_t) + application_domain($1_mplayer_t,mplayer_exec_t) role $3 types $1_mplayer_t; type $1_mplayer_home_t alias $1_mplayer_rw_t; diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te index 1aeb1765..ebead618 100644 --- a/policy/modules/apps/mplayer.te +++ b/policy/modules/apps/mplayer.te @@ -1,5 +1,5 @@ -policy_module(mplayer,1.2.0) +policy_module(mplayer,1.2.1) ######################################## # @@ -20,10 +20,10 @@ files_config_file(mplayer_etc_t) ifdef(`strict_policy',` type mencoder_exec_t; - corecmd_executable_file(mencoder_exec_t) + application_executable_file(mencoder_exec_t) type mplayer_exec_t; - corecmd_executable_file(mplayer_exec_t) + application_executable_file(mplayer_exec_t) ') ifdef(`targeted_policy',` diff --git a/policy/modules/apps/rssh.if b/policy/modules/apps/rssh.if index 8ed37fbc..32659b70 100644 --- a/policy/modules/apps/rssh.if +++ b/policy/modules/apps/rssh.if @@ -31,8 +31,7 @@ template(`rssh_per_role_template',` # type $1_rssh_t alias rssh_$1_t, rssh_domain_type; - domain_type($1_rssh_t) - domain_entry_file($1_rssh_t,rssh_exec_t) + application_domain($1_rssh_t,rssh_exec_t) domain_user_exemption_target($1_t) domain_interactive_fd($1_rssh_t) role system_r types $1_rssh_t; diff --git a/policy/modules/apps/rssh.te b/policy/modules/apps/rssh.te index 8419801e..8c03d966 100644 --- a/policy/modules/apps/rssh.te +++ b/policy/modules/apps/rssh.te @@ -1,5 +1,5 @@ -policy_module(rssh,1.0.0) +policy_module(rssh,1.0.1) ######################################## # 
@@ -10,4 +10,4 @@ attribute rssh_domain_type; attribute rssh_ro_content_type; type rssh_exec_t; -corecmd_executable_file(rssh_exec_t) +application_executable_file(rssh_exec_t) diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if index 73b396cc..0d05795d 100644 --- a/policy/modules/apps/screen.if +++ b/policy/modules/apps/screen.if @@ -43,8 +43,7 @@ template(`screen_per_role_template',` # type $1_screen_t; - domain_type($1_screen_t) - domain_entry_file($1_screen_t,screen_exec_t) + application_domain($1_screen_t,screen_exec_t) domain_interactive_fd($1_screen_t) role $3 types $1_screen_t; diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te index 59cab14b..8009b822 100644 --- a/policy/modules/apps/screen.te +++ b/policy/modules/apps/screen.te @@ -1,5 +1,5 @@ -policy_module(screen,1.2.0) +policy_module(screen,1.2.1) ######################################## # @@ -10,4 +10,4 @@ type screen_dir_t; files_pid_file(screen_dir_t) type screen_exec_t; -corecmd_executable_file(screen_exec_t) +application_executable_file(screen_exec_t) diff --git a/policy/modules/apps/thunderbird.if b/policy/modules/apps/thunderbird.if index fb1ab3ff..68a97e61 100644 --- a/policy/modules/apps/thunderbird.if +++ b/policy/modules/apps/thunderbird.if @@ -40,8 +40,7 @@ template(`thunderbird_per_role_template',` # type $1_thunderbird_t; - domain_type($1_thunderbird_t) - domain_entry_file($1_thunderbird_t,thunderbird_exec_t) + application_domain($1_thunderbird_t,thunderbird_exec_t) role $3 types $1_thunderbird_t; type $1_thunderbird_home_t alias $1_thunderbird_rw_t; diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te index afff0712..67cf5272 100644 --- a/policy/modules/apps/thunderbird.te +++ b/policy/modules/apps/thunderbird.te @@ -1,5 +1,5 @@ -policy_module(thunderbird,1.3.0) +policy_module(thunderbird,1.3.1) ######################################## # 
@@ -7,4 +7,4 @@ policy_module(thunderbird,1.3.0) # type thunderbird_exec_t; -corecmd_executable_file(thunderbird_exec_t) +application_executable_file(thunderbird_exec_t) diff --git a/policy/modules/apps/tvtime.if b/policy/modules/apps/tvtime.if index ef67d5eb..2c65aada 100644 --- a/policy/modules/apps/tvtime.if +++ b/policy/modules/apps/tvtime.if @@ -43,8 +43,7 @@ template(`tvtime_per_role_template',` # type $1_tvtime_t; - domain_type($1_tvtime_t) - domain_entry_file($1_tvtime_t,tvtime_exec_t) + application_domain($1_tvtime_t,tvtime_exec_t) role $3 types $1_tvtime_t; type $1_tvtime_home_t alias $1_tvtime_rw_t; diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te index 4c211eb4..82c7f87d 100644 --- a/policy/modules/apps/tvtime.te +++ b/policy/modules/apps/tvtime.te @@ -1,5 +1,5 @@ -policy_module(tvtime,1.2.0) +policy_module(tvtime,1.2.1) ######################################## # @@ -7,7 +7,7 @@ policy_module(tvtime,1.2.0) # type tvtime_exec_t; -corecmd_executable_file(tvtime_exec_t) +application_executable_file(tvtime_exec_t) type tvtime_dir_t; files_pid_file(tvtime_dir_t) diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if index ac9cae15..0336e7bc 100644 --- a/policy/modules/apps/uml.if +++ b/policy/modules/apps/uml.if @@ -43,11 +43,9 @@ template(`uml_per_role_template',` # type $1_uml_t; - domain_type($1_uml_t) - role $3 types $1_uml_t; - type $1_uml_exec_t; - domain_entry_file($1_uml_t,$1_uml_exec_t) + application_domain($1_uml_t,$1_uml_exec_t) + role $3 types $1_uml_t; type $1_uml_ro_t; files_type($1_uml_ro_t) diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te index d47dd576..a0727ffc 100644 --- a/policy/modules/apps/uml.te +++ b/policy/modules/apps/uml.te @@ -1,5 +1,5 @@ -policy_module(uml,1.3.0) +policy_module(uml,1.3.1) ######################################## # 
@@ -7,7 +7,7 @@ policy_module(uml,1.3.0) # type uml_exec_t; -corecmd_executable_file(uml_exec_t) +application_executable_file(uml_exec_t) type uml_ro_t; files_type(uml_ro_t) diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if index dac7b45a..8cfca3cd 100644 --- a/policy/modules/apps/userhelper.if +++ b/policy/modules/apps/userhelper.if @@ -43,8 +43,7 @@ template(`userhelper_per_role_template',` # type $1_userhelper_t; - domain_type($1_userhelper_t) - domain_entry_file($1_userhelper_t,userhelper_exec_t) + application_domain($1_userhelper_t,userhelper_exec_t) domain_role_change_exemption($1_userhelper_t) domain_obj_id_change_exemption($1_userhelper_t) domain_interactive_fd($1_userhelper_t) diff --git a/policy/modules/apps/userhelper.te b/policy/modules/apps/userhelper.te index bb0a268b..d225542d 100644 --- a/policy/modules/apps/userhelper.te +++ b/policy/modules/apps/userhelper.te @@ -1,5 +1,5 @@ -policy_module(userhelper,1.2.0) +policy_module(userhelper,1.2.1) ######################################## # @@ -10,4 +10,4 @@ type userhelper_conf_t; files_type(userhelper_conf_t) type userhelper_exec_t; -corecmd_executable_file(userhelper_exec_t) +application_executable_file(userhelper_exec_t) diff --git a/policy/modules/apps/usernetctl.te b/policy/modules/apps/usernetctl.te index 7830a065..72aa5af5 100644 --- a/policy/modules/apps/usernetctl.te +++ b/policy/modules/apps/usernetctl.te @@ -1,5 +1,5 @@ -policy_module(usernetctl,1.1.0) +policy_module(usernetctl,1.1.1) ######################################## # @@ -18,8 +18,7 @@ gen_tunable(user_net_control,false) type usernetctl_t; type usernetctl_exec_t; -domain_type(usernetctl_t) -domain_entry_file(usernetctl_t,usernetctl_exec_t) +application_domain(usernetctl_t,usernetctl_exec_t) domain_interactive_fd(usernetctl_t) ######################################## diff --git a/policy/modules/apps/webalizer.te b/policy/modules/apps/webalizer.te index cd5915ef..c7254e1f 100644 
--- a/policy/modules/apps/webalizer.te +++ b/policy/modules/apps/webalizer.te @@ -1,5 +1,5 @@ -policy_module(webalizer,1.5.0) +policy_module(webalizer,1.5.1) ######################################## # @@ -8,8 +8,7 @@ policy_module(webalizer,1.5.0) type webalizer_t; type webalizer_exec_t; -domain_type(webalizer_t) -domain_entry_file(webalizer_t,webalizer_exec_t) +application_domain(webalizer_t,webalizer_exec_t) role system_r types webalizer_t; type webalizer_etc_t; diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te index 3bf101f3..511f135b 100644 --- a/policy/modules/apps/wine.te +++ b/policy/modules/apps/wine.te @@ -1,5 +1,5 @@ -policy_module(wine,1.3.0) +policy_module(wine,1.3.1) ######################################## # @@ -7,10 +7,8 @@ policy_module(wine,1.3.0) # type wine_t; -domain_type(wine_t) - type wine_exec_t; -domain_entry_file(wine_t,wine_exec_t) +application_domain(wine_t,wine_exec_t) ######################################## # diff --git a/policy/modules/apps/yam.te b/policy/modules/apps/yam.te index 88d15820..5c1f5104 100644 --- a/policy/modules/apps/yam.te +++ b/policy/modules/apps/yam.te @@ -1,5 +1,5 @@ -policy_module(yam,1.1.0) +policy_module(yam,1.1.1) ######################################## # @@ -8,8 +8,7 @@ policy_module(yam,1.1.0) type yam_t alias yam_crond_t; type yam_exec_t; -domain_type(yam_t) -domain_entry_file(yam_t,yam_exec_t) +application_domain(yam_t,yam_exec_t) type yam_content_t; files_mountpoint(yam_content_t) diff --git a/policy/modules/services/aide.te b/policy/modules/services/aide.te index d93b300a..b3e45f4a 100644 --- a/policy/modules/services/aide.te +++ b/policy/modules/services/aide.te @@ -1,5 +1,5 @@ -policy_module(aide,1.1.0) +policy_module(aide,1.1.1) ######################################## # @@ -8,8 +8,7 @@ policy_module(aide,1.1.0) type aide_t; type aide_exec_t; -domain_type(aide_t) -domain_entry_file(aide_t,aide_exec_t) +application_domain(aide_t,aide_exec_t) # log files type aide_log_t; 
diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te index 42536baf..6516aefa 100644 --- a/policy/modules/services/apm.te +++ b/policy/modules/services/apm.te @@ -1,5 +1,5 @@ -policy_module(apm,1.4.0) +policy_module(apm,1.4.1) ######################################## # @@ -10,11 +10,10 @@ type apmd_exec_t; init_daemon_domain(apmd_t,apmd_exec_t) type apm_t; -domain_type(apm_t) +type apm_exec_t; +application_domain(apm_t,apm_exec_t) role system_r types apm_t; -type apm_exec_t; -domain_entry_file(apm_t,apm_exec_t) type apmd_log_t; logging_log_file(apmd_log_t) diff --git a/policy/modules/services/clockspeed.te b/policy/modules/services/clockspeed.te index ceeaec93..8f3ba426 100644 --- a/policy/modules/services/clockspeed.te +++ b/policy/modules/services/clockspeed.te @@ -1,5 +1,5 @@ -policy_module(clockspeed,1.2.0) +policy_module(clockspeed,1.2.1) ######################################## # @@ -8,8 +8,7 @@ policy_module(clockspeed,1.2.0) type clockspeed_cli_t; type clockspeed_cli_exec_t; -domain_type(clockspeed_cli_t) -domain_entry_file(clockspeed_cli_t,clockspeed_cli_exec_t) +application_domain(clockspeed_cli_t,clockspeed_cli_exec_t) type clockspeed_srv_t; type clockspeed_srv_exec_t; diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if index 765ffe68..da245f0a 100644 --- a/policy/modules/services/cron.if +++ b/policy/modules/services/cron.if @@ -50,8 +50,7 @@ template(`cron_per_role_template',` role $3 types $1_crond_t; type $1_crontab_t; - domain_type($1_crontab_t) - domain_entry_file($1_crontab_t,crontab_exec_t) + application_domain($1_crontab_t,crontab_exec_t) role $3 types $1_crontab_t; type $1_crontab_tmp_t; diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te index 91640535..d5cc2068 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -1,5 +1,5 @@ -policy_module(cron,1.7.0) +policy_module(cron,1.7.1) gen_require(` class passwd rootok; 
@@ -29,7 +29,7 @@ gen_tunable(fcron_crond,false) attribute cron_spool_type; type anacron_exec_t; -corecmd_executable_file(anacron_exec_t) +application_executable_file(anacron_exec_t) type cron_spool_t; files_type(cron_spool_t) @@ -55,7 +55,7 @@ type crond_var_run_t; files_pid_file(crond_var_run_t) type crontab_exec_t; -corecmd_executable_file(crontab_exec_t) +application_executable_file(crontab_exec_t) type system_cron_spool_t, cron_spool_type; files_type(system_cron_spool_t) diff --git a/policy/modules/services/dcc.te b/policy/modules/services/dcc.te index 12ade937..3db0fad8 100644 --- a/policy/modules/services/dcc.te +++ b/policy/modules/services/dcc.te @@ -1,5 +1,5 @@ -policy_module(dcc,1.3.0) +policy_module(dcc,1.3.1) ######################################## # @@ -8,8 +8,7 @@ policy_module(dcc,1.3.0) type cdcc_t; type cdcc_exec_t; -domain_type(cdcc_t) -domain_entry_file(cdcc_t,cdcc_exec_t) +application_domain(cdcc_t,cdcc_exec_t) role system_r types cdcc_t; type cdcc_tmp_t; @@ -17,8 +16,7 @@ files_tmp_file(cdcc_tmp_t) type dcc_client_t; type dcc_client_exec_t; -domain_type(dcc_client_t) -domain_entry_file(dcc_client_t,dcc_client_exec_t) +application_domain(dcc_client_t,dcc_client_exec_t) role system_r types dcc_client_t; type dcc_client_map_t; @@ -29,8 +27,7 @@ files_tmp_file(dcc_client_tmp_t) type dcc_dbclean_t; type dcc_dbclean_exec_t; -domain_type(dcc_dbclean_t) -domain_entry_file(dcc_dbclean_t,dcc_dbclean_exec_t) +application_domain(dcc_dbclean_t,dcc_dbclean_exec_t) role system_r types dcc_dbclean_t; type dcc_dbclean_tmp_t; diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if index 0214664a..e48ba2af 100644 --- a/policy/modules/services/lpd.if +++ b/policy/modules/services/lpd.if 
@@ -43,8 +43,7 @@ template(`lpd_per_role_template',` # # Derived domain based on the calling user domain and the program type $1_lpr_t; - domain_type($1_lpr_t) - domain_entry_file($1_lpr_t,lpr_exec_t) + application_domain($1_lpr_t,lpr_exec_t) role $3 types $1_lpr_t; type $1_lpr_tmp_t; diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te index cdccfb2c..4d94288c 100644 --- a/policy/modules/services/lpd.te +++ b/policy/modules/services/lpd.te @@ -1,5 +1,5 @@ -policy_module(lpd,1.6.0) +policy_module(lpd,1.6.1) ######################################## # @@ -32,7 +32,7 @@ type lpd_var_run_t; files_pid_file(lpd_var_run_t) type lpr_exec_t; -corecmd_executable_file(lpr_exec_t) +application_executable_file(lpr_exec_t) type print_spool_t; files_tmp_file(print_spool_t) diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if index dd5d77d4..905dbbc2 100644 --- a/policy/modules/services/mta.if +++ b/policy/modules/services/mta.if @@ -51,8 +51,7 @@ template(`mta_base_mail_template',` # type $1_mail_t, user_mail_domain; - domain_type($1_mail_t) - domain_entry_file($1_mail_t,sendmail_exec_t) + application_domain($1_mail_t,sendmail_exec_t) type $1_mail_tmp_t; files_tmp_file($1_mail_tmp_t) diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te index 4c1560ce..d0dbd59b 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -1,5 +1,5 @@ -policy_module(mta,1.7.0) +policy_module(mta,1.7.1) ######################################## # @@ -26,7 +26,7 @@ type mail_spool_t; files_type(mail_spool_t) type sendmail_exec_t; -files_type(sendmail_exec_t) +application_executable_file(sendmail_exec_t) mta_base_mail_template(system) role system_r types system_mail_t; diff --git a/policy/modules/services/ntop.te b/policy/modules/services/ntop.te index a2071980..b15991f3 100644 --- a/policy/modules/services/ntop.te +++ b/policy/modules/services/ntop.te 
@@ -1,5 +1,5 @@ -policy_module(ntop,1.3.0) +policy_module(ntop,1.3.1) ######################################## # @@ -9,6 +9,7 @@ policy_module(ntop,1.3.0) type ntop_t; type ntop_exec_t; init_daemon_domain(ntop_t,ntop_exec_t) +application_domain(ntop_t,ntop_exec_t) type ntop_etc_t; files_config_file(ntop_etc_t) diff --git a/policy/modules/services/oav.te b/policy/modules/services/oav.te index 0a45cbda..fd9b207a 100644 --- a/policy/modules/services/oav.te +++ b/policy/modules/services/oav.te @@ -1,5 +1,5 @@ -policy_module(oav,1.3.0) +policy_module(oav,1.3.1) ######################################## # @@ -8,8 +8,7 @@ policy_module(oav,1.3.0) type oav_update_t; type oav_update_exec_t; -domain_type(oav_update_t) -domain_entry_file(oav_update_t,oav_update_exec_t) +application_domain(oav_update_t,oav_update_exec_t) # cjp: may be collapsable to etc_t type oav_update_etc_t; diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te index 2d6b44dd..bbd50028 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -1,5 +1,5 @@ -policy_module(postfix,1.6.0) +policy_module(postfix,1.6.1) ######################################## # @@ -22,7 +22,7 @@ type postfix_etc_t; files_type(postfix_etc_t) type postfix_exec_t; -corecmd_executable_file(postfix_exec_t) +application_executable_file(postfix_exec_t) postfix_server_domain_template(local) mta_mailserver_delivery(postfix_local_t) @@ -33,8 +33,7 @@ files_tmp_file(postfix_local_tmp_t) # Program for creating database files type postfix_map_t; type postfix_map_exec_t; -domain_type(postfix_map_t) -domain_entry_file(postfix_map_t,postfix_map_exec_t) +application_domain(postfix_map_t,postfix_map_exec_t) type postfix_map_tmp_t; files_tmp_file(postfix_map_tmp_t) diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te index a1968fe6..490eed46 100644 --- a/policy/modules/services/procmail.te +++ b/policy/modules/services/procmail.te 
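Review bot: In the ntop.te hunk `@@ -9,6 +9,7 @@`, `application_domain(ntop_t,ntop_exec_t)` is added to a type already declared with `init_daemon_domain`, so a daemon type joins `application_domain_type` and its entry point joins `application_exec_type`. The application.te added by this patch grants `ssh_sigchld` and `ssh_rw_stream_sockets` to every member of that attribute, which a daemon started by init presumably does not need. The same widening appears in the timidity.te hunk, in `application_domain(cardmgr_t,cardctl_exec_t)` in pcmcia.te (cardmgr_t looks like a daemon type, but its declaration is outside the hunk), and in init.if, where `init_system_domain` now calls `application_domain` for all of its callers. If these programs are also meant to be run by users, a comment such as `# also run interactively, hence an application domain` above the call would record that; otherwise I would drop the added line here and keep `domain_entry_file` in pcmcia.te.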
@@ -1,5 +1,5 @@ -policy_module(procmail,1.6.0) +policy_module(procmail,1.6.1) ######################################## # @@ -8,8 +8,7 @@ policy_module(procmail,1.6.0) type procmail_t; type procmail_exec_t; -domain_type(procmail_t) -domain_entry_file(procmail_t,procmail_exec_t) +application_domain(procmail_t,procmail_exec_t) role system_r types procmail_t; type procmail_tmp_t; diff --git a/policy/modules/services/publicfile.te b/policy/modules/services/publicfile.te index 42a09bc1..a3510ac1 100644 --- a/policy/modules/services/publicfile.te +++ b/policy/modules/services/publicfile.te @@ -1,5 +1,5 @@ -policy_module(publicfile,1.0.0) +policy_module(publicfile,1.0.1) ######################################## # @@ -8,8 +8,7 @@ policy_module(publicfile,1.0.0) type publicfile_t; type publicfile_exec_t; -init_system_domain(publicfile_t,publicfile_exec_t) -role system_r types publicfile_t; +init_daemon_domain(publicfile_t,publicfile_exec_t) type publicfile_content_t; files_type(publicfile_content_t) diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te index 9dde1ce8..6e9799d7 100644 --- a/policy/modules/services/pyzor.te +++ b/policy/modules/services/pyzor.te @@ -1,5 +1,5 @@ -policy_module(pyzor,1.3.0) +policy_module(pyzor,1.3.1) ######################################## # @@ -8,8 +8,7 @@ policy_module(pyzor,1.3.0) type pyzor_t; type pyzor_exec_t; -domain_type(pyzor_t) -domain_entry_file(pyzor_t,pyzor_exec_t) +application_domain(pyzor_t,pyzor_exec_t) role system_r types pyzor_t; type pyzord_t; diff --git a/policy/modules/services/qmail.te b/policy/modules/services/qmail.te index 9b59c6ab..67af7365 100644 --- a/policy/modules/services/qmail.te +++ b/policy/modules/services/qmail.te @@ -1,5 +1,5 @@ -policy_module(qmail,1.2.0) +policy_module(qmail,1.2.1) ######################################## # 
@@ -56,8 +56,7 @@ init_daemon_domain(qmail_start_t,qmail_start_exec_t) type qmail_tcp_env_t; type qmail_tcp_env_exec_t; -domain_type(qmail_tcp_env_t) -domain_entry_file(qmail_tcp_env_t,qmail_tcp_env_exec_t) +application_domain(qmail_tcp_env_t,qmail_tcp_env_exec_t) ######################################## # diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if index 7a374fd2..c2802e17 100644 --- a/policy/modules/services/spamassassin.if +++ b/policy/modules/services/spamassassin.if @@ -46,16 +46,14 @@ template(`spamassassin_per_role_template',` # type $1_spamc_t; - domain_type($1_spamc_t) - domain_entry_file($1_spamc_t,spamc_exec_t) + application_domain($1_spamc_t,spamc_exec_t) role $3 types $1_spamc_t; type $1_spamc_tmp_t; files_tmp_file($1_spamc_tmp_t) type $1_spamassassin_t; - domain_type($1_spamassassin_t) - domain_entry_file($1_spamassassin_t,spamassassin_exec_t) + application_domain($1_spamassassin_t,spamassassin_exec_t) role $3 types $1_spamassassin_t; type $1_spamassassin_home_t alias $1_spamassassin_rw_t; diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te index 7baf5904..78e3b8ed 100644 --- a/policy/modules/services/spamassassin.te +++ b/policy/modules/services/spamassassin.te @@ -1,5 +1,5 @@ -policy_module(spamassassin,1.7.0) +policy_module(spamassassin,1.7.1) ######################################## # @@ -26,7 +26,7 @@ gen_tunable(spamd_enable_home_dirs,true) # spamassassin client executable type spamc_exec_t; -corecmd_executable_file(spamc_exec_t) +application_executable_file(spamc_exec_t) type spamd_t; type spamd_exec_t; @@ -46,7 +46,7 @@ type spamd_var_run_t; files_pid_file(spamd_var_run_t) type spamassassin_exec_t; -corecmd_executable_file(spamassassin_exec_t) +application_executable_file(spamassassin_exec_t) ######################################## # diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index 623cdd03..22fa0940 100644 
--- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -44,8 +44,7 @@ template(`ssh_basic_client_template',` # type $1_ssh_t; - domain_type($1_ssh_t) - domain_entry_file($1_ssh_t,ssh_exec_t) + application_domain($1_ssh_t,ssh_exec_t) role $3 types $1_ssh_t; type $1_home_ssh_t; @@ -216,8 +215,7 @@ template(`ssh_per_role_template',` userdom_user_home_content($1,$1_home_ssh_t) type $1_ssh_agent_t; - domain_type($1_ssh_agent_t) - domain_entry_file($1_ssh_agent_t,ssh_agent_exec_t) + application_domain($1_ssh_agent_t,ssh_agent_exec_t) domain_interactive_fd($1_ssh_agent_t) role $3 types $1_ssh_agent_t; @@ -225,8 +223,7 @@ template(`ssh_per_role_template',` files_tmp_file($1_ssh_agent_tmp_t) type $1_ssh_keysign_t; - domain_type($1_ssh_keysign_t) - domain_entry_file($1_ssh_keysign_t,ssh_keysign_exec_t) + application_domain($1_ssh_keysign_t,ssh_keysign_exec_t) role $3 types $1_ssh_keysign_t; type $1_ssh_tmpfs_t; diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index dd89416d..b8ca2f57 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -1,5 +1,5 @@ -policy_module(ssh,1.7.0) +policy_module(ssh,1.7.1) ######################################## # @@ -28,7 +28,7 @@ files_type(ssh_agent_exec_t) # ssh client executable. type ssh_exec_t; -corecmd_executable_file(ssh_exec_t) +application_executable_file(ssh_exec_t) type ssh_keygen_t; type ssh_keygen_exec_t; @@ -36,7 +36,7 @@ init_system_domain(ssh_keygen_t,ssh_keygen_exec_t) role system_r types ssh_keygen_t; type ssh_keysign_exec_t; -corecmd_executable_file(ssh_keysign_exec_t) +application_executable_file(ssh_keysign_exec_t) type sshd_exec_t; corecmd_executable_file(sshd_exec_t) diff --git a/policy/modules/services/timidity.te b/policy/modules/services/timidity.te index 8215198a..31ff5afe 100644 --- a/policy/modules/services/timidity.te +++ b/policy/modules/services/timidity.te 
@@ -1,5 +1,5 @@ -policy_module(timidity,1.4.0) +policy_module(timidity,1.4.1) # Note: You only need this policy if you want to run timidity as a server @@ -11,6 +11,7 @@ policy_module(timidity,1.4.0) type timidity_t; type timidity_exec_t; init_daemon_domain(timidity_t,timidity_exec_t) +application_domain(timidity_t,timidity_exec_t) type timidity_tmpfs_t; files_tmpfs_file(timidity_tmpfs_t) diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te index 4cd9971b..d89a801c 100644 --- a/policy/modules/services/uucp.te +++ b/policy/modules/services/uucp.te @@ -1,5 +1,5 @@ -policy_module(uucp,1.4.0) +policy_module(uucp,1.4.1) ######################################## # @@ -30,8 +30,7 @@ logging_log_file(uucpd_log_t) type uux_t; type uux_exec_t; -domain_type(uux_t) -domain_entry_file(uux_t,uux_exec_t) +application_domain(uux_t,uux_exec_t) role system_r types uux_t; ######################################## diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index e082648c..27475d89 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -1,5 +1,5 @@ -policy_module(xserver,1.5.0) +policy_module(xserver,1.5.1) ######################################## # @@ -29,10 +29,10 @@ attribute fonts_config_type; attribute xauth_home_type; type iceauth_exec_t; -corecmd_executable_file(iceauth_exec_t) +application_executable_file(iceauth_exec_t) type xauth_exec_t; -corecmd_executable_file(xauth_exec_t) +application_executable_file(xauth_exec_t) # this is not actually a device, its a pipe type xconsole_device_t; diff --git a/policy/modules/system/application.fc b/policy/modules/system/application.fc new file mode 100644 index 00000000..08133f3c --- /dev/null +++ b/policy/modules/system/application.fc @@ -0,0 +1 @@ +# No application file contexts. diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if new file mode 100644 index 00000000..3816dac7 --- /dev/null 
+++ b/policy/modules/system/application.if @@ -0,0 +1,83 @@ +## Policy for user executable applications. + +######################################## +## +## Make the specified type usable as an application domain. +## +## +## +## Type to be used as a domain type. +## +## +# +interface(`application_type',` + gen_require(` + attribute application_domain_type; + ') + + typeattribute $1 application_domain_type; + + # start with basic domain + domain_type($1) +') + +######################################## +## +## Make the specified type usable for files +## that are exectuables, such as binary programs. +## This does not include shared libraries. +## +## +## +## Type to be used for files. +## +## +# +interface(`application_executable_file',` + gen_require(` + attribute application_exec_type; + ') + + typeattribute $1 application_exec_type; + + corecmd_executable_file($1) +') + +######################################## +## +## Execute application executables in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`application_exec',` + gen_require(` + attribute application_exec_type; + ') + + can_exec($1, application_exec_type) +') + +######################################## +## +## Create a domain which can be started by users +## +## +## +## Type to be used as a domain. +## +## +## +## +## Type of the program to be used as an entry point to this domain. +## +## +# +interface(`application_domain',` + application_type($1) + application_executable_file($2) + domain_entry_file($1,$2) +') diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te new file mode 100644 index 00000000..94c7aac4 --- /dev/null +++ b/policy/modules/system/application.te 
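Review bot: The description of `application_exec` does not say how wide the grant is: `can_exec($1, application_exec_type)` covers every file type passed to `application_executable_file` or `application_domain`, which in this patch includes `login_exec_t`, `chkpwd_exec_t` and `ssh_keysign_exec_t`. I would add a line to its description such as `## This covers every entry point labeled through application_executable_file() or application_domain().` so that a caller knows it is not granting execute access to a single program. In the same file the description of `application_executable_file` misspells "exectuables", and the summary of `application_domain` says the domain "can be started by users" although the body adds no transition rule, only the domain type, the two attributes and the entry point.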
@@ -0,0 +1,14 @@ + +policy_module(application,1.0.0) + +# Attribute of user applications +attribute application_domain_type; + +# Executables to be run by user +attribute application_exec_type; + +optional_policy(` + ssh_sigchld(application_domain_type) + ssh_rw_stream_sockets(application_domain_type) +') + diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index 892032fb..753ffed3 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -24,8 +24,7 @@ template(`authlogin_common_auth_domain_template',` ') type $1_chkpwd_t, can_read_shadow_passwords; - domain_type($1_chkpwd_t) - domain_entry_file($1_chkpwd_t,chkpwd_exec_t) + application_domain($1_chkpwd_t,chkpwd_exec_t) allow $1_chkpwd_t self:capability { audit_control setuid }; allow $1_chkpwd_t self:process getattr; diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index 1507e20a..3c6b3009 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -1,5 +1,5 @@ -policy_module(authlogin,1.7.0) +policy_module(authlogin,1.7.1) ######################################## # @@ -11,7 +11,7 @@ attribute can_write_shadow_passwords; attribute can_relabelto_shadow_passwords; type chkpwd_exec_t; -corecmd_executable_file(chkpwd_exec_t) +application_executable_file(chkpwd_exec_t) type faillog_t; logging_log_file(faillog_t) @@ -20,7 +20,7 @@ type lastlog_t; logging_log_file(lastlog_t) type login_exec_t; -corecmd_executable_file(login_exec_t) +application_executable_file(login_exec_t) type pam_console_t; type pam_console_exec_t; @@ -50,10 +50,8 @@ neverallow ~can_write_shadow_passwords shadow_t:file { create write }; neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto; type utempter_t; -domain_type(utempter_t) - type utempter_exec_t; -domain_entry_file(utempter_t,utempter_exec_t) +application_domain(utempter_t,utempter_exec_t) # # var_auth_t is the type of /var/lib/auth, usually 
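Review bot: The `optional_policy` block in application.te grants `ssh_sigchld` and `ssh_rw_stream_sockets` to all of `application_domain_type` without a comment giving the reason. If the intent is that programs launched from an ssh session inherit its descriptors, say so above the block, for example `# applications run over ssh inherit sshd's sockets and signal it on exit`. Every `application_domain` call in the tree adds a member to this attribute, so a reader needs that reason to judge whether a newly added domain should receive the access.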
diff --git a/policy/modules/system/daemontools.te b/policy/modules/system/daemontools.te index 58a78dea..3186528a 100644 --- a/policy/modules/system/daemontools.te +++ b/policy/modules/system/daemontools.te @@ -1,5 +1,5 @@ -policy_module(daemontools,1.1.0) +policy_module(daemontools,1.1.1) ######################################## # @@ -14,14 +14,12 @@ files_type(svc_log_t) type svc_multilog_t; type svc_multilog_exec_t; -domain_type(svc_multilog_t) -domain_entry_file(svc_multilog_t,svc_multilog_exec_t) +application_domain(svc_multilog_t,svc_multilog_exec_t) role system_r types svc_multilog_t; type svc_run_t; type svc_run_exec_t; -domain_type(svc_run_t) -domain_entry_file(svc_run_t,svc_run_exec_t) +application_domain(svc_run_t,svc_run_exec_t) role system_r types svc_run_t; type svc_start_t; diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 0e7ef25b..ac536fc5 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -196,8 +196,7 @@ interface(`init_system_domain',` role system_r; ') - domain_type($1) - domain_entry_file($1,$2) + application_domain($1,$2) role system_r types $1; diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index c9ddc2e6..59926f8c 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1,5 +1,5 @@ -policy_module(init,1.7.0) +policy_module(init,1.7.1) gen_require(` class passwd rootok; @@ -642,6 +642,11 @@ optional_policy(` loadkeys_exec(initrc_t) ') +optional_policy(` + # in emergency/recovery situations use sulogin + locallogin_domtrans_sulogin(initrc_t) +') + optional_policy(` # This is needed to permit chown to read /var/spool/lpd/lp. # This is opens up security more than necessary; this means that ANYTHING diff --git a/policy/modules/system/locallogin.if b/policy/modules/system/locallogin.if index db32b2ed..447fe0b7 100644 --- a/policy/modules/system/locallogin.if +++ b/policy/modules/system/locallogin.if 
@@ -111,3 +111,21 @@ interface(`locallogin_link_keys',` allow $1 local_login_t:key link; ') + +######################################## +## +## Execute local logins in the local login domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`locallogin_domtrans_sulogin',` + gen_require(` + type sulogin_exec_t, sulogin_t; + ') + + domtrans_pattern($1,sulogin_exec_t,sulogin_t) +') diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te index e73a4c8e..acfe74f6 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -1,5 +1,5 @@ -policy_module(locallogin,1.4.0) +policy_module(locallogin,1.4.1) ######################################## # @@ -25,7 +25,6 @@ domain_subj_id_change_exemption(sulogin_t) domain_role_change_exemption(sulogin_t) domain_interactive_fd(sulogin_t) init_domain(sulogin_t,sulogin_exec_t) -init_system_domain(sulogin_t,sulogin_exec_t) role system_r types sulogin_t; ######################################## diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te index 657475da..e12a1553 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -1,5 +1,5 @@ -policy_module(modutils,1.4.0) +policy_module(modutils,1.4.1) gen_require(` bool secure_mode_insmod; @@ -20,8 +20,7 @@ files_type(modules_dep_t) type insmod_t; type insmod_exec_t; -domain_type(insmod_t) -domain_entry_file(insmod_t,insmod_exec_t) +application_domain(insmod_t,insmod_exec_t) mls_file_write_down(insmod_t) role system_r types insmod_t; diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te index 6950895a..4cc9b979 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -1,5 +1,5 @@ -policy_module(mount,1.7.0) +policy_module(mount,1.7.1) ######################################## # 
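Review bot: The summary of the new `locallogin_domtrans_sulogin` interface reads "Execute local logins in the local login domain.", which looks copied from another interface; the body transitions through `sulogin_exec_t` into `sulogin_t`. It should read `## Execute sulogin in the sulogin domain.`, and the parameter text would be clearer as `## Domain allowed to transition.`, so that policy authors do not mistake it for a transition into `local_login_t`.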
@@ -28,8 +28,7 @@ files_tmp_file(mount_tmp_t)
 ifdef(`targeted_policy',`
 type unconfined_mount_t;
- domain_type(unconfined_mount_t)
- domain_entry_file(unconfined_mount_t,mount_exec_t)
+ application_domain(unconfined_mount_t,mount_exec_t)
 ')
 ########################################
diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te
index 464fb5ba..232d2039 100644
--- a/policy/modules/system/netlabel.te
+++ b/policy/modules/system/netlabel.te
@@ -1,5 +1,5 @@
-policy_module(netlabel,1.0.0)
+policy_module(netlabel,1.0.1)
 ########################################
 #
@@ -8,8 +8,7 @@ policy_module(netlabel,1.0.0)
 type netlabel_mgmt_t;
 type netlabel_mgmt_exec_t;
-domain_type(netlabel_mgmt_t)
-domain_entry_file(netlabel_mgmt_t,netlabel_mgmt_exec_t)
+application_domain(netlabel_mgmt_t,netlabel_mgmt_exec_t)
 ########################################
 #
diff --git a/policy/modules/system/pcmcia.te b/policy/modules/system/pcmcia.te
index 9550cbcf..3ab7e34d 100644
--- a/policy/modules/system/pcmcia.te
+++ b/policy/modules/system/pcmcia.te
@@ -1,5 +1,5 @@
-policy_module(pcmcia,1.2.0)
+policy_module(pcmcia,1.2.1)
 ########################################
 #
@@ -22,7 +22,7 @@ type cardmgr_var_run_t;
 files_pid_file(cardmgr_var_run_t)
 type cardctl_exec_t;
-domain_entry_file(cardmgr_t,cardctl_exec_t)
+application_domain(cardmgr_t,cardctl_exec_t)
 ########################################
 #
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index d7d68806..8a3cf887 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
-policy_module(selinuxutil,1.6.0)
+policy_module(selinuxutil,1.6.1)
 ifdef(`strict_policy',`
 gen_require(`
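Review bot: In policy/modules/system/pcmcia.te the replacement is not the like-for-like substitution made elsewhere in this commit. The old line was only `domain_entry_file(cardmgr_t,cardctl_exec_t)`, with no `domain_type(cardmgr_t)` next to it, so `application_domain(cardmgr_t,cardctl_exec_t)` also applies whatever the macro declares for the domain side to cardmgr_t. cardmgr_t is declared outside this hunk, and its `cardmgr_var_run_t` pid-file type suggests a daemon domain. If `application_domain` attaches an application attribute, that daemon would pick up every rule keyed to it. If only the cardctl entry point was meant to change, I would keep `domain_entry_file(cardmgr_t,cardctl_exec_t)` here, or add `# cardctl runs in cardmgr_t; cardmgr_t is intentionally an application domain` to record the intent.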
@@ -26,11 +26,9 @@ type selinux_config_t;
 files_type(selinux_config_t)
 type checkpolicy_t, can_write_binary_policy;
-domain_type(checkpolicy_t)
-role system_r types checkpolicy_t;
-
 type checkpolicy_exec_t;
-domain_entry_file(checkpolicy_t,checkpolicy_exec_t)
+application_domain(checkpolicy_t, checkpolicy_exec_t)
+role system_r types checkpolicy_t;
 #
 # default_context_t is the type applied to
@@ -47,20 +45,17 @@ type file_context_t;
 files_type(file_context_t)
 type load_policy_t;
-domain_type(load_policy_t)
+type load_policy_exec_t;
+application_domain(load_policy_t,load_policy_exec_t)
 role system_r types load_policy_t;
-type load_policy_exec_t;
-domain_entry_file(load_policy_t,load_policy_exec_t)
-
 type newrole_t;
+type newrole_exec_t;
+application_domain(newrole_t,newrole_exec_t)
 domain_role_change_exemption(newrole_t)
 domain_obj_id_change_exemption(newrole_t)
-domain_type(newrole_t)
 domain_interactive_fd(newrole_t)
-type newrole_exec_t;
-domain_entry_file(newrole_t,newrole_exec_t)
 #
 # policy_config_t is the type of /etc/security/selinux/*
@@ -90,16 +85,15 @@ files_pid_file(restorecond_var_run_t)
 type run_init_t;
 type run_init_exec_t;
-domain_type(run_init_t)
-domain_entry_file(run_init_t,run_init_exec_t)
+application_domain(run_init_t,run_init_exec_t)
 domain_system_change_exemption(run_init_t)
+role system_r types run_init_t;
 type semanage_t;
-domain_type(semanage_t)
 domain_interactive_fd(semanage_t)
 type semanage_exec_t;
-domain_entry_file(semanage_t, semanage_exec_t)
+application_domain(semanage_t,semanage_exec_t)
 role system_r types semanage_t;
 type semanage_store_t;
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index 5b7ffde7..7c0e8b6d 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -1,5 +1,5 @@
-policy_module(xen,1.4.0)
+policy_module(xen,1.4.1)
 ########################################
 #
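Review bot: In the third selinuxutil.te hunk, the added `role system_r types run_init_t;` is a new role authorization, not part of the `domain_type`/`domain_entry_file` to `application_domain` conversion this commit describes. No matching line is removed in the hunk, so unless the statement already exists elsewhere in the file, system_r can now be paired with run_init_t where it could not before. run_init_t also carries `domain_system_change_exemption`, so the grant should have a stated reason. I would move it to its own commit or put `# system_r is authorized for run_init_t because <reason to be supplied by the author>` above it. As a smaller style point, `application_domain(checkpolicy_t, checkpolicy_exec_t)` in the first hunk has a space after the comma that the other new calls do not.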
@@ -70,7 +70,7 @@ files_pid_file(xenconsoled_var_run_t)
 type xm_t;
 type xm_exec_t;
 domain_type(xm_t)
-init_daemon_domain(xm_t, xm_exec_t)
+init_system_domain(xm_t, xm_exec_t)
 ########################################
 #
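Review bot: The context line `domain_type(xm_t)` just above the changed call in xen.te looks redundant after this commit. The init.if hunk makes `init_system_domain` call `application_domain($1,$2)`, which stands in for the `domain_type`/`domain_entry_file` pair everywhere else in the patch. Separately, moving xm_t from `init_daemon_domain` to `init_system_domain` is a behavioural change that the commit message does not mention. `init_daemon_domain` is defined outside this diff, so which daemon-only rules xm_t loses cannot be confirmed from here. I would drop `domain_type(xm_t)` and add a one-line comment above the new call giving the reason, for example `# xm is run from init scripts, not started as a daemon`, if that is the intent.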