clean up networkmanager hacks

2005-11-25 16:43:03 +00:00 · 2005-11-25 16:43:03 +00:00 · d828b5ca8f
commit d828b5ca8f
parent cf0ff557b2
10 changed files with 99 additions and 64 deletions
--- a/refpolicy/policy/modules/services/apm.te
+++ b/refpolicy/policy/modules/services/apm.te
@ -1,5 +1,5 @@
-policy_module(apm,1.0)
+policy_module(apm,1.0.1)
 ########################################
 #
@ -138,6 +138,7 @@ libs_use_shared_libs(apmd_t)
 logging_send_syslog_msg(apmd_t)
 miscfiles_read_localization(apmd_t)
 miscfiles_read_hwdata(apmd_t)
 modutils_domtrans_insmod(apmd_t)
 modutils_read_module_conf(apmd_t)
@ -168,7 +169,6 @@ ifdef(`distro_redhat',`
 	')
 ',`
 	# for ifconfig which is run all the time
 	kernel_dontaudit_search_sysctl(apmd_t)
 ')
@ -195,6 +195,14 @@ optional_policy(`cron',`
 	cron_domtrans_anacron_system_job(apmd_t)
 ')
 optional_policy(`dbus',`
 	dbus_stub(apmd_t)
 	optional_policy(`networkmanager',`
 		networkmanager_dbus_chat(apmd_t)
 	')
 ')
 optional_policy(`logrotate',`
 	logrotate_use_fd(apmd_t)
 ')
@ -227,7 +235,4 @@ allow apmd_t user_tty_type:chr_file { ioctl read getattr lock write append };
 optional_policy(`cron',`
 	allow apmd_t crond_t:fifo_file { getattr read write ioctl };
 ')
 r_dir_file(apmd_t, hwdata_t)
 ')
--- a/refpolicy/policy/modules/services/dbus.if
+++ b/refpolicy/policy/modules/services/dbus.if
@ -1,5 +1,19 @@
 ## <summary>Desktop messaging bus</summary>
 ########################################
 ## <summary>
 ##	DBUS stub interface.  No access allowed.
 ## </summary>
 ## <param name="domain" optional="true">
 ##	N/A
 ## </param>
 #
 interface(`dbus_stub',`
 	gen_require(`
 		type system_dbusd_t;
 	')
 ')
 #######################################
 ## <summary>
 ##	The per user domain template for the dbus module.
@ -173,9 +187,6 @@ template(`dbus_system_bus_client_template',`
 	gen_require(`
 		type system_dbusd_t, system_dbusd_t;
 		type system_dbusd_var_run_t;
 		class dir search;
 		class sock_file write;
 		class unix_stream_socket connectto;
 		class dbus send_msg;
 	')
--- a/refpolicy/policy/modules/services/dovecot.te
+++ b/refpolicy/policy/modules/services/dovecot.te
@ -34,6 +34,7 @@ role system_r types dovecot_auth_t;
 #
 # dovecot local policy
 #
 allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
 dontaudit dovecot_t self:capability sys_tty_config;
 allow dovecot_t self:process { setrlimit signal_perms };
@ -141,6 +142,7 @@ optional_policy(`udev',`
 #
 # dovecot auth local policy
 #
 allow dovecot_auth_t self:capability { setgid setuid };
 allow dovecot_auth_t self:process signal_perms;
 allow dovecot_auth_t self:fifo_file rw_file_perms;
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@ -137,10 +137,13 @@ optional_policy(`cups',`
 ')
 optional_policy(`dbus',`
 	allow hald_t self:dbus send_msg;
 	dbus_system_bus_client_template(hald,hald_t)
 	dbus_send_system_bus_msg(hald_t)
 	dbus_connect_system_bus(hald_t)
 	optional_policy(`networkmanager',`
 		networkmanager_dbus_chat(hald_t)
 	')
 ')
 optional_policy(`dmidecode',`
--- a/refpolicy/policy/modules/services/howl.if
+++ b/refpolicy/policy/modules/services/howl.if
@ -1 +1,17 @@
 ## <summary>Port of Apple Rendezvous multicast DNS</summary>
 ########################################
 ## <summary>
 ##	Send generic signals to howl.
 ## </summary>
 ## <param name="domain">
 ##	Domain allowed access.
 ## </param>
 #
 interface(`howl_signal',`
 	gen_require(`
 		type howl_t;
 	')
 	allow $1 howl_t:process signal;
 ')
--- a/refpolicy/policy/modules/services/networkmanager.if
+++ b/refpolicy/policy/modules/services/networkmanager.if
@ -1 +1,20 @@
 ## <summary>Manager for dynamically switching between networks.</summary>
 ########################################
 ## <summary>
 ##	Send and receive messages from
 ##	NetworkManager over dbus.
 ## </summary>
 ## <param name="domain">
 ##	Domain allowed access.
 ## </param>
 #
 interface(`networkmanager_dbus_chat',`
 	gen_require(`
 		type NetworkManager_t;
 		class dbus send_msg;
 	')
 	allow $1 NetworkManager_t:dbus send_msg;
 	allow NetworkManager_t $1:dbus send_msg;
 ')
--- a/refpolicy/policy/modules/services/networkmanager.te
+++ b/refpolicy/policy/modules/services/networkmanager.te
@ -1,5 +1,5 @@
-policy_module(networkmanager,0.9)
+policy_module(networkmanager,1.0.0)
 ########################################
 #
@ -65,6 +65,8 @@ fs_search_auto_mountpoints(NetworkManager_t)
 mls_file_read_up(NetworkManager_t)
 selinux_dontaudit_search_fs(NetworkManager_t)
 term_dontaudit_use_console(NetworkManager_t)
 corecmd_exec_shell(NetworkManager_t)
@ -98,12 +100,16 @@ seutil_read_config(NetworkManager_t)
 sysnet_domtrans_ifconfig(NetworkManager_t)
 sysnet_domtrans_dhcpc(NetworkManager_t)
 sysnet_signal_dhcpc(NetworkManager_t)
 sysnet_read_dhcpc_pid(NetworkManager_t)
 sysnet_delete_dhcpc_pid(NetworkManager_t)
 sysnet_search_dhcp_state(NetworkManager_t)
 # in /etc created by NetworkManager will be labelled net_conf_t.
 sysnet_manage_config(NetworkManager_t)
 sysnet_create_config(NetworkManager_t)
 userdom_dontaudit_use_unpriv_user_fd(NetworkManager_t)
 userdom_dontaudit_search_sysadm_home_dir(NetworkManager_t)
 userdom_dontaudit_use_unpriv_user_tty(NetworkManager_t)
 ifdef(`targeted_policy', `
 	term_dontaudit_use_unallocated_tty(NetworkManager_t)
@ -119,6 +125,16 @@ optional_policy(`consoletype',`
 	consoletype_exec(NetworkManager_t)
 ')
 optional_policy(`dbus',`
 	dbus_system_bus_client_template(NetworkManager,NetworkManager_t)
 	dbus_connect_system_bus(NetworkManager_t)
 	dbus_send_system_bus_msg(NetworkManager_t)
 ')
 optional_policy(`howl',`
 	howl_signal(NetworkManager_t)
 ')
 optional_policy(`mount',`
 	mount_send_nfs_client_request(NetworkManager_t)
 ')
@ -142,48 +158,3 @@ optional_policy(`udev',`
 optional_policy(`vpn',`
 	vpn_domtrans(NetworkManager_t)
 ')
 ###########################################################
 #
 # Partially converted rules.  THESE ARE ONLY TEMPORARY
 #
 optional_policy(`dbus',`
 	gen_require(`
 		class dbus send_msg;
 	')
 	allow NetworkManager_t self:dbus send_msg;
 	allow NetworkManager_t userdomain:dbus send_msg;
 	allow userdomain NetworkManager_t:dbus send_msg;
 	allow NetworkManager_t initrc_t:dbus send_msg;
 	allow initrc_t NetworkManager_t:dbus send_msg;
 	allow NetworkManager_t apmd_t:dbus send_msg;
 	allow apmd_t NetworkManager_t:dbus send_msg;
 	dbus_system_bus_client_template(NetworkManager,NetworkManager_t)
 	dbus_connect_system_bus(NetworkManager_t)
 	dbus_send_system_bus_msg(NetworkManager_t)
 	ifdef(`targeted_policy',`
 		allow NetworkManager_t unconfined_t:dbus send_msg;
 		allow unconfined_t NetworkManager_t:dbus send_msg;
 	')
 	optional_policy(`hal',`
 		allow NetworkManager_t hald_t:dbus send_msg;
 		allow hald_t NetworkManager_t:dbus send_msg;
 	')
 ')
 allow NetworkManager_t howl_t:process signal;
 allow NetworkManager_t dhcp_state_t:dir search;
 allow NetworkManager_t dhcpc_var_run_t:file { getattr read unlink };
 allow NetworkManager_t var_lib_t:dir search;
 dontaudit NetworkManager_t user_ttynode:chr_file { read write };
 dontaudit NetworkManager_t security_t:dir search;
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@ -1,5 +1,5 @@
-policy_module(init,1.0)
+policy_module(init,1.0.1)
 gen_require(`
 	class passwd rootok;
@ -497,14 +497,10 @@ optional_policy(`cpucontrol',`
 optional_policy(`dbus',`
 	dbus_connect_system_bus(initrc_t)
 	dbus_send_system_bus_msg(initrc_t)
 	dbus_system_bus_client_template(initrc,initrc_t)
-	# FIXME
+	optional_policy(`networkmanager',`
-	allow initrc_t system_dbusd_t:unix_stream_socket connectto;
+		networkmanager_dbus_chat(initrc_t)
 	allow initrc_t system_dbusd_var_run_t:sock_file write;
 	ifdef(`targeted_policy',`
 		allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
 		allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
 	')
 ')
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@ -57,6 +57,14 @@ ifdef(`targeted_policy',`
 		bluetooth_domtrans_helper(unconfined_t)
 	')
 	optional_policy(`dbus',`
 		dbus_stub(unconfined_t)
 		optional_policy(`networkmanager',`
 			networkmanager_dbus_chat(unconfined_t)
 		')
 	')
 	optional_policy(`dmidecode',`
 		dmidecode_domtrans(unconfined_t)
 	')
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@ -310,6 +310,10 @@ template(`base_user_template',`
 	optional_policy(`dbus',`
 		dbus_system_bus_client_template($1,$1_t)
 		optional_policy(`networkmanager',`
 			networkmanager_dbus_chat($1_t)
 		')
 	')
 	optional_policy(`dictd',`
@ -2466,7 +2470,7 @@ interface(`userdom_write_unpriv_user_tmp',`
 #
 interface(`userdom_dontaudit_use_unpriv_user_tty',`
 	ifdef(`targeted_policy',`
-		term_dontaudit_use_generic_pty($1)
+		term_dontaudit_use_unallocated_tty($1)
 	',`
 		gen_require(`
 			attribute user_ttynode;