add radvd, plus a few cleanups from sediff

2005-09-23 21:20:03 +00:00 · 2005-09-23 21:20:03 +00:00 · fa67570d9a
commit fa67570d9a
parent 842859260c
10 changed files with 137 additions and 9 deletions
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@ -1,6 +1,7 @@
 - Fix errors uncovered by sediff.
 - Added policies:
 	kudzu
 	radvd
 * Thu Sep 22 2005 Chris PeBenito <selinux@tresys.com> - 20050922
 - Make logrotate, sendmail, sshd, and rpm policies
--- a/refpolicy/policy/modules/admin/kudzu.te
+++ b/refpolicy/policy/modules/admin/kudzu.te
@ -29,7 +29,7 @@ allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow kudzu_t self:unix_dgram_socket create_socket_perms;
 allow kudzu_t self:udp_socket { create ioctl };
-allow kudzu_t kudzu_tmp_t:{ dir } create_file_perms;
+allow kudzu_t kudzu_tmp_t:dir create_file_perms;
 allow kudzu_t kudzu_tmp_t:{ file chr_file } create_file_perms;
 files_create_tmp_files(kudzu_t, kudzu_tmp_t, { file dir chr_file })
@ -81,7 +81,6 @@ domain_use_wide_inherit_fd(kudzu_t)
 files_search_var(kudzu_t)
 files_search_locks(kudzu_t)
 files_exec_etc_files(kudzu_t)
 files_manage_etc_files(kudzu_t)
 files_manage_etc_runtime_files(kudzu_t)
 files_manage_mnt_files(kudzu_t)
@ -98,8 +97,6 @@ init_use_fd(kudzu_t)
 init_use_script_pty(kudzu_t)
 init_unix_connect_script(kudzu_t)
 libs_exec_ld_so(kudzu_t)
 libs_exec_lib_files(kudzu_t)
 libs_use_ld_so(kudzu_t)
 libs_use_shared_libs(kudzu_t)
 # Read /usr/lib/gconv/gconv-modules.*
@ -110,6 +107,7 @@ logging_send_syslog_msg(kudzu_t)
 miscfiles_read_localization(kudzu_t)
 modutils_read_module_conf(kudzu_t)
 modutils_domtrans_insmod(kudzu_t)
 sysnet_read_config(kudzu_t)
@ -130,6 +128,10 @@ optional_policy(`gpm.te',`
 	gpm_getattr_gpmctl(kudzu_t)
 ')
 optional_policy(`nscd.te',`
 	nscd_use_socket(kudzu_t)
 ')
 optional_policy(`selinuxutil.te',`
        seutil_sigchld_newrole(kudzu_t)
 ')
@ -139,6 +141,7 @@ optional_policy(`udev.te',`
 ')
 ifdef(`TODO',`
 allow kudzu_t modules_conf_t:file unlink;
 optional_policy(`rhgb.te',`
        rhgb_domain(kudzu_t)
 ')
--- a/refpolicy/policy/modules/services/nis.if
+++ b/refpolicy/policy/modules/services/nis.if
@ -43,6 +43,12 @@ interface(`nis_use_ypbind',`
 		corenet_tcp_connect_reserved_port($1)
 		corenet_tcp_connect_generic_port($1)
 		corenet_dontaudit_tcp_connect_all_reserved_ports($1)
 		sysnet_read_config($1)
 		optional_policy(`mount.te',`
 			mount_send_nfs_client_request($1)
 		')
 	',`
 		dontaudit $1 var_yp_t:dir search;
 	')
--- a/refpolicy/policy/modules/services/radvd.fc
+++ b/refpolicy/policy/modules/services/radvd.fc
@ -0,0 +1,7 @@
 /etc/radvd\.conf	--	context_template(system_u:object_r:radvd_etc_t,s0)
 /usr/sbin/radvd		--	context_template(system_u:object_r:radvd_exec_t,s0)
 /var/run/radvd\.pid	--	context_template(system_u:object_r:radvd_var_run_t,s0)
 /var/run/radvd(/.*)?		context_template(system_u:object_r:radvd_var_run_t,s0)
--- a/refpolicy/policy/modules/services/radvd.if
+++ b/refpolicy/policy/modules/services/radvd.if
@ -0,0 +1 @@
 ## <summary>IPv6 router advertisement daemon</summary>
--- a/refpolicy/policy/modules/services/radvd.te
+++ b/refpolicy/policy/modules/services/radvd.te
@ -0,0 +1,102 @@
 policy_module(radvd,1.0)
 ########################################
 #
 # Declarations
 #
 type radvd_t;
 type radvd_exec_t;
 init_daemon_domain(radvd_t,radvd_exec_t)
 type radvd_var_run_t;
 files_pid_file(radvd_var_run_t)
 type radvd_etc_t; #, usercanread;
 files_type(radvd_etc_t)
 ########################################
 #
 # Local policy
 #
 allow radvd_t self:capability { setgid setuid net_raw };
 dontaudit radvd_t self:capability sys_tty_config;
 allow radvd_t self:process signal_perms;
 allow radvd_t self:unix_dgram_socket create_socket_perms;
 allow radvd_t self:unix_stream_socket create_socket_perms;
 allow radvd_t self:rawip_socket create_socket_perms;
 allow radvd_t self:tcp_socket create_stream_socket_perms;
 allow radvd_t self:udp_socket create_socket_perms;
 allow radvd_t radvd_etc_t:file { getattr read };
 allow radvd_t radvd_var_run_t:file create_file_perms;
 allow radvd_t radvd_var_run_t:dir rw_dir_perms;
 files_create_pid(radvd_t,radvd_var_run_t)
 kernel_read_kernel_sysctl(radvd_t)
 kernel_read_net_sysctl(radvd_t)
 kernel_read_network_state(radvd_t)
 kernel_read_system_state(radvd_t)
 corenet_tcp_sendrecv_all_if(radvd_t)
 corenet_udp_sendrecv_all_if(radvd_t)
 corenet_raw_sendrecv_all_if(radvd_t)
 corenet_tcp_sendrecv_all_nodes(radvd_t)
 corenet_udp_sendrecv_all_nodes(radvd_t)
 corenet_raw_sendrecv_all_nodes(radvd_t)
 corenet_tcp_sendrecv_all_ports(radvd_t)
 corenet_udp_sendrecv_all_ports(radvd_t)
 corenet_tcp_bind_all_nodes(radvd_t)
 corenet_udp_bind_all_nodes(radvd_t)
 dev_read_sysfs(radvd_t)
 fs_getattr_all_fs(radvd_t)
 fs_search_auto_mountpoints(radvd_t)
 term_dontaudit_use_console(radvd_t)
 domain_use_wide_inherit_fd(radvd_t)
 files_read_etc_files(radvd_t)
 files_list_usr(radvd_t)
 init_use_fd(radvd_t)
 init_use_script_pty(radvd_t)
 libs_use_ld_so(radvd_t)
 libs_use_shared_libs(radvd_t)
 logging_send_syslog_msg(radvd_t)
 miscfiles_read_localization(radvd_t)
 sysnet_read_config(radvd_t)
 userdom_dontaudit_use_unpriv_user_fd(radvd_t)
 userdom_dontaudit_search_sysadm_home_dir(radvd_t)
 ifdef(`targeted_policy',`
 	term_dontaudit_use_unallocated_tty(radvd_t)
 	term_dontaudit_use_generic_pty(radvd_t)
 	files_dontaudit_read_root_file(radvd_t)
 ')
 optional_policy(`nis.te',`
 	nis_use_ypbind(radvd_t)
 ')
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(radvd_t)
 ')
 optional_policy(`udev.te',`
 	udev_read_db(radvd_t)
 ')
 ifdef(`TODO',`
 optional_policy(`rhgb.te',`
 	rhgb_domain(radvd_t)
 ')
 ')
--- a/refpolicy/policy/modules/services/snmp.te
+++ b/refpolicy/policy/modules/services/snmp.te
@ -118,6 +118,10 @@ ifdef(`targeted_policy', `
 	files_dontaudit_read_root_file(snmpd_t)
 ')
 optional_policy(`nis.te',`
 	nis_use_ypbind(snmpd_t)
 ')
 optional_policy(`nscd.te',`
 	nscd_use_socket(snmpd_t)
 ')
@ -130,11 +134,6 @@ optional_policy(`udev.te', `
 	udev_read_db(snmpd_t)
 ')
 optional_policy(`nis.te',`
 	nis_use_ypbind(snmpd_t)
 ')
 ifdef(`TODO',`
 can_udp_send(sysadm_t, snmpd_t)
 can_udp_send(snmpd_t, sysadm_t)
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@ -475,6 +475,7 @@ optional_policy(`mysql.te',`
 ')
 optional_policy(`nis.te',`
 	nis_use_ypbind(initrc_t)
 	nis_udp_sendto_ypbind(initrc_t)
 	nis_list_var_yp(initrc_t)
 ')
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@ -121,6 +121,10 @@ optional_policy(`mount.te',`
 	mount_domtrans(insmod_t)
 ')
 optional_policy(`nis.te',`
 	nis_use_ypbind(insmod_t)
 ')
 optional_policy(`nscd.te',`
 	nscd_use_socket(insmod_t)
 ')
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@ -161,6 +161,10 @@ optional_policy(`hotplug.te',`
 	hotplug_read_config(udev_t)
 ')
 optional_policy(`nis.te',`
 	nis_use_ypbind(udev_t)
 ')
 optional_policy(`nscd.te',`
 	nscd_use_socket(udev_t)
 ')
		`@ -0,0 +1 @@`
							`## <summary>IPv6 router advertisement daemon</summary>`