more merging from 1.27.1-15

This commit is contained in:
Chris PeBenito 2005-10-14 18:42:42 +00:00
parent 65a2523024
commit fe9d17fe14
8 changed files with 57 additions and 3 deletions


@ -62,6 +62,8 @@ fs_search_ramfs(kudzu_t)
fs_write_ramfs_socket(kudzu_t) fs_write_ramfs_socket(kudzu_t)
modutils_read_mods_deps(kudzu_t) modutils_read_mods_deps(kudzu_t)
modutils_read_module_conf(kudzu_t)
modutils_rename_module_conf(kudzu_t)
storage_read_scsi_generic(kudzu_t) storage_read_scsi_generic(kudzu_t)
storage_read_tape_device(kudzu_t) storage_read_tape_device(kudzu_t)
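Review bot: kudzu_t now reads and renames modules_conf_t but this hunk gives it no create or write access to that type, so if kudzu moves the module configuration aside and writes a replacement, the new file takes the parent directory's default type rather than modules_conf_t unless a type transition exists elsewhere, and later modules_conf_t rules will not cover it. Worth confirming against kudzu's rewrite path and the audit log; if a replacement file is written, a create interface or a file type transition on the etc directory belongs next to these two lines. The strict-tree rule at L116 adds the same read-and-rename pattern.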


@ -5,7 +5,7 @@
## Execute ndc in the ndc domain. ## Execute ndc in the ndc domain.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## Domain allowed access.
## </param> ## </param>
# #
interface(`bind_domtrans_ndc',` interface(`bind_domtrans_ndc',`
@ -30,7 +30,7 @@ interface(`bind_domtrans_ndc',`
## allow the specified role the ndc domain. ## allow the specified role the ndc domain.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## Domain allowed access.
## </param> ## </param>
## <param name="role"> ## <param name="role">
## The role to be allowed the bind domain. ## The role to be allowed the bind domain.
@ -50,6 +50,30 @@ interface(`bind_run_ndc',`
allow ndc_t $3:chr_file rw_term_perms; allow ndc_t $3:chr_file rw_term_perms;
') ')
########################################
## <summary>
## Execute bind in the named domain.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`bind_domtrans',`
gen_require(`
type named_t, named_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
domain_auto_trans($1,named_exec_t,named_t)
allow $1 named_t:fd use;
allow named_t $1:fd use;
allow named_t $1:fifo_file rw_file_perms;
allow named_t $1:process sigchld;
')
######################################## ########################################
## <summary> ## <summary>
## Read DNSSEC keys. ## Read DNSSEC keys.
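Review bot: bind_domtrans (L48–L60) grants the caller the automatic transition and the fd/fifo/sigchld exchange but nothing that lets the caller search the directory holding named_exec_t, so unless the caller already has that access the exec never reaches the transition. The existing bind_domtrans_ndc, whose body starts at L28 and lies outside the hunk, is the template to match; if it calls `corecmd_search_sbin($1)`, add the same line directly after the gen_require block here. The interface also has no note that the transition is unconditional for every caller, which matters once system_dbusd_t is given it in this commit; a one-line comment such as `# any caller executing named_exec_t becomes named_t` above domain_auto_trans would make that explicit.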


@ -124,6 +124,10 @@ tunable_policy(`read_default_t',`
files_read_default_pipes(system_dbusd_t) files_read_default_pipes(system_dbusd_t)
') ')
optional_policy(`bind.te',`
bind_domtrans(system_dbusd_t)
')
optional_policy(`nscd.te',` optional_policy(`nscd.te',`
nscd_use_socket(system_dbusd_t) nscd_use_socket(system_dbusd_t)
') ')
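Review bot: The new optional_policy block lets the system message bus execute named and transition into named_t, but carries no comment saying why a message bus needs to start a DNS server; presumably this is bus-activated startup of named, but that is inferred. Propose `# the system bus may start named (dbus activation)` above `bind_domtrans(system_dbusd_t)`. The strict-tree counterpart, the domain_auto_trans at L136, sits under `# Enable named dbus support:` and would benefit from the same clarification since that heading describes the client side.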


@ -91,6 +91,8 @@ sysnet_dns_name_resolve(system_mail_t)
userdom_use_sysadm_terms(system_mail_t) userdom_use_sysadm_terms(system_mail_t)
ifdef(`targeted_policy',` ifdef(`targeted_policy',`
typealias system_mail_t alias sysadm_mail_t;
allow system_mail_t etc_mail_t:file r_file_perms; allow system_mail_t etc_mail_t:file r_file_perms;
allow system_mail_t mail_spool_t:dir create_dir_perms; allow system_mail_t mail_spool_t:dir create_dir_perms;
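Review bot: The typealias is introduced only inside the targeted_policy branch with no comment saying why sysadm_mail_t must remain resolvable there; presumably other policy still references sysadm_mail_t and targeted policy has no separate sysadm mail domain, but that is inferred from the alias alone. Propose `# targeted policy has no separate sysadm mail domain; keep the name for rules that reference it` above the typealias. The ifdef block continues past the end of the hunk. The same alias is added to the strict tree at L127.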


@ -41,6 +41,23 @@ interface(`modutils_read_module_conf',`
allow $1 modules_conf_t:file r_file_perms; allow $1 modules_conf_t:file r_file_perms;
') ')
########################################
## <summary>
## Rename a file with the configuration options used when
## loading modules.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`modutils_rename_module_conf',`
gen_require(`
type modules_conf_t;
')
allow $1 modules_conf_t:file rename;
')
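Review bot: modutils_rename_module_conf grants only `rename` on modules_conf_t:file; renaming a file also needs `{ remove_name add_name }` and write on the containing directory, so a caller without separate write access to the etc directory is still denied, and the strict-tree rule at L116 has the same gap. Either grant the directory permissions in the interface or state in the summary that the caller must obtain them separately. The parameter description `The type of the process performing this action.` is also the wording this same commit replaces with `Domain allowed access.` at L25 and L33; use the new wording here for consistency.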
######################################## ########################################
## <summary> ## <summary>
## Execute insmod in the insmod domain. ## Execute insmod in the insmod domain.


@ -20,7 +20,7 @@ allow kudzu_t memory_device_t:chr_file { read write execute };
allow kudzu_t ramfs_t:dir search; allow kudzu_t ramfs_t:dir search;
allow kudzu_t ramfs_t:sock_file write; allow kudzu_t ramfs_t:sock_file write;
allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod }; allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
allow kudzu_t modules_conf_t:file { getattr read unlink }; allow kudzu_t modules_conf_t:file { getattr read unlink rename };
allow kudzu_t modules_object_t:dir r_dir_perms; allow kudzu_t modules_object_t:dir r_dir_perms;
allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read }; allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read };
allow kudzu_t mouse_device_t:chr_file { read write }; allow kudzu_t mouse_device_t:chr_file { read write };


@ -72,3 +72,7 @@ allow mta_delivery_agent { etc_runtime_t proc_t }:file { getattr read };
allow system_mail_t etc_runtime_t:file { getattr read }; allow system_mail_t etc_runtime_t:file { getattr read };
allow system_mail_t { random_device_t urandom_device_t }:chr_file { getattr read }; allow system_mail_t { random_device_t urandom_device_t }:chr_file { getattr read };
ifdef(`targeted_policy', `
typealias system_mail_t alias sysadm_mail_t;
')


@ -104,6 +104,7 @@ allow named_t self:fifo_file rw_file_perms;
# Enable named dbus support: # Enable named dbus support:
ifdef(`dbusd.te', ` ifdef(`dbusd.te', `
dbusd_client(system, named) dbusd_client(system, named)
domain_auto_trans(system_dbusd_t, named_exec_t, named_t)
allow named_t system_dbusd_t:dbus { acquire_svc send_msg }; allow named_t system_dbusd_t:dbus { acquire_svc send_msg };
allow named_t self:dbus send_msg; allow named_t self:dbus send_msg;
') ')