Navigation

← Previous Changeset
Next Changeset →

Changeset 1817

Timestamp:

05/16/06 13:36:25 (3 years ago)

Author:

cpebenito

Message:

move old strict, targeted, and mls policies to archive

Files:

archive (added)
archive/mls (moved) (moved from trunk/mls)
archive/strict (moved) (moved from trunk/strict)
archive/targeted (moved) (moved from trunk/targeted)
trunk/docs/macro_conversion_guide (modified) (16 diffs)
trunk/tools/buildtest.sh (modified) (5 diffs)
trunk/tools/quicktest.sh (modified) (5 diffs)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

trunk/docs/macro_conversion_guide

r1690	r1817
32	32	#
33	33	optional_policy(`nscd',`
34		nscd_~~use_socket~~($1)
	34	nscd_socket_use($1)
35	35	')
36	36
…	…
44	44	#
45	45	# handled by appropriate interfaces
	46
	47	#
	48	# exec_type: complete
	49	#
	50	corecmd_executable_file($1)
46	51
47	52	#
…	…
120	125	')
121	126	')
122		optional_policy(`~~cron',`~~
	127	optional_policy(`
123	128	cron_sigchld($1)
124	129	cron_read_system_job_tmp_files($1)
125	130	')
126		optional_policy(`~~logrotate',`~~
	131	optional_policy(`
127	132	logrotate_read_tmp_files($1)
128	133	')
…	…
131	136	# nscd_client_domain: complete
132	137	#
133		optional_policy(`~~nscd',`~~
134		nscd_~~use_socket~~($1)
	138	optional_policy(`
	139	nscd_socket_use($1)
135	140	')
136	141
…	…
143	148	# privlog: complete
144	149	#
145		optional_policy(`logging',`
146		logging_send_syslog_msg($1)
147		')
	150	logging_send_syslog_msg($1)
148	151
149	152	#
…	…
368	371	# can_exec_any(): complete
369	372	#
370		corecmd_exec_bin($1)
371		corecmd_exec_sbin($1)
372		domain_exec_all_entry_files($1)
	373	corecmd_exec_all_executables($1)
373	374	files_exec_etc_files($1)
374	375	libs_use_ld_so($1)
…	…
644	645	allow $1 $2:{ file lnk_file } { read getattr };
645	646	allow $1 $2:process getattr;
646		~~# We need to suppress this denial because procps tries to access~~
647		~~# /proc/pid/environ and this now triggers a ptrace check in recent kernels~~
648		~~# (2.4 and 2.6). Might want to change procps to not do this, or only if~~
649		~~# running in a privileged domain.~~
650		~~dontaudit $1 $2:process ptrace;~~
651	647
652	648	#
…	…
788	784	kernel_read_kernel_sysctls($1_t)
789	785	dev_read_sysfs($1_t)
	786	domain_use_interactive_fds($1_t)
790	787	fs_search_auto_mountpoints($1_t)
791	788	term_dontaudit_use_console($1_t)
792		~~domain_use_interactive_fds($1_t)~~
793	789	init_use_fds($1_t)
794		init_use_script_pty($1_t)
	790	init_use_script_ptys($1_t)
795	791	libs_use_ld_so($1_t)
796	792	libs_use_shared_libs($1_t)
…	…
798	794	userdom_dontaudit_use_unpriv_user_fds($1_t)
799	795	ifdef(`targeted_policy',`
800		term_dontaudit_use_unallocated_tty($1_t)
801		term_dontaudit_use_generic_pty($1_t)
	796	term_dontaudit_use_unallocated_ttys($1_t)
	797	term_dontaudit_use_generic_ptys($1_t)
802	798	files_dontaudit_read_root_files($1_t)
803	799	')
804		optional_policy(`~~selinuxutil',`~~
	800	optional_policy(`
805	801	seutil_sigchld_newrole($1_t)
806	802	')
807		optional_policy(`~~udev',`~~
	803	optional_policy(`
808	804	udev_read_db($1_t)
809	805	')
…	…
821	817	allow $1_t $1_var_run_t:file create_file_perms;
822	818	allow $1_t $1_var_run_t:dir rw_dir_perms;
823		files_pid_filetrans($1_t,$1_var_run_t)
	819	files_pid_filetrans($1_t,$1_var_run_t,file)
824	820	kernel_read_kernel_sysctls($1_t)
825	821	kernel_list_proc($1_t)
826	822	kernel_read_proc_symlinks($1_t)
827	823	dev_read_sysfs($1_t)
	824	domain_use_interactive_fds($1_t)
828	825	fs_getattr_all_fs($1_t)
829	826	fs_search_auto_mountpoints($1_t)
830	827	term_dontaudit_use_console($1_t)
831		~~domain_use_interactive_fds($1_t)~~
832	828	init_use_fds($1_t)
833		init_use_script_pty($1_t)
	829	init_use_script_ptys($1_t)
834	830	libs_use_ld_so($1_t)
835	831	libs_use_shared_libs($1_t)
…	…
838	834	userdom_dontaudit_use_unpriv_user_fds($1_t)
839	835	userdom_dontaudit_search_sysadm_home_dirs($1_t)
840		ifdef(`targeted_policy', `
841		term_dontaudit_use_unallocated_tty($1_t)
842		term_dontaudit_use_generic_pty($1_t)
	836	ifdef(`targeted_policy',`
	837	term_dontaudit_use_unallocated_ttys($1_t)
	838	term_dontaudit_use_generic_ptys($1_t)
843	839	files_dontaudit_read_root_files($1_t)
844	840	')
845		optional_policy(`~~selinuxutil',`~~
	841	optional_policy(`
846	842	seutil_sigchld_newrole($1_t)
847	843	')
848		optional_policy(`~~udev',`~~
	844	optional_policy(`
849	845	udev_read_db($1_t)
850	846	')
…	…
1045	1041	')
1046	1042	optional_policy(`nscd',`
1047		nscd_~~use_socket~~($1_t)
	1043	nscd_socket_use($1_t)
1048	1044	')
1049	1045
…	…
1061	1057	files_lock_file($1_lock_t)
1062	1058	allow $1_t $1_lock_t:file create_file_perms;
1063		files_lock_filetrans($1_t,$1_lock_t)
	1059	files_lock_filetrans($1_t,$1_lock_t,file)
1064	1060
1065	1061	#
…	…
1069	1065	logging_log_file($1_log_t)
1070	1066	allow $1_t $1_log_t:file create_file_perms;
1071		logging_log_filetrans($1_t,$1_log_t)
	1067	logging_log_filetrans($1_t,$1_log_t,file)
1072	1068
1073	1069	#
…	…
1231	1227	allow $1_t $1_var_lib_t:file create_file_perms;
1232	1228	allow $1_t $1_var_lib_t:dir rw_dir_perms;
1233		files_var_lib_filetrans($1_t,$1_var_lib_t)
	1229	files_var_lib_filetrans($1_t,$1_var_lib_t,file)
1234	1230
1235	1231	#
…	…
1240	1236	allow $1_t $1_var_run_t:file create_file_perms;
1241	1237	allow $1_t $1_var_run_t:dir rw_dir_perms;
1242		files_pid_filetrans($1_t,$1_var_run_t)
	1238	files_pid_filetrans($1_t,$1_var_run_t,file)
1243	1239
1244	1240	#

trunk/tools/buildtest.sh

r1739	r1817
5	5	POLVER="`checkpolicy -V \|cut -f 1 -d ' '`"
6	6	SETFILES="/usr/sbin/setfiles"
7		SE_LINK="/usr/bin/semodule_link"
	7	SE_LINK="time -p /usr/bin/semodule_link"
8	8
9	9	die() {
…	…
15	15	}
16	16
17		cleanup() {
18		make bare
	17	cleanup_mon() {
	18	make MONOLITHIC=y bare
	19	}
	20
	21	cleanup_mod() {
19	22	make MONOLITHIC=n bare
20	23	}
…	…
23	26	local OPTS=""
24	27
25		~~trap cleanup SIGINT SIGQUIT~~
26
27	28	for i in $TYPES; do
28	29	# Monolithic tests
	30	trap cleanup_mon SIGINT SIGQUIT
29	31	OPTS="TYPE=$i MONOLITHIC=y QUIET=y DIRECT_INITRC=y"
30	32	[ ! -z "$1" ] && OPTS="$OPTS DISTRO=$1"
…	…
35	37	make $OPTS file_contexts \|\| die "$?" "$OPTS"
36	38	$SETFILES -q -c policy.$POLVER file_contexts \|\| die "$?" "$OPTS"
37		~~make $OPTS bare \|\| die "$?" "$OPTS"~~
	39	cleanup_mon
38	40
39	41	# Loadable module tests
	42	trap cleanup_mod SIGINT SIGQUIT
40	43	OPTS="TYPE=$i MONOLITHIC=n QUIET=y DIRECT_INITRC=y"
41	44	[ ! -z "$1" ] && OPTS="$OPTS DISTRO=$1"
…	…
49	52	rm dmesg.pp
50	53	$SE_LINK tmp/base.pp *.pp \|\| die "$?" "$OPTS"
51		~~make $OPTS bare \|\| die "$?" "$OPTS"~~
	54	cleanup_mod
52	55	done
53	56	}
54	57
55		cleanup
	58	cleanup_mon
	59	cleanup_mod
56	60	do_test
57	61
	62	for i in $DISTROS; do
	63	do_test $i
	64	done
	65
58	66	echo "Completed successfully."

trunk/tools/quicktest.sh

r1739	r1817
4	4	POLVER="`checkpolicy -V \|cut -f 1 -d ' '`"
5	5	SETFILES="/usr/sbin/setfiles"
6		SE_LINK="/usr/bin/semodule_link"
	6	SE_LINK="time -p /usr/bin/semodule_link"
7	7
8	8	die() {
…	…
14	14	}
15	15
16		cleanup() {
17		make bare
	16	cleanup_mon() {
	17	make MONOLITHIC=y bare
	18	}
	19
	20	cleanup_mod() {
18	21	make MONOLITHIC=n bare
19	22	}
…	…
22	25	local OPTS=""
23	26
24		~~trap cleanup SIGINT SIGQUIT~~
25
26	27	for i in $TYPES; do
27	28	# Monolithic tests
	29	trap cleanup_mon SIGINT SIGQUIT
28	30	OPTS="TYPE=$i MONOLITHIC=y QUIET=y DIRECT_INITRC=y"
29	31	[ ! -z "$1" ] && OPTS="$OPTS DISTRO=$1"
…	…
34	36	make $OPTS file_contexts \|\| die "$?" "$OPTS"
35	37	$SETFILES -q -c policy.$POLVER file_contexts \|\| die "$?" "$OPTS"
36		~~make $OPTS bare \|\| die "$?" "$OPTS"~~
	38	cleanup_mon
37	39
38	40	# Loadable module tests
	41	trap cleanup_mod SIGINT SIGQUIT
39	42	OPTS="TYPE=$i MONOLITHIC=n QUIET=y DIRECT_INITRC=y"
40	43	[ ! -z "$1" ] && OPTS="$OPTS DISTRO=$1"
…	…
48	51	rm dmesg.pp
49	52	$SE_LINK tmp/base.pp *.pp \|\| die "$?" "$OPTS"
50		~~make $OPTS bare \|\| die "$?" "$OPTS"~~
	53	cleanup_mod
51	54	done
52	55	}
53	56
54		cleanup
	57	cleanup_mon
	58	cleanup_mod
55	59	do_test
56	60

Download in other formats:

Unified Diff
Zip Disabled

* Generating other formats may take time.