Navigation

← Previous Changeset
Next Changeset →

Changeset 2335

Timestamp:

06/15/07 12:11:51 (1 year ago)

Author:

pebenito

Message:

strict-targeted-merge: ifdef strict/targeted_policy cleanup for mplayer, dbus, ldap, mta, cron, spamassassin, cups, xserver, networkmanager, prilink, su

Files:

branches/strict-targeted-merge-2266/policy/modules/admin/prelink.te (modified) (1 diff)
branches/strict-targeted-merge-2266/policy/modules/admin/su.if (modified) (1 diff)
branches/strict-targeted-merge-2266/policy/modules/apps/mplayer.te (modified) (1 diff)
branches/strict-targeted-merge-2266/policy/modules/services/cron.if (modified) (1 diff)
branches/strict-targeted-merge-2266/policy/modules/services/cron.te (modified) (1 diff)
branches/strict-targeted-merge-2266/policy/modules/services/cups.te (modified) (1 diff)
branches/strict-targeted-merge-2266/policy/modules/services/dbus.if (modified) (1 diff)
branches/strict-targeted-merge-2266/policy/modules/services/dbus.te (modified) (1 diff)
branches/strict-targeted-merge-2266/policy/modules/services/ldap.te (modified) (1 diff)
branches/strict-targeted-merge-2266/policy/modules/services/mta.te (modified) (1 diff)
branches/strict-targeted-merge-2266/policy/modules/services/networkmanager.te (modified) (2 diffs)
branches/strict-targeted-merge-2266/policy/modules/services/spamassassin.if (modified) (1 diff)
branches/strict-targeted-merge-2266/policy/modules/services/spamassassin.te (modified) (3 diffs)
branches/strict-targeted-merge-2266/policy/modules/services/xserver.if (modified) (1 diff)
branches/strict-targeted-merge-2266/policy/modules/system/unconfined.if (modified) (1 diff)
branches/strict-targeted-merge-2266/policy/modules/system/unconfined.te (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

branches/strict-targeted-merge-2266/policy/modules/admin/prelink.te

r2320	r2335
85	85	miscfiles_read_localization(prelink_t)
86	86
87		~~# cjp: this seems incorrect~~
88		~~#ifdef(`targeted_policy',`~~
89		~~# # prelink executables in the user homedir~~
90		~~# userdom_manage_generic_user_home_content_files(prelink_t)~~
91		~~# userdom_mmap_generic_user_home_content_files(prelink_t)~~
92		~~# userdom_dontaudit_relabel_generic_user_home_content_files(prelink_t)~~
93		~~#')~~
94
95	87	optional_policy(`
96	88	amanda_manage_lib(prelink_t)

branches/strict-targeted-merge-2266/policy/modules/admin/su.if

r2320	r2335
269	269	')
270	270
271		~~# ifdef(`targeted_policy',`~~
272		~~# # allow user to suspend terminal.~~
273		~~# # does not work in strict since the~~
274		~~# # parent may not be able to use~~
275		~~# # the terminal if we newrole,~~
276		~~# # which relabels the terminal.~~
277		~~# allow $1_su_t self:process sigstop;~~
278		#
279		~~# corecmd_exec_bin($1_su_t)~~
280		~~# userdom_manage_all_users_home_content_files($1_su_t)~~
281		~~# userdom_manage_all_users_home_content_symlinks($1_su_t)~~
282		~~# ')~~
283
284	271	tunable_policy(`allow_polyinstantiation',`
285	272	fs_mount_xattr_fs($1_su_t)

branches/strict-targeted-merge-2266/policy/modules/apps/mplayer.te

r2302	r2335
22	22	type mplayer_exec_t;
23	23	corecmd_executable_file(mplayer_exec_t)
24
25		~~#ifdef(`targeted_policy',`~~
26		~~# unconfined_execmem_alias_program(mencoder_exec_t)~~
27		~~# unconfined_execmem_alias_program(mplayer_exec_t)~~
28		~~#')~~

branches/strict-targeted-merge-2266/policy/modules/services/cron.if

r2239	r2335
153	153	')
154	154
	155	# need a per-role version of this:
	156	#optional_policy(`
	157	# mono_domtrans($1_crond_t)
	158	#')
	159
	160	optional_policy(`
	161	dbus_stub($1_crond_t)
	162
	163	allow $1_crond_t $2:dbus send_msg;
	164	')
	165
155	166	optional_policy(`
156	167	nis_use_ypbind($1_crond_t)

branches/strict-targeted-merge-2266/policy/modules/services/cron.te

r2313	r2335
179	179	locallogin_search_keys(crond_t)
180	180	locallogin_link_keys(crond_t)
181		')
182
183		~~ifdef(`targeted_policy',`~~
184		~~# these should probably be unconfined_crond_t~~
185		~~init_dbus_send_script(crond_t)~~
186		~~unconfined_dbus_send(crond_t)~~
187
188		~~optional_policy(`~~
189		~~mono_domtrans(crond_t)~~
190		')
191	181	')
192	182

branches/strict-targeted-merge-2266/policy/modules/services/cups.te

r2315	r2335
234	234	')
235	235
236		~~ifdef(`targeted_policy',`~~
237		~~init_stream_connect_script(cupsd_t)~~
238
239		~~optional_policy(`~~
240		~~init_dbus_chat_script(cupsd_t)~~
241
242		~~unconfined_dbus_send(cupsd_t)~~
243
244		~~dbus_stub(cupsd_t)~~
245		')
246		')
247
248	236	optional_policy(`
249	237	apm_domtrans_client(cupsd_t)

branches/strict-targeted-merge-2266/policy/modules/services/dbus.if

r2239	r2335
14	14	gen_require(`
15	15	type system_dbusd_t;
	16	class dbus all_dbus_perms;
16	17	')
17	18	')

branches/strict-targeted-merge-2266/policy/modules/services/dbus.te

r2295 r2335

3 3
4 4 gen_require(`
5 class dbus ~~{ send_msg acquire_svc }~~;
5 class dbus all_dbus_perms;
6 6 ')
7 7

branches/strict-targeted-merge-2266/policy/modules/services/ldap.te

r2302	r2335
117	117	userdom_dontaudit_search_sysadm_home_dirs(slapd_t)
118	118
119		~~ifdef(`targeted_policy',`~~
120		~~userdom_search_generic_user_home_dirs(slapd_t)~~
121		~~#need to be able to read ldif files created by root~~
122		~~# cjp: fix to not use templated interface:~~
123		~~userdom_read_user_home_content_files(user,slapd_t)~~
124		')
125
126	119	optional_policy(`
127	120	kerberos_use(slapd_t)

branches/strict-targeted-merge-2266/policy/modules/services/mta.te

r2314	r2335
31	31	mta_base_mail_template(system)
32	32	role system_r types system_mail_t;
33
34		~~# cjp: need to resolve this, but require{}~~
35		~~# does not work in the else part of the optional~~
36		~~#ifdef(`strict_policy',`~~
37		~~# optional_policy(`',`~~
38		~~# init_system_domain(system_mail_t,sendmail_exec_t)~~
39		~~# ')~~
40		~~#')~~
41	33
42	34	########################################

branches/strict-targeted-merge-2266/policy/modules/services/networkmanager.te

r2320	r2335
109	109	userdom_dontaudit_search_sysadm_home_dirs(NetworkManager_t)
110	110	userdom_dontaudit_use_unpriv_users_ttys(NetworkManager_t)
111
112		ifdef(`targeted_policy', `
113		# Read gnome-keyring
114		userdom_read_generic_user_home_content_files(NetworkManager_t)
115		')
	111	# Read gnome-keyring
	112	userdom_read_unpriv_users_home_content_files(NetworkManager_t)
116	113
117	114	optional_policy(`
…	…
169	166
170	167	optional_policy(`
	168	# Read gnome-keyring
	169	unconfined_read_home_content_files(NetworkManager_t)
	170	')
	171
	172	optional_policy(`
171	173	vpn_domtrans(NetworkManager_t)
172	174	vpn_signal(NetworkManager_t)

branches/strict-targeted-merge-2266/policy/modules/services/spamassassin.if

r2239	r2335
281	281	')
282	282
	283	tunable_policy(`spamd_enable_home_dirs',`
	284	userdom_manage_user_home_content_dirs($1,spamd_t)
	285	userdom_manage_user_home_content_files($1,spamd_t)
	286	userdom_manage_user_home_content_symlinks($1,spamd_t)
	287	')
	288
283	289	tunable_policy(`use_nfs_home_dirs',`
284	290	fs_manage_nfs_dirs($1_spamassassin_t)

branches/strict-targeted-merge-2266/policy/modules/services/spamassassin.te

r2295	r2335
14	14	gen_tunable(spamassassin_can_network,false)
15	15
16		~~ifdef(`targeted_policy',`~~
17	16	## <desc>
18	17	## <p>
…	…
21	20	## </desc>
22	21	gen_tunable(spamd_enable_home_dirs,true)
23		')
24	22
25	23	# spamassassin client executable
…	…
151	149	userdom_dontaudit_search_sysadm_home_dirs(spamd_t)
152	150
153		~~ifdef(`targeted_policy',`~~
154		~~tunable_policy(`spamd_enable_home_dirs',`~~
155		~~userdom_manage_generic_user_home_content_dirs(spamd_t)~~
156		~~userdom_manage_generic_user_home_content_files(spamd_t)~~
157		~~userdom_manage_generic_user_home_content_symlinks(spamd_t)~~
158		~~userdom_generic_user_home_dir_filetrans_generic_user_home_content(spamd_t,dir)~~
159		')
160		')
161
162	151	tunable_policy(`use_nfs_home_dirs',`
163	152	fs_manage_nfs_files(spamd_t)

branches/strict-targeted-merge-2266/policy/modules/services/xserver.if

r2289	r2335
733	733	')
734	734
735		ifdef(`strict_policy',`
736		allow $1 xauth_home_type:file read_file_perms;
737		userdom_search_all_users_home_dirs($1)
738		',`
739		userdom_read_generic_user_home_content_files($1)
740		')
	735	allow $1 xauth_home_type:file read_file_perms;
	736	userdom_search_all_users_home_dirs($1)
741	737	')
742	738

branches/strict-targeted-merge-2266/policy/modules/system/unconfined.if

r2310	r2335
559	559
560	560	files_search_home($1)
561		allow $1 { unconfined_home_dir_t ~~sysadm~~_home_t }:dir list_dir_perms;
	561	allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms;
562	562	read_files_pattern($1,{ unconfined_home_dir_t unconfined_home_t },unconfined_home_t)
563	563	read_lnk_files_pattern($1,{ unconfined_home_dir_t unconfined_home_t },unconfined_home_t)

branches/strict-targeted-merge-2266/policy/modules/system/unconfined.te

r2317	r2335
183	183
184	184	optional_policy(`
	185	spamassassin_per_role_template(unconfined,unconfined_t,unconfined_r)
	186	')
	187
	188	optional_policy(`
185	189	sysnet_run_dhcpc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
186	190	sysnet_dbus_chat_dhcpc(unconfined_t)

Download in other formats:

Unified Diff
Zip Disabled

* Generating other formats may take time.

r2295	r2335
3	3
4	4	gen_require(`
5		class dbus ~~{ send_msg acquire_svc }~~;
	5	class dbus all_dbus_perms;
6	6	')
7	7