Navigation

← Previous Changeset
Next Changeset →

Changeset 2690

Timestamp:

05/22/08 10:24:52 (7 months ago)

Author:

pebenito

Message:

trunk: another pile of misc fixes.

Files:

trunk/policy/modules/admin/apt.if (modified) (1 diff)
trunk/policy/modules/apps/gnome.if (modified) (1 diff)
trunk/policy/modules/apps/mplayer.if (modified) (2 diffs)
trunk/policy/modules/apps/rssh.if (modified) (1 diff)
trunk/policy/modules/kernel/filesystem.if (modified) (1 diff)
trunk/policy/modules/roles/sysadm.te (modified) (5 diffs)
trunk/policy/modules/services/aide.if (modified) (2 diffs)
trunk/policy/modules/services/amavis.if (modified) (2 diffs)
trunk/policy/modules/services/apcupsd.if (modified) (1 diff)
trunk/policy/modules/services/bluetooth.if (modified) (1 diff)
trunk/policy/modules/services/cups.te (modified) (1 diff)
trunk/policy/modules/services/cvs.te (modified) (1 diff)
trunk/policy/modules/services/mta.if (modified) (2 diffs)
trunk/policy/modules/services/sasl.if (modified) (1 diff)
trunk/policy/modules/services/smartmon.if (modified) (1 diff)
trunk/policy/modules/services/ssh.if (modified) (1 diff)
trunk/policy/modules/services/zabbix.if (modified) (1 diff)
trunk/policy/modules/system/userdomain.if (modified) (2 diffs)
trunk/policy/modules/system/xen.if (modified) (2 diffs)
trunk/policy/support/obj_perm_sets.spt (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

trunk/policy/modules/admin/apt.if

r2630	r2690
189	189	dontaudit $1 apt_var_lib_t:dir rw_dir_perms;
190	190	dontaudit $1 apt_var_lib_t:file manage_file_perms;
191		dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_perms;
	191	dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_file_perms;
192	192	')

trunk/policy/modules/apps/gnome.if

r2372	r2690
35	35	template(`gnome_per_role_template',`
36	36	gen_require(`
37		type gconfd_exec_t;
	37	type gconfd_exec_t, gconf_etc_t;
38	38	attribute gnomedomain;
39	39	')

trunk/policy/modules/apps/mplayer.if

r2665	r2690
76	76
77	77	# Allow the user domain to signal/ps.
78		ps_process_pattern($2,$1_mencoder_t~~,$1_mencoder_t~~)
	78	ps_process_pattern($2,$1_mencoder_t)
79	79	allow $2 $1_mencoder_t:process signal_perms;
80	80
…	…
236	236	files_tmp_filetrans($1_mencoder_t,$1_untrusted_content_tmp_t,dir)
237	237
238		userdom_manage_user_untrusted_content_files($1,$1_mencoder_t,file)
239		userdom_manage_user_untrusted_content_files($1,$1_mencoder_t,dir)
240
	238	userdom_manage_user_untrusted_content_dirs($1,$1_mencoder_t)
	239	userdom_manage_user_untrusted_content_files($1,$1_mencoder_t)
241	240	',`
242	241	files_dontaudit_list_home($1_mencoder_t)

trunk/policy/modules/apps/rssh.if

r2372	r2690
25	25	#
26	26	template(`rssh_per_role_template',`
	27	gen_require(`
	28	type rssh_exec_t;
	29	attribute rssh_domain_type;
	30	attribute rssh_ro_content_type;
	31	')
27	32
28	33	##############################

trunk/policy/modules/kernel/filesystem.if

r2683	r2690
474	474	interface(`fs_getattr_binfmt_misc_dirs',`
475	475	gen_require(`
476		type binfmt_misc_t;
477		')
478
479		allow $1 binfmt_misc_t:dir getattr;
	476	type binfmt_misc_fs_t;
	477	')
	478
	479	allow $1 binfmt_misc_fs_tt:dir getattr;
480	480
481	481	')

trunk/policy/modules/roles/sysadm.te

r2668	r2690
111	111
112	112	optional_policy(`
113		cron_admin_template(sysadm~~, sysadm_t, sysadm_r~~)
	113	cron_admin_template(sysadm)
114	114	')
115	115
…	…
142	142	optional_policy(`
143	143	ethereal_run_tethereal(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
144		ethereal_admin_template(sysadm~~, sysadm_t, sysadm_r~~)
	144	ethereal_admin_template(sysadm)
145	145	')
146	146
…	…
185	185	optional_policy(`
186	186	lpd_run_checkpc(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
187		lpr_admin_template(sysadm~~, sysadm_t, sysadm_r~~)
	187	lpr_admin_template(sysadm)
188	188	')
189	189
…	…
203	203
204	204	optional_policy(`
205		mta_admin_template(sysadm, sysadm_t~~, sysadm_r~~)
	205	mta_admin_template(sysadm, sysadm_t)
206	206	')
207	207
…	…
297	297
298	298	optional_policy(`
299		unconfined_domtrans(sysadm_t~~, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }~~)
	299	unconfined_domtrans(sysadm_t)
300	300	')
301	301

trunk/policy/modules/services/aide.if

r2612	r2690
61	61	## </summary>
62	62	## </param>
63		~~## <param name="role">~~
64		~~## <summary>~~
65		~~## The role to be allowed to manage the aide domain.~~
66		~~## </summary>~~
67		~~## </param>~~
68		~~## <param name="terminal">~~
69		~~## <summary>~~
70		~~## The type of the user terminal.~~
71		~~## </summary>~~
72		~~## </param>~~
73	63	## <rolecap/>
74	64	#
…	…
85	75
86	76	logging_list_logs($1)
87		manage_~~all~~_pattern($1, aide_log_t, aide_log_t)
	77	manage_files_pattern($1, aide_log_t, aide_log_t)
88	78	')

trunk/policy/modules/services/amavis.if

r2612	r2690
198	198	## </summary>
199	199	## </param>
200		~~## <param name="role">~~
201		~~## <summary>~~
202		~~## The role to be allowed to manage the amavis domain.~~
203		~~## </summary>~~
204		~~## </param>~~
205		~~## <param name="terminal">~~
206		~~## <summary>~~
207		~~## The type of the user terminal.~~
208		~~## </summary>~~
209		~~## </param>~~
210	200	## <rolecap/>
211	201	#
212	202	interface(`amavis_admin',`
213	203	gen_require(`
214		type amavis_t, amavis_tmp_t, amavis_log_t;
	204	type amavis_t, amavis_tmp_t, amavis_var_log_t;
215	205	type amavis_spool_t, amavis_var_lib_t, amavis_var_run_t;
216	206	type amavis_etc_t, amavis_quarantine_t;
…	…
229	219
230	220	logging_list_logs($1)
231		manage_files_pattern($1, amavis_~~log_t, amavis~~_log_t)
	221	manage_files_pattern($1, amavis_var_log_t, amavis_var_log_t)
232	222
233	223	files_list_spool($1)

trunk/policy/modules/services/apcupsd.if

r2409	r2690
73	73	interface(`apcupsd_append_log',`
74	74	gen_require(`
75		type ~~var_log_t,~~ apcupsd_log_t;
	75	type apcupsd_log_t;
76	76	')
77	77

trunk/policy/modules/services/bluetooth.if

r2655	r2690
37	37	attribute bluetooth_helper_domain;
38	38	type bluetooth_helper_exec_t;
	39	type bluetooth_t;
39	40	')
40	41

trunk/policy/modules/services/cups.te

r2668	r2690
256	256
257	257	optional_policy(`
258		inetd_core_service_domain(cupsd_t,~~cupsd_exec_t,cupsd~~_t)
	258	inetd_core_service_domain(cupsd_t, cupsd_exec_t)
259	259	')
260	260

trunk/policy/modules/services/cvs.te

r2553	r2690
43	43	manage_dirs_pattern(cvs_t,cvs_data_t,cvs_data_t)
44	44	manage_files_pattern(cvs_t,cvs_data_t,cvs_data_t)
45		manage_lnk_files_pattern(cvs_t,cvs_data_t,cvs_data_t~~,cvs_data_t~~)
	45	manage_lnk_files_pattern(cvs_t,cvs_data_t,cvs_data_t)
46	46
47	47	manage_dirs_pattern(cvs_t,cvs_tmp_t,cvs_tmp_t)

trunk/policy/modules/services/mta.if

r2683	r2690
173	173	attribute mta_user_agent;
174	174	attribute mailserver_delivery;
	175	type sendmail_exec_t;
175	176	')
176	177
…	…
333	334	## </summary>
334	335	## </param>
335		## <param name="entry_point">
336		## <summary>
337		## The type to be used for the domain entry point program.
338		## </summary>
339		## </param>
	336	#
340	337	interface(`mta_sendmail_mailserver',`
341	338	gen_require(`

trunk/policy/modules/services/sasl.if

r2683	r2690
34	34	interface(`sasl_admin',`
35	35	gen_require(`
36		type sasl_t;
37		type sasl_tmp_t;
38		type sasl_var_run_t;
	36	type saslauthd_t;
	37	type saslauthd_tmp_t;
	38	type saslauthd_var_run_t;
39	39	')
40	40
41		allow $1 sasl_t:process { ptrace signal_perms getattr };
42		ps_process_pattern($1, sasl_t)
	41	allow $1 saslauthd_t:process { ptrace signal_perms getattr };
	42	ps_process_pattern($1, saslauthd_t)
43	43
44	44	files_list_tmp($1)
45		manage_files_pattern($1, sasl~~_tmp_t, sasl~~_tmp_t)
	45	manage_files_pattern($1, saslauthd_tmp_t, saslauthd_tmp_t)
46	46
47	47	files_list_pids($1)
48		manage_files_pattern($1, sasl~~_var_run_t, sasl~~_var_run_t)
	48	manage_files_pattern($1, saslauthd_var_run_t, saslauthd_var_run_t)
49	49	')

trunk/policy/modules/services/smartmon.if

r2683	r2690
33	33	interface(`smartmon_admin',`
34	34	gen_require(`
35		type ~~smartmon_t, smartmon_tmp_t, smart~~mon_var_run_t;
	35	type fsdaemon_t, fsdaemon_tmp_t, fsdaemon_var_run_t;
36	36	')
37	37
38		allow $1 ~~smart~~mon_t:process { ptrace signal_perms getattr };
39		ps_process_pattern($1, ~~smart~~mon_t)
	38	allow $1 fsdaemon_t:process { ptrace signal_perms getattr };
	39	ps_process_pattern($1, fsdaemon_t)
40	40
41	41	files_list_tmp($1)
42		manage_files_pattern($1, ~~smartmon_tmp_t, smart~~mon_tmp_t)
	42	manage_files_pattern($1, fsdaemon_tmp_t, fsdaemon_tmp_t)
43	43
44	44	files_list_pids($1)
45		manage_files_pattern($1, ~~smartmon_var_run_t, smart~~mon_var_run_t)
	45	manage_files_pattern($1, fsdaemon_var_run_t, fsdaemon_var_run_t)
46	46	')

trunk/policy/modules/services/ssh.if

r2655	r2690
203	203	template(`ssh_per_role_template',`
204	204	gen_require(`
205		type ssh_agent_exec_t, ssh_keysign_exec_t;
	205	type ssh_agent_exec_t, ssh_keysign_exec_t, sshd_t, sshd_key_t;
206	206	')
207	207

trunk/policy/modules/services/zabbix.if

r2683	r2690
52	52	interface(`zabbix_append_log',`
53	53	gen_require(`
54		type ~~var_log_t,~~ zabbix_log_t;
	54	type zabbix_log_t;
55	55	')
56	56

trunk/policy/modules/system/userdomain.if

r2683	r2690
1403	1403	## </summary>
1404	1404	## </param>
1405		~~## <param name="object_class">~~
1406		~~## <summary>~~
1407		~~## The terminal~~
1408		~~## </summary>~~
1409		~~## </param>~~
1410	1405	#
1411	1406	template(`userdom_security_admin_template',`
…	…
3277	3272	########################################
3278	3273	## <summary>
	3274	## Create, read, write, and delete users untrusted directories.
	3275	## </summary>
	3276	## <desc>
	3277	## <p>
	3278	## Create, read, write, and delete users untrusted directories.
	3279	## </p>
	3280	## <p>
	3281	## This is a templated interface, and should only
	3282	## be called from a per-userdomain template.
	3283	## </p>
	3284	## </desc>
	3285	## <param name="userdomain_prefix">
	3286	## <summary>
	3287	## The prefix of the user domain (e.g., user
	3288	## is the prefix for user_t).
	3289	## </summary>
	3290	## </param>
	3291	## <param name="domain">
	3292	## <summary>
	3293	## Domain allowed access.
	3294	## </summary>
	3295	## </param>
	3296	#
	3297	template(`userdom_manage_user_untrusted_content_dirs',`
	3298	gen_require(`
	3299	type $1_untrusted_content_t;
	3300	')
	3301
	3302	allow $2 $1_untrusted_content_t:dir manage_dir_perms;
	3303	')
	3304
	3305	########################################
	3306	## <summary>
3279	3307	## Read user untrusted files.
3280	3308	## </summary>

trunk/policy/modules/system/xen.if

r2346	r2690
88	88	interface(`xen_append_log',`
89	89	gen_require(`
90		type ~~var_log_t,~~ xend_var_log_t;
	90	type xend_var_log_t;
91	91	')
92	92
…	…
109	109	interface(`xen_manage_log',`
110	110	gen_require(`
111		type ~~var_log_t,~~ xend_var_log_t;
	111	type xend_var_log_t;
112	112	')
113	113

trunk/policy/support/obj_perm_sets.spt

r2593	r2690
224	224	define(`setattr_lnk_file_perms',`{ setattr }')
225	225	define(`read_lnk_file_perms',`{ getattr read }')
226		define(`write_lnk_file_perms',`{ getattr write lock ioctl }')
	226	define(`append_lnk_file_perms',`{ getattr append lock ioctl }')
	227	define(`write_lnk_file_perms',`{ getattr append write lock ioctl }')
227	228	define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
228	229	define(`create_lnk_file_perms',`{ create getattr }')

Download in other formats:

Unified Diff
Zip Disabled

* Generating other formats may take time.