Navigation

← Previous Changeset
Next Changeset →

Changeset 2770

Timestamp:

07/31/08 09:05:46 (4 months ago)

Author:

cpebenito

Message:

trunk: Policy size optimization with a non-security file attribute from James Carter.

Files:

trunk/Changelog (modified) (1 diff)
trunk/policy/modules/kernel/files.if (modified) (14 diffs)
trunk/policy/modules/kernel/files.te (modified) (2 diffs)
trunk/policy/modules/system/logging.te (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

trunk/Changelog

r2765	r2770
	1	- Policy size optimization with a non-security file attribute from James
	2	Carter.
1	3	- Database labeled networking update from KaiGai Kohei.
2	4	- Several misc changes from the Fedora policy, cherry picked by David

trunk/policy/modules/kernel/files.if

r2763	r2770
33	33	interface(`files_type',`
34	34	gen_require(`
35		attribute file_type;
36		')
37
38		typeattribute $1 file_type;
	35	attribute file_type, non_security_file_type;
	36	')
	37
	38	typeattribute $1 file_type, non_security_file_type;
39	39	')
40	40
…	…
218	218	interface(`files_security_file',`
219	219	gen_require(`
220		attribute security_file_type;
221		')
222
223		files_type($1)
224		typeattribute $1 security_file_type;
	220	attribute file_type, security_file_type;
	221	')
	222
	223	typeattribute $1 file_type, security_file_type;
	224	')
	225
	226	########################################
	227	## <summary>
	228	## Make the specified type usable for
	229	## security file filesystem mount points.
	230	## </summary>
	231	## <param name="type">
	232	## <summary>
	233	## Type to be used for mount points.
	234	## </summary>
	235	## </param>
	236	#
	237	interface(`files_security_mountpoint',`
	238	gen_require(`
	239	attribute mountpoint;
	240	')
	241
	242	files_security_file($1)
	243	typeattribute $1 mountpoint;
225	244	')
226	245
…	…
317	336	interface(`files_list_non_security',`
318	337	gen_require(`
319		attribute ~~file_type,~~ security_file_type;
320		')
321
322		list_dirs_pattern($1, ~~{ file_type -security_file_type }, { file_type -security_file_type }~~)
	338	attribute non_security_file_type;
	339	')
	340
	341	list_dirs_pattern($1, non_security_file_type, non_security_file_type)
323	342	')
324	343
…	…
336	355	interface(`files_dontaudit_list_non_security',`
337	356	gen_require(`
338		attribute ~~file_type,~~ security_file_type;
339		')
340
341		dontaudit $1 ~~{ file_type -security_file_type }~~:dir list_dir_perms;
	357	attribute non_security_file_type;
	358	')
	359
	360	dontaudit $1 non_security_file_type:dir list_dir_perms;
342	361	')
343	362
…	…
355	374	interface(`files_mounton_non_security',`
356	375	gen_require(`
357		attribute ~~file_type,~~ security_file_type;
358		')
359
360		allow $1 ~~{ file_type -security_file_type }~~:dir mounton;
361		allow $1 ~~{ file_type -security_file_type }~~:file mounton;
	376	attribute non_security_file_type;
	377	')
	378
	379	allow $1 non_security_file_type:dir mounton;
	380	allow $1 non_security_file_type:file mounton;
362	381	')
363	382
…	…
374	393	interface(`files_write_non_security_dirs',`
375	394	gen_require(`
376		attribute file_type, security_file_type;
377		')
378
379		allow $1 { file_type -security_file_type }:dir write;
	395	attribute non_security_file_type;
	396	')
	397
	398	allow $1 non_security_file_type:dir write;
	399	')
	400
	401	########################################
	402	## <summary>
	403	## Allow attempts to manage non-security directories
	404	## </summary>
	405	## <param name="domain">
	406	## <summary>
	407	## Domain to allow
	408	## </summary>
	409	## </param>
	410	#
	411	interface(`files_manage_non_security_dirs',`
	412	gen_require(`
	413	attribute non_security_file_type;
	414	')
	415
	416	allow $1 non_security_file_type:dir manage_dir_perms;
380	417	')
381	418
…	…
431	468	interface(`files_dontaudit_getattr_non_security_files',`
432	469	gen_require(`
433		attribute ~~file_type,~~ security_file_type;
434		')
435
436		dontaudit $1 ~~{ file_type -security_file_type }~~:file getattr;
	470	attribute non_security_file_type;
	471	')
	472
	473	dontaudit $1 non_security_file_type:file getattr;
437	474	')
438	475
…	…
499	536	interface(`files_read_non_security_files',`
500	537	gen_require(`
501		attribute ~~file_type,~~ security_file_type;
502		')
503
504		read_files_pattern($1, ~~{ file_type -security_file_type }, { file_type -security_file_type }~~)
505		read_lnk_files_pattern($1, ~~{ file_type -security_file_type }, { file_type -security_file_type }~~)
	538	attribute non_security_file_type;
	539	')
	540
	541	read_files_pattern($1, non_security_file_type, non_security_file_type)
	542	read_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
506	543	')
507	544
…	…
649	686	interface(`files_dontaudit_getattr_non_security_symlinks',`
650	687	gen_require(`
651		attribute ~~file_type,~~ security_file_type;
652		')
653
654		dontaudit $1 ~~{ file_type -security_file_type }~~:lnk_file getattr;
	688	attribute non_security_file_type;
	689	')
	690
	691	dontaudit $1 non_security_file_type:lnk_file getattr;
655	692	')
656	693
…	…
668	705	interface(`files_dontaudit_getattr_non_security_blk_files',`
669	706	gen_require(`
670		attribute ~~file_type,~~ security_file_type;
671		')
672
673		dontaudit $1 ~~{ file_type -security_file_type }~~:blk_file getattr;
	707	attribute non_security_file_type;
	708	')
	709
	710	dontaudit $1 non_security_file_type:blk_file getattr;
674	711	')
675	712
…	…
687	724	interface(`files_dontaudit_getattr_non_security_chr_files',`
688	725	gen_require(`
689		attribute ~~file_type,~~ security_file_type;
690		')
691
692		dontaudit $1 ~~{ file_type -security_file_type }~~:chr_file getattr;
	726	attribute non_security_file_type;
	727	')
	728
	729	dontaudit $1 non_security_file_type:chr_file getattr;
693	730	')
694	731
…	…
764	801	interface(`files_dontaudit_getattr_non_security_pipes',`
765	802	gen_require(`
766		attribute ~~file_type,~~ security_file_type;
767		')
768
769		dontaudit $1 ~~{ file_type -security_file_type }~~:fifo_file getattr;
	803	attribute non_security_file_type;
	804	')
	805
	806	dontaudit $1 non_security_file_type:fifo_file getattr;
770	807	')
771	808
…	…
821	858	interface(`files_dontaudit_getattr_non_security_sockets',`
822	859	gen_require(`
823		attribute ~~file_type,~~ security_file_type;
824		')
825
826		dontaudit $1 ~~{ file_type -security_file_type }~~:sock_file getattr;
	860	attribute non_security_file_type;
	861	')
	862
	863	dontaudit $1 non_security_file_type:sock_file getattr;
827	864	')
828	865
…	…
4751	4788	typeattribute $1 files_unconfined_type;
4752	4789	')
4753
4754		~~########################################~~
4755		~~## <summary>~~
4756		~~## Allow attempts to monage any directory~~
4757		~~## </summary>~~
4758		~~## <param name="domain">~~
4759		~~## <summary>~~
4760		~~## Domain to allow~~
4761		~~## </summary>~~
4762		~~## </param>~~
4763		#
4764		~~interface(`files_manage_non_security_dirs',`~~
4765		~~gen_require(`~~
4766		~~attribute file_type, security_file_type;~~
4767		')
4768
4769		~~allow $1 { file_type -security_file_type }:dir manage_dir_perms;~~
4770		')

trunk/policy/modules/kernel/files.te

r2763	r2770
1	1
2		policy_module(files, 1.9.0)
	2	policy_module(files, 1.9.1)
3	3
4	4	########################################
…	…
27	27	# not be dontaudited for uses
28	28	attribute security_file_type;
	29	# and its opposite
	30	attribute non_security_file_type;
29	31
30	32	attribute tmpfile;

trunk/policy/modules/system/logging.te

r2742	r2770
1	1
2		policy_module(logging, 1.11.0)
	2	policy_module(logging, 1.11.1)
3	3
4	4	########################################
…	…
19	19	type auditd_log_t;
20	20	files_security_file(auditd_log_t)
21		files_mountpoint(auditd_log_t)
	21	files_security_mountpoint(auditd_log_t)
22	22
23	23	type auditd_t;

Download in other formats:

Unified Diff
Zip Disabled

* Generating other formats may take time.