reverse
authorChris PeBenito <cpebenito@tresys.com>
Thu, 16 Feb 2006 16:45:03 +0000 (16:45 +0000)
committerChris PeBenito <cpebenito@tresys.com>
Thu, 16 Feb 2006 16:45:03 +0000 (16:45 +0000)
20 files changed:
refpolicy/Makefile
refpolicy/Rules.monolithic
refpolicy/policy/mcs
refpolicy/policy/modules/kernel/devices.if
refpolicy/policy/modules/kernel/mcs.fc
refpolicy/policy/modules/kernel/mcs.if
refpolicy/policy/modules/kernel/mcs.te
refpolicy/policy/modules/kernel/mls.te
refpolicy/policy/modules/services/bluetooth.te
refpolicy/policy/modules/services/hal.te
refpolicy/policy/modules/services/mta.te
refpolicy/policy/modules/services/networkmanager.te
refpolicy/policy/modules/services/postfix.te
refpolicy/policy/modules/system/init.fc
refpolicy/policy/modules/system/init.te
refpolicy/policy/modules/system/libraries.if
refpolicy/policy/modules/system/selinuxutil.fc
refpolicy/policy/modules/system/selinuxutil.if
refpolicy/policy/modules/system/unconfined.if
refpolicy/policy/modules/system/userdomain.te

index e101e2af8d3c904a3ebe8e2ffaf38e1c8a777a34..d8f10119832f423c84a21483040fa5e677184c36 100644 (file)
@@ -284,10 +284,6 @@ else
        include $(ROOT)/Rules.modular
 endif
 
-test:
-       # $(MODDIR)
-       # $(ALL_LAYERS)
-
 ########################################
 #
 # Generated files
index d324c0bd1c69954ad7cd377c173e6201e9452e18..b383186d615ccf3c34fd220e4de89a79a49beb6e 100644 (file)
@@ -105,7 +105,7 @@ $(TMPDIR)/pre_te_files.conf: $(PRE_TE_FILES)
        @test -d $(TMPDIR) || mkdir -p $(TMPDIR)
        $(verbose) cat $^ > $@
 
-$(TMPDIR)/generated_definitions.conf: $(ALL_TE_FILES)
+$(TMPDIR)/generated_definitions.conf: $(ALL_LAYERS) $(ALL_TE_FILES)
 # per-userdomain templates:
        @test -d $(TMPDIR) || mkdir -p $(TMPDIR)
        $(verbose) echo "define(\`base_per_userdomain_template',\`" > $@
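Review bot: `$(ALL_LAYERS)` is added to the prerequisites of `$(TMPDIR)/generated_definitions.conf` without a comment on why; if it expands to the module layer directories (the removed Makefile `test` target printed it beside `$(MODDIR)`, which suggests so), a layer directory's mtime changes only when a file is added or removed in it, so this dependency regenerates the file on module add/remove while edits to existing files are already covered by `$(ALL_TE_FILES)`. That looks intentional for a file assembled from per-module templates, but a one-line comment such as `# layer dirs are prerequisites so adding or removing a module regenerates the templates` would spare the next reader the check. Separately, `@test -d $(TMPDIR) || mkdir -p $(TMPDIR)` is redundant with `mkdir -p`, which is already idempotent, and both rules in this hunk could share `$(TMPDIR)` as an order-only prerequisite (`| $(TMPDIR)`) instead. The recipe continues past the hunk.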
index 9a39f467082e8fcef695aa8b5488cefc85b87754..ce5ad18c66704493adc80635cbfb57572695a292 100644 (file)
@@ -137,24 +137,15 @@ level s0:c0.c255;
 # Only files are constrained by MCS at this stage.
 #
 mlsconstrain file { write setattr append unlink link rename
-                   ioctl lock execute relabelfrom } (h1 dom h2);
-
-mlsconstrain file { create relabelto } ((h1 dom h2) and (l2 eq h2));
+                   create ioctl lock execute } (h1 dom h2);
 
 mlsconstrain file { read } ((h1 dom h2) or 
                            ( t1 == mlsfileread ));
 
 
 # new file labels must be dominated by the relabeling subject clearance
-mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
+mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom relabelto }
        ( h1 dom h2 );
-mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
-       (( h1 dom h2 ) and ( l2 eq h2 ));
-
-mlsconstrain process { ptrace } ( h1 dom h2 );
-
-mlsconstrain process { sigkill sigstop } ( h1 dom h2 ) or
-               ( t1 == mcskillall );
 
 define(`nogetattr_file_perms', `{ create ioctl read lock write setattr append 
 link unlink rename relabelfrom relabelto }')
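Review bot: The comment `# new file labels must be dominated by the relabeling subject clearance` no longer describes the constraint below it, which on the new side covers `relabelfrom` (the object's current label) as well as `relabelto`, and now includes `file`, so both the old and the new label must be dominated by the subject's clearance. Suggest `# relabeling: the object's current label and its new label must both be dominated by the subject clearance`. Note also that `create` stays constrained for `file` in the first rule but is no longer constrained for the other classes in the second; that is consistent with the `# Only files are constrained by MCS at this stage.` header, but saying so in the comment would be better than leaving the asymmetry implicit.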
index bf599403fd2ac80184177416cb6dbc525d069348..01e855112eb3c7de8dcf4465b9a9aa728be2fc31 100644 (file)
@@ -2656,22 +2656,3 @@ interface(`dev_unconfined',`
        typeattribute $1 memory_raw_write, memory_raw_read;
 ')
 
-
-########################################
-## <summary>
-##     Read and write the USB device.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`dev_rw_usb',`
-       gen_require(`
-               type usb_device_t;
-       ')
-
-       allow $1 device_t:dir r_dir_perms;
-       allow $1 usb_device_t:chr_file { read write };
-')
index fa8a4b15ff67e14dd40e3a505e9265086137daa0..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 100644 (file)
@@ -1 +0,0 @@
-# no MCS file contexts
index 1ceab9f71932a9da0d25f3b9258173b4bae2fe98..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 100644 (file)
@@ -1,23 +0,0 @@
-## <summary>Multicategory security policy</summary>
-## <required val="true">
-##     Contains attributes used in MCS policy.
-## </required>
-
-########################################
-## <summary>
-##     This domain is allowed to sigkill and sigstop 
-##     all domains regardless of their MCS level.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain target for user exemption.
-##     </summary>
-## </param>
-#
-interface(`mcs_killall',`
-       gen_require(`
-               attribute mcskillall;
-       ')
-
-       typeattribute $1 mcskillall;
-')
index 260d95035bc39fc45eb77703e61401afc6240cac..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 100644 (file)
@@ -1,47 +0,0 @@
-
-policy_module(mcs,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-attribute mcskillall;
-
-########################################
-#
-# THIS IS A HACK
-#
-# Only the base module can have range_transitions, so we
-# temporarily have to break encapsulation to work around this.
-#
-
-type auditd_exec_t;
-type crond_exec_t;
-type cupsd_exec_t;
-type getty_t;
-type init_t;
-type init_exec_t;
-type initrc_t;
-type initrc_exec_t;
-type login_exec_t;
-type sshd_exec_t;
-type su_exec_t;
-type udev_exec_t;
-type unconfined_t;
-type xdm_exec_t;
-
-ifdef(`enable_mcs',`
-range_transition getty_t login_exec_t s0 - s0:c0.c255;
-range_transition init_t xdm_exec_t s0 - s0:c0.c255;
-range_transition initrc_t crond_exec_t s0 - s0:c0.c255;
-range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
-range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
-range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
-range_transition initrc_t xdm_exec_t s0 - s0:c0.c255;
-range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
-
-# these might be targeted_policy only
-range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
-range_transition unconfined_t initrc_exec_t s0;
-')
index 765b0651bc3abe52265bc5ebba9bb0ccf2a01222..0b66165be7643dce63f8aa9965ac3015d40ccaac 100644 (file)
@@ -53,10 +53,38 @@ attribute mlsrangetrans;
 #
 # Only the base module can have range_transitions, so we
 # temporarily have to break encapsulation to work around this.
-# Other types are declared in the mcs module.
 #
 
+type auditd_exec_t;
+type crond_exec_t;
+type cupsd_exec_t;
+type getty_t;
+type init_t;
+type init_exec_t;
+type initrc_t;
+type initrc_exec_t;
+type login_exec_t;
 type lvm_exec_t;
+type sshd_exec_t;
+type su_exec_t;
+type udev_exec_t;
+type unconfined_t;
+type xdm_exec_t;
+
+ifdef(`enable_mcs',`
+range_transition getty_t login_exec_t s0 - s0:c0.c255;
+range_transition init_t xdm_exec_t s0 - s0:c0.c255;
+range_transition initrc_t crond_exec_t s0 - s0:c0.c255;
+range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
+range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
+range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
+range_transition initrc_t xdm_exec_t s0 - s0:c0.c255;
+range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
+
+# these might be targeted_policy only
+range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
+range_transition unconfined_t initrc_exec_t s0;
+')
 
 ifdef(`enable_mls',`
 range_transition initrc_t auditd_exec_t s15:c0.c255;
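Review bot: `range_transition kernel_t udev_exec_t s0 - s0:c0.c255;` uses kernel_t, which is not among the types the block above redeclares; if those redeclarations exist because this base file cannot otherwise reference types owned by other modules, kernel_t needs the same treatment unless it is already declared earlier in this file (not visible in the hunk). The comment `# these might be targeted_policy only` records doubt rather than a decision; either gate the two unconfined_t transitions on targeted_policy the way the surrounding code gates on enable_mcs, or restate the comment as the reason they apply unconditionally. The enable_mls block that opens at the end of the hunk continues outside it.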
index 143dd7e0ffb7080a308318d201a8d07a70d0c94e..b8305fd8accc3d9e4be2d2d1ec6052568c5519a6 100644 (file)
@@ -101,7 +101,6 @@ corenet_udp_bind_all_nodes(bluetooth_t)
 
 dev_read_sysfs(bluetooth_t)
 dev_rw_usbfs(bluetooth_t)
-dev_rw_usb(bluetooth_t)
 dev_read_urand(bluetooth_t)
 
 fs_getattr_all_fs(bluetooth_t)
index 62131f9d90ffb7313c4e6ac6cde1f035ad448baf..8e85e00a1ef95853921af2b3edee83a4c94bf255 100644 (file)
@@ -97,8 +97,6 @@ fs_search_auto_mountpoints(hald_t)
 
 mls_file_read_up(hald_t)
 
-modutils_domtrans_insmod(hald_t)
-
 selinux_get_fs_mount(hald_t)
 selinux_validate_context(hald_t)
 selinux_compute_access_vector(hald_t)
@@ -130,7 +128,6 @@ libs_exec_ld_so(hald_t)
 libs_exec_lib_files(hald_t)
 
 logging_send_syslog_msg(hald_t)
-logging_search_logs(hald_t)
 
 miscfiles_read_localization(hald_t)
 miscfiles_read_hwdata(hald_t)
index 5cae9f4cfc55be6cba79b20384d7b3c2648ec764..91c90a8dc3e31ab57d29b61cd032c96b0f2e11bb 100644 (file)
@@ -44,9 +44,6 @@ role system_r types system_mail_t;
 # System mail local policy
 #
 
-# newalias required this, not sure if it is needed in 'if' file
-allow system_mail_t self:capability { dac_override };
-
 allow system_mail_t etc_mail_t:dir { getattr search };
 allow system_mail_t etc_mail_t:file r_file_perms;
 
index 8cafe537a9fe2b7eb41c1ce5da772e80ab048721..d2576449af2e265ce0f1ad0f8a1c4bb45e2f8712 100644 (file)
@@ -22,7 +22,7 @@ allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_overrid
 dontaudit NetworkManager_t self:capability sys_tty_config;
 allow NetworkManager_t self:process { setcap getsched signal_perms };
 allow NetworkManager_t self:fifo_file rw_file_perms;
-allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
+allow NetworkManager_t self:unix_dgram_socket create_socket_perms;
 allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
 allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
 allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
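Review bot: `allow NetworkManager_t self:unix_dgram_socket create_socket_perms;` drops `sendto`, so if `create_socket_perms` does not include it (its definition is not on this page), datagram sends from NetworkManager_t to its own unix sockets will now be denied and surface as AVC messages. If that is the intended effect of the revert, a short comment next to the rule saying so would keep a later reader from re-adding the permission on the first denial.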
index 37d09ee593950db1ed2f8aef17cf3b8493ed3bbe..f54a670e18c58da360a3265f31a72320ad40577d 100644 (file)
@@ -273,8 +273,6 @@ allow postfix_local_t postfix_spool_t:file rw_file_perms;
 corecmd_exec_shell(postfix_local_t)
 corecmd_exec_bin(postfix_local_t)
 
-files_read_etc_files(postfix_local_t)
-
 mta_read_aliases(postfix_local_t)
 mta_delete_spool(postfix_local_t)
 # For reading spamassasin
@@ -397,8 +395,6 @@ allow postfix_pipe_t self:fifo_file { read write };
 allow postfix_pipe_t postfix_private_t:dir search;
 allow postfix_pipe_t postfix_private_t:sock_file write;
 
-allow postfix_pipe_t postfix_public_t:fifo_file { getattr write };
-
 allow postfix_pipe_t postfix_spool_t:dir search;
 allow postfix_pipe_t postfix_spool_t:file rw_file_perms;
 
index 4515bbbae1ca47c317aa7e6e220f3cff38361153..8a11fb66096f24995b7b9e2457df24873dc0b535 100644 (file)
@@ -22,8 +22,7 @@ ifdef(`targeted_policy', `', `
 #
 # /sbin
 #
-/sbin/init(ng)?                --      gen_context(system_u:object_r:init_exec_t,s0)
-
+/sbin/init             --      gen_context(system_u:object_r:init_exec_t,s0)
 
 ifdef(`distro_gentoo', `
 /sbin/rc                       --      gen_context(system_u:object_r:initrc_exec_t,s0)
index 6d00dd6431394873f7a7e96e65e926c5c6e42e88..2df80252b5349c145c9b8173a10788e6a55a2881 100644 (file)
@@ -155,8 +155,6 @@ libs_rw_ld_so_cache(init_t)
 logging_send_syslog_msg(init_t)
 logging_rw_generic_logs(init_t)
 
-mcs_killall(init_t)
-
 mls_file_read_up(init_t)
 mls_file_write_down(init_t)
 mls_rangetrans_target(init_t)
@@ -362,8 +360,6 @@ miscfiles_read_localization(initrc_t)
 # slapd needs to read cert files from its initscript
 miscfiles_read_certs(initrc_t)
 
-mcs_killall(initrc_t)
-
 mls_file_read_up(initrc_t)
 mls_file_write_down(initrc_t)
 mls_process_read_up(initrc_t)
index 3d646fe7d21663f9f59cf72b1b9b7e0fb41677c2..a53d3383fa8d81afd536d717a8bf28c1607cd0b4 100644 (file)
@@ -283,7 +283,6 @@ interface(`libs_manage_lib_files',`
 
        allow $1 lib_t:dir search_dir_perms;
        allow $1 lib_t:file manage_file_perms;
-       allow $1 lib_t:lnk_file unlink;
 ')
 
 ########################################
index dec2ff1b320d56a832dc04dc3645210e926b7d16..8364ca48ca12225dbc00538f39f81f58eb291e26 100644 (file)
@@ -10,7 +10,6 @@
 /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
 
 /etc/selinux/([^/]*/)?policy(/.*)?     gen_context(system_u:object_r:policy_config_t,s15:c0.c255)
-/etc/selinux/([^/]*/)?modules(/.*)?    gen_context(system_u:object_r:policy_config_t,s15:c0.c255)
 /etc/selinux/([^/]*/)?seusers  --      gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
 /etc/selinux/([^/]*/)?users(/.*)?      --      gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
 
@@ -40,5 +39,3 @@
 ifdef(`distro_debian', `
 /usr/share/selinux(/.*)?               gen_context(system_u:object_r:policy_src_t,s0)
 ')
-
-/usr/sbin/semodule             --      gen_context(system_u:object_r:semodule_exec_t,s0)
index 70792e9f08713ba4f82e035308c1532652bb3172..606c5112097e395163b54a8931a932c5835ad3ee 100644 (file)
@@ -585,28 +585,6 @@ interface(`seutil_read_file_contexts',`
        allow $1 file_context_t:lnk_file { getattr read };
 ')
 
-########################################
-## <summary>
-##     Read and write the file_contexts files.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`seutil_rw_file_contexts',`
-       gen_require(`
-               type selinux_config_t, file_context_t;
-       ')
-
-       files_search_etc($1)
-       allow $1 selinux_config_t:dir search;
-       allow $1 file_context_t:dir r_dir_perms;
-       allow $1 file_context_t:file rw_file_perms;
-       allow $1 file_context_t:lnk_file { getattr read };
-')
-
 ########################################
 #
 # seutil_read_bin_policy(domain)
@@ -705,3 +683,4 @@ interface(`seutil_manage_src_policy',`
        allow $1 policy_src_t:dir create_dir_perms;
        allow $1 policy_src_t:file create_file_perms;
 ')
+
index bc32cd790637a1645940863a65c0e9477c41fe5c..e63d8278b3fe4f690c1fdf1dedc2046c2c53a5b1 100644 (file)
@@ -55,11 +55,10 @@ interface(`unconfined_domain_noaudit',`
        tunable_policy(`allow_execmem && allow_execstack',`
                # Allow making the stack executable via mprotect.
                allow $1 self:process execstack;
-               auditallow $1 self:process execstack;
        ', `
                # These are fairly common but seem to be harmless
                # caused by using shared libraries built with old tool chains
-               #dontaudit $1 self:process execstack;
+               dontaudit $1 self:process execstack;
        ')
 
 
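Review bot: `dontaudit $1 self:process execstack;` in the else branch silences the only signal that a program in an unconfined domain requested an executable stack while `allow_execstack` is off, and the same hunk removes the `auditallow` that logged successful use when it is on, so after this change neither state is visible in the audit log. If that is the intent, the comment above it should say so explicitly, e.g. `# Denials are hidden on purpose: libraries built with old tool chains request execstack routinely; enable allow_execstack to permit it.`; otherwise consider leaving the denial auditable so the request is still detectable. The tunable_policy block is complete within the hunk, but interface unconfined_domain_noaudit continues outside it.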
index c2271525911626d2b11fa47a61ecdeec3412b43a..ac593ef242c51a47f27b9c8cea10189c252a0254 100644 (file)
@@ -165,13 +165,9 @@ ifdef(`targeted_policy',`
        ')
 
        ifdef(`enable_mls',`
-               corecmd_exec_shell(secadm_t)
-               mls_process_read_up(secadm_t)
-               mls_file_write_down(secadm_t)
-               mls_file_upgrade(secadm_t)
-               mls_file_downgrade(secadm_t)
                logging_read_audit_log(secadm_t)
                logging_domtrans_auditctl(secadm_t)
+               mls_process_read_up(secadm_t)
                userdom_dontaudit_append_staff_home_files(secadm_t)
        ', `
                logging_domtrans_auditctl(sysadm_t)
@@ -358,7 +354,6 @@ ifdef(`targeted_policy',`
                        seutil_run_checkpolicy(secadm_t,secadm_r,admin_terminal)
                        seutil_run_loadpolicy(secadm_t,secadm_r,admin_terminal)
                        seutil_run_setfiles(secadm_t,secadm_r,admin_terminal)
-                       seutil_run_restorecon(secadm_t,secadm_r,admin_terminal)
                ', `
                        selinux_set_enforce_mode(sysadm_t)
                        selinux_set_boolean(sysadm_t)