From b96b2004d8bf29f9641cd9dca0d2356a0a8fa314 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Fri, 28 Oct 2011 16:28:58 -0400
Subject: [PATCH] Move named file trans rules from unconfined_t to all unconfined_domains
---
 policy/modules/kernel/domain.te | 83 ++++++++++++++++++++++++--
 policy/modules/roles/unconfineduser.te | 57 ------------------
 2 files changed, 78 insertions(+), 62 deletions(-)
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index b949cfbc..4b732cda 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -144,11 +144,9 @@ optional_policy(`
 	afs_rw_cache(domain)
 ')
-optional_policy(`
-	libs_use_ld_so(domain)
-	libs_use_shared_libs(domain)
-	libs_read_lib_files(domain)
-')
+libs_use_ld_so(domain)
+libs_use_shared_libs(domain)
+libs_read_lib_files(domain)
 optional_policy(`
 	setrans_translate_context(domain)
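Review bot: The three `libs_*` calls for `domain` lose their `optional_policy` wrapper in this hunk, which has nothing to do with the named-file-transition move the subject describes and turns the libraries module into an unconditional requirement of kernel/domain.te; if that module is always part of the base policy the change is harmless, but it belongs in its own commit or at least in the commit message. A comment would also make the intent visible to the next reader, e.g. `# every domain needs ld.so and shared libraries; deliberately not wrapped in optional_policy (libraries module assumed to be in base)`.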
@@ -195,9 +193,84 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
 # act on all domains keys
 allow unconfined_domain_type domain:key *;
+dev_filetrans_all_named_dev(unconfined_domain_type)
+
 # receive from all domains over labeled networking
 domain_all_recvfrom_all_domains(unconfined_domain_type)
+storage_filetrans_all_named_dev(unconfined_domain_type)
+
+term_filetrans_all_named_dev(unconfined_domain_type)
+
+authlogin_filetrans_named_content(unconfined_domain_type)
+
+lib_filetrans_named_content(unconfined_domain_type)
+
+miscfiles_filetrans_named_content(unconfined_domain_type)
+
+modules_filetrans_named_content(unconfined_domain_type)
+
+sysnet_filetrans_named_content(unconfined_domain_type)
+
+userdom_user_home_dir_filetrans_user_home_content(unconfined_domain_type, { dir file lnk_file fifo_file sock_file })
+
+optional_policy(`
+	alsa_filetrans_named_content(unconfined_domain_type)
+')
+
+optional_policy(`
+	apache_filetrans_home_content(unconfined_domain_type)
+')
+
+optional_policy(`
+	bootloader_filetrans_config(unconfined_domain_type)
+')
+
+optional_policy(`
+	gnome_filetrans_admin_home_content(unconfined_domain_type)
+')
+
+optional_policy(`
+	devicekit_filetrans_named_content(unconfined_domain_type)
+')
+
+optional_policy(`
+	dnsmasq_filetrans_named_content(unconfined_domain_type)
+')
+
+optional_policy(`
+	kerberos_filetrans_named_content(unconfined_domain_type)
+')
+
+optional_policy(`
+	mta_filetrans_named_content(unconfined_domain_type)
+')
+
+optional_policy(`
+	networkmanager_filetrans_named_content(unconfined_domain_type)
+')
+
+optional_policy(`
+	nx_filetrans_named_content(unconfined_domain_type)
+')
+
+optional_policy(`
+	pulseaudio_filetrans_home_content(unconfined_domain_type)
+	pulseaudio_filetrans_admin_home_content(unconfined_domain_type)
+')
+
+optional_policy(`
+	quota_filetrans_named_content(unconfined_domain_type)
+')
+
+optional_policy(`
+	virt_filetrans_home_content(unconfined_domain_type)
+')
+optional_policy(`
+	ssh_filetrans_admin_home_content(unconfined_domain_type)
+')
 selinux_getattr_fs(domain)
 selinux_search_fs(domain)
 selinux_dontaudit_read_fs(domain)
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
index b1e60db8..4163dc52 100644
--- a/policy/modules/roles/unconfineduser.te
+++ b/policy/modules/roles/unconfineduser.te
@@ -81,20 +81,6 @@ files_create_boot_flag(unconfined_t)
 files_create_default_dir(unconfined_t)
 files_root_filetrans_default(unconfined_t, dir)
-dev_filetrans_all_named_dev(unconfined_t)
-storage_filetrans_all_named_dev(unconfined_t)
-term_filetrans_all_named_dev(unconfined_t)
-
-authlogin_filetrans_named_content(unconfined_t)
-
-miscfiles_filetrans_named_content(unconfined_t)
-
-sysnet_filetrans_named_content(unconfined_t)
-
-optional_policy(`
-	ssh_filetrans_admin_home_content(unconfined_t)
-')
-
 mcs_killall(unconfined_t)
 mcs_ptrace_all(unconfined_t)
 mls_file_write_all_levels(unconfined_t)
@@ -103,8 +89,6 @@ init_run_daemon(unconfined_t, unconfined_r)
 init_domtrans_script(unconfined_t)
 init_telinit(unconfined_t)
-lib_filetrans_named_content(unconfined_t)
-
 logging_send_syslog_msg(unconfined_t)
 logging_run_auditctl(unconfined_t, unconfined_r)
@@ -117,8 +101,6 @@ seutil_run_semanage(unconfined_t, unconfined_r)
 unconfined_domain_noaudit(unconfined_t)
-userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
-
 usermanage_run_passwd(unconfined_t, unconfined_r)
 usermanage_run_chfn(unconfined_t, unconfined_r)
@@ -171,7 +153,6 @@ optional_policy(`
 	devicekit_dbus_chat(unconfined_usertype)
 	devicekit_dbus_chat_disk(unconfined_usertype)
 	devicekit_dbus_chat_power(unconfined_usertype)
-	devicekit_filetrans_named_content(unconfined_usertype)
 ')
 optional_policy(`
@@ -180,7 +161,6 @@ optional_policy(`
 optional_policy(`
 	networkmanager_dbus_chat(unconfined_usertype)
-	networkmanager_filetrans_named_content(unconfined_usertype)
 ')
 optional_policy(`
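Review bot: Every call in this hunk targets the `unconfined_domain_type` attribute instead of `unconfined_t`, so each domain carrying the attribute now receives these named type_transition rules; if any such domain already has its own transition for the same directory type, class and file name with a different target type, policy expansion should report a type_transition conflict rather than silently pick one, so a full policy build against the real module set is worth doing before merging. The rules dropped in unconfineduser.te were partly attached to `unconfined_usertype` (devicekit, networkmanager, gnome, pulseaudio); unless every domain with `unconfined_usertype` also carries `unconfined_domain_type`, those domains quietly lose the transitions. The unwrapped calls (authlogin, lib, miscfiles, modules, sysnet, userdom) also make those modules hard requirements of the kernel-layer domain.te while the service-layer ones are wrapped in `optional_policy`; a comment above `dev_filetrans_all_named_dev` should record both the purpose and that dependency, e.g. `# named file transitions for every unconfined domain, so files they create get the labels unconfined_t would give them; the unwrapped calls below require their modules in the base policy`.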
@@ -224,23 +204,14 @@ optional_policy(`
 	accountsd_dbus_chat(unconfined_t)
 ')
-optional_policy(`
-	alsa_filetrans_named_content(unconfined_t)
-')
-
 optional_policy(`
 	apache_run_helper(unconfined_t, unconfined_r)
-	apache_filetrans_home_content(unconfined_t)
 ')
 optional_policy(`
 	bind_run_ndc(unconfined_t, unconfined_r)
 ')
-optional_policy(`
-	bootloader_filetrans_config(unconfined_t)
-')
-
 optional_policy(`
 	chrome_role_notrans(unconfined_r, unconfined_usertype)
@@ -285,7 +256,6 @@ optional_policy(`
 optional_policy(`
 	gnomeclock_dbus_chat(unconfined_usertype)
 	gnome_dbus_chat_gconfdefault(unconfined_usertype)
-	gnome_filetrans_admin_home_content(unconfined_usertype)
 	gnome_command_domtrans_gkeyringd(unconfined_dbusd_t,unconfined_t)
 ')
@@ -314,10 +284,6 @@ optional_policy(`
 	firewallgui_dbus_chat(unconfined_usertype)
 ')
-optional_policy(`
-	dnsmasq_filetrans_named_content(unconfined_t)
-')
-
 optional_policy(`
 	firstboot_run(unconfined_t, unconfined_r)
 ')
@@ -334,10 +300,6 @@ optional_policy(`
 	java_run_unconfined(unconfined_t, unconfined_r)
 ')
-optional_policy(`
-	kerberos_filetrans_named_content(unconfined_t)
-')
-
 optional_policy(`
 	livecd_run(unconfined_t, unconfined_r)
 ')
@@ -352,7 +314,6 @@ optional_policy(`
 optional_policy(`
 	modutils_run_update_mods(unconfined_t, unconfined_r)
-	modules_filetrans_named_content(unconfined_t)
 ')
 optional_policy(`
@@ -370,18 +331,10 @@ optional_policy(`
 	')
 ')
-optional_policy(`
-	mta_filetrans_named_content(unconfined_t)
-')
-
 optional_policy(`
 	ncftool_run(unconfined_t, unconfined_r)
 ')
-optional_policy(`
-	nx_filetrans_named_content(unconfined_t)
-')
-
 optional_policy(`
 	oddjob_run_mkhomedir(unconfined_t, unconfined_r)
 ')
@@ -394,15 +347,6 @@ optional_policy(`
 	portmap_run_helper(unconfined_t, unconfined_r)
 ')
-optional_policy(`
-	pulseaudio_filetrans_admin_home_content(unconfined_usertype)
-	pulseaudio_filetrans_home_content(unconfined_usertype)
-')
-
-optional_policy(`
-	quota_filetrans_named_content(unconfined_t)
-')
-
 optional_policy(`
 	rpm_run(unconfined_t, unconfined_r)
 	# Allow SELinux aware applications to request rpm_script execution
@@ -432,7 +376,6 @@ optional_policy(`
 optional_policy(`
 	virt_transition_svirt(unconfined_t, unconfined_r)
-	virt_filetrans_home_content(unconfined_t)
 ')
 optional_policy(`
-- 
2.47.3