
patch: cleanup uses of notdevfile_class_set


This patch replaces uses of "allow ...:notdevfile_class_set r_file_perms;"
with r_dir_file(). This should normally cause no problems. user_t used to
have access to sock_file and fifo_file under /var and /var/spool; I
have removed this access. If there are any files where access is really
needed, they should probably get extra types.

Please apply.
Thomas

-- 
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA  D09E C562 2BAE B2F4 ABE7
diff -ur orig/domains/program/fsadm.te mod/domains/program/fsadm.te
--- orig/domains/program/fsadm.te	2004-12-12 17:00:01.000000000 +0100
+++ mod/domains/program/fsadm.te	2005-03-18 02:04:53.914697024 +0100
@@ -34,8 +34,7 @@
 base_file_read_access(fsadm_t)
 
 # Read /etc.
-allow fsadm_t etc_t:dir r_dir_perms;
-allow fsadm_t etc_t:notdevfile_class_set r_file_perms;
+r_dir_file(fsadm_t, etc_t)
 
 # Read module-related files.
 allow fsadm_t modules_conf_t:{ file lnk_file } r_file_perms;
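Review bot: The `r_dir_file(fsadm_t, etc_t)` line also removes fsadm_t's read access to `sock_file` and `fifo_file` objects labelled etc_t, a reduction the patch description mentions only for user_t. The same narrowing applies in the load_policy.te, login.te, base_user_macros.te, newrole_macros.te, ssh_macros.te and userhelper_macros.te hunks. If r_dir_file grants `lnk_file { getattr read }`, as the etc_runtime_t lines in user_macros.te suggest (its definition is not in this patch), symlinks are also reduced from `r_file_perms`. Tightening is the right direction for least privilege, but each affected domain should be exercised with the audit log watched for new AVC denials on those classes before the change is merged. A short comment at one of these sites, such as `# r_dir_file: dir, file and lnk_file only; no sock_file/fifo_file`, would record that the reduction is deliberate.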
diff -ur orig/domains/program/load_policy.te mod/domains/program/load_policy.te
--- orig/domains/program/load_policy.te	2004-10-14 13:09:52.000000000 +0200
+++ mod/domains/program/load_policy.te	2005-03-18 02:06:39.169695832 +0100
@@ -37,8 +37,7 @@
 
 # only allow read of policy config files
 allow load_policy_t policy_src_t:dir search;
-allow load_policy_t policy_config_t:dir r_dir_perms;
-allow load_policy_t policy_config_t:notdevfile_class_set r_file_perms;
+r_dir_file(load_policy_t, policy_config_t)
 
 # directory search permissions for path to binary policy files
 allow load_policy_t root_t:dir search;
diff -ur orig/domains/program/login.te mod/domains/program/login.te
--- orig/domains/program/login.te	2005-02-11 12:48:57.000000000 +0100
+++ mod/domains/program/login.te	2005-03-18 02:04:13.546833872 +0100
@@ -37,8 +37,7 @@
 allow $1_login_t var_t:lnk_file read;
 
 # Read /etc.
-allow $1_login_t etc_t:dir r_dir_perms;
-allow $1_login_t etc_t:notdevfile_class_set r_file_perms;
+r_dir_file($1_login_t, etc_t)
 allow $1_login_t etc_runtime_t:{ file lnk_file } r_file_perms;
 
 read_locale($1_login_t)
diff -ur orig/macros/base_user_macros.te mod/macros/base_user_macros.te
--- orig/macros/base_user_macros.te	2005-03-01 11:56:39.000000000 +0100
+++ mod/macros/base_user_macros.te	2005-03-18 02:00:48.971933984 +0100
@@ -349,8 +349,7 @@
 # Read the devpts root directory.
 allow $1_t devpts_t:dir r_dir_perms;
 
-allow $1_t src_t:dir r_dir_perms;
-allow $1_t src_t:notdevfile_class_set r_file_perms;
+r_dir_file($1_t, src_t)
 
 if (read_default_t) {
 allow $1_t default_t:dir r_dir_perms;
diff -ur orig/macros/program/newrole_macros.te mod/macros/program/newrole_macros.te
--- orig/macros/program/newrole_macros.te	2005-02-04 00:18:21.000000000 +0100
+++ mod/macros/program/newrole_macros.te	2005-03-18 02:03:18.029273824 +0100
@@ -60,8 +60,7 @@
 allow $1_t etc_t:file r_file_perms;
 
 # Read /var.
-allow $1_t var_t:dir r_dir_perms;
-allow $1_t var_t:notdevfile_class_set r_file_perms;
+r_dir_file($1_t, var_t)
 
 # Read /dev directories and any symbolic links.
 allow $1_t device_t:dir r_dir_perms;
diff -ur orig/macros/program/ssh_macros.te mod/macros/program/ssh_macros.te
--- orig/macros/program/ssh_macros.te	2005-03-01 11:56:40.000000000 +0100
+++ mod/macros/program/ssh_macros.te	2005-03-18 02:02:23.940496568 +0100
@@ -53,8 +53,7 @@
 base_file_read_access($1_ssh_t)
 
 # Read /var.
-allow $1_ssh_t var_t:dir r_dir_perms;
-allow $1_ssh_t var_t:notdevfile_class_set r_file_perms;
+r_dir_file($1_ssh_t, var_t)
 
 # Read /var/run, /var/log.
 allow $1_ssh_t var_run_t:dir r_dir_perms;
@@ -63,8 +62,7 @@
 allow $1_ssh_t var_log_t:{ file lnk_file } r_file_perms;
 
 # Read /etc.
-allow $1_ssh_t etc_t:dir r_dir_perms;
-allow $1_ssh_t etc_t:notdevfile_class_set r_file_perms;
+r_dir_file($1_ssh_t, etc_t)
 allow $1_ssh_t etc_runtime_t:{ file lnk_file } r_file_perms;
 
 # Read /dev directories and any symbolic links.
diff -ur orig/macros/program/userhelper_macros.te mod/macros/program/userhelper_macros.te
--- orig/macros/program/userhelper_macros.te	2005-02-04 00:18:22.000000000 +0100
+++ mod/macros/program/userhelper_macros.te	2005-03-18 02:07:21.585247688 +0100
@@ -76,8 +76,7 @@
 allow $1_userhelper_t etc_t:file r_file_perms;
 
 # Read /var.
-allow $1_userhelper_t var_t:dir r_dir_perms;
-allow $1_userhelper_t var_t:notdevfile_class_set r_file_perms;
+r_dir_file($1_userhelper_t, var_t)
 
 # Read /dev directories and any symbolic links.
 allow $1_userhelper_t device_t:dir r_dir_perms;
diff -ur orig/macros/user_macros.te mod/macros/user_macros.te
--- orig/macros/user_macros.te	2005-03-01 11:56:39.000000000 +0100
+++ mod/macros/user_macros.te	2005-03-18 01:54:57.971294192 +0100
@@ -134,12 +134,10 @@
 allow $1_t lost_found_t:dir getattr;
 
 # Read /var, /var/spool, /var/run.
-allow $1_t var_t:dir r_dir_perms;
-allow $1_t var_t:notdevfile_class_set r_file_perms;
-allow $1_t var_spool_t:dir r_dir_perms;
-allow $1_t var_spool_t:notdevfile_class_set r_file_perms;
-allow $1_t var_run_t:dir r_dir_perms;
-allow $1_t var_run_t:{ file lnk_file } r_file_perms;
+r_dir_file($1_t, var_t)
+# what about pipes and sockets under /var/spool?
+r_dir_file($1_t, var_spool_t)
+r_dir_file($1_t, var_run_t)
 allow $1_t var_lib_t:dir r_dir_perms;
 allow $1_t var_lib_t:file { getattr read };
 
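Review bot: The added comment `# what about pipes and sockets under /var/spool?` leaves an open question in the policy at the point where user domains lose read access to `sock_file` and `fifo_file` on var_t and var_spool_t. The patch description already answers it (objects that need access should get their own type), so the comment should state that decision, for example `# sock_file/fifo_file under /var/spool are intentionally not readable; give any that users need a dedicated type`. The var_run_t rules are converted too, although they never used notdevfile_class_set. Assuming r_dir_file expands the way the etc_runtime_t lines in the next hunk are written, that only narrows the lnk_file permissions. The enclosing macro definition starts and ends outside the hunk.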
@@ -147,16 +145,15 @@
 allow $1_t sysctl_kernel_t:file { getattr read };
 
 # Read /etc.
-allow $1_t etc_t:dir r_dir_perms;
-allow $1_t etc_t:notdevfile_class_set r_file_perms;
-allow $1_t etc_runtime_t:{ file lnk_file } r_file_perms;
+r_dir_file($1_t, etc_t)
+allow $1_t etc_runtime_t:file r_file_perms;
+allow $1_t etc_runtime_t:lnk_file { getattr read };
 
 # for running depmod as part of the kernel packaging process
 allow $1_t modules_conf_t:file { getattr read };
 
 # Read man directories and files.
-allow $1_t man_t:dir r_dir_perms;
-allow $1_t man_t:notdevfile_class_set r_file_perms;
+r_dir_file($1_t, man_t)
 
 # Allow users to rw usb devices
 if (user_rw_usb) {
@@ -169,13 +166,13 @@
 
 # Read /dev directories and any symbolic links.
 allow $1_t device_t:dir r_dir_perms;
-allow $1_t device_t:lnk_file r_file_perms;
+allow $1_t device_t:lnk_file { getattr read };
 
 # Do not audit write denials to /etc/ld.so.cache.
 dontaudit $1_t ld_so_cache_t:file write;
 
 # Execute from the system shared libraries.
-uses_shlib($1_t);
+uses_shlib($1_t)
 
 # $1_t is also granted permissions specific to user domains.
 user_domain($1)
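Review bot: The `device_t:lnk_file` rule is narrowed from `r_file_perms` to `{ getattr read }` with no comment, and it is not a notdevfile_class_set use, so nothing in the patch description covers it; the same goes for the etc_runtime_t split in the previous hunk. A why-comment on the line, such as `# symlinks need only getattr and read`, would keep a later editor from widening it back to `r_file_perms`. The `uses_shlib($1_t)` change only removes a stray semicolon after a macro call and is fine, though it would be easier to audit as a separate cleanup. The enclosing definition starts and ends outside the hunk.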

Attachment: pgpPWsjMj9Qqm.pgp
Description: PGP signature


