From 02687a70342a88e5e52cacec7b258c745bb5864c Mon Sep 17 00:00:00 2001
From: Dominick Grift
Date: Sep 22 2010 13:41:45 +0000
Subject: Move calls to external interfaces below policy that governs internal interaction.

Move calls to external interfaces below policy that governs internal interaction.

---

diff --git a/policy/modules/services/cachefilesd.te b/policy/modules/services/cachefilesd.te
index efabfb5..575c16e 100644
--- a/policy/modules/services/cachefilesd.te
+++ b/policy/modules/services/cachefilesd.te
@@ -79,14 +79,6 @@ rpm_use_script_fds(cachefilesd_t)
 #
 allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
 
-# Basic access
-files_read_etc_files(cachefilesd_t)
-miscfiles_read_localization(cachefilesd_t)
-logging_send_syslog_msg(cachefilesd_t)
-init_dontaudit_use_script_ptys(cachefilesd_t)
-term_dontaudit_use_generic_ptys(cachefilesd_t)
-term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
-
 # Allow manipulation of pid file
 allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
 manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
@@ -104,6 +96,14 @@ allow cachefilesd_t cachefiles_var_t:file { rename delete_file_perms };
 # Permit statfs on the backing filesystem
 fs_getattr_xattr_fs(cachefilesd_t)
 
+# Basic access
+files_read_etc_files(cachefilesd_t)
+miscfiles_read_localization(cachefilesd_t)
+logging_send_syslog_msg(cachefilesd_t)
+init_dontaudit_use_script_ptys(cachefilesd_t)
+term_dontaudit_use_generic_ptys(cachefilesd_t)
+term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
+
 ###############################################################################
 #
 # When cachefilesd invokes the kernel module to begin caching, it has to tell
diff --git a/policy/modules/services/djbdns.te b/policy/modules/services/djbdns.te
index 5fd29a5..51e2ce8 100644
--- a/policy/modules/services/djbdns.te
+++ b/policy/modules/services/djbdns.te
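Review bot: The relocated "# Basic access" group in the second cachefilesd.te hunk is still not in refpolicy's conventional interface-call order (kernel-layer modules first, then alphabetical by module), so `files_read_etc_files` and the two `term_dontaudit_*` calls should sit together with the `fs_getattr_xattr_fs` line that now precedes them, followed by `init_`, `logging_` and `miscfiles_`; the heading comment can then be dropped, since it no longer describes a distinct section. Moving the calls is neutral for the compiled policy, because allow and dontaudit rules are order-independent, so the only thing this hunk changes is readability — which is why the ordering is worth getting right. The three `dontaudit` calls silence AVC denials on ptys and unallocated ttys; if that is still the intended behaviour for a daemon started from an init script, a one-line comment such as `# silence harmless tty/pty probes inherited from the init script` next to them would record why the denials are deliberately hidden.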
@@ -25,9 +25,6 @@ djbdns_daemontools_domain_template(tinydns)
 
 allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot };
 
-daemontools_ipc_domain(djbdns_axfrdns_t)
-daemontools_read_svc(djbdns_axfrdns_t)
-
 allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:dir list_dir_perms;
 allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:file read_file_perms;
 
@@ -39,6 +36,9 @@ allow djbdns_axfrdns_t djbdns_tinydns_conf_t:file read_file_perms;
 
 files_search_var(djbdns_axfrdns_t)
 
+daemontools_ipc_domain(djbdns_axfrdns_t)
+daemontools_read_svc(djbdns_axfrdns_t)
+
 ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
 
 ########################################
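Review bot: The two daemontools calls moved into the second djbdns.te hunk hand-roll supervision access for djbdns_axfrdns_t, while the hunk header of the first hunk shows tinydns obtaining its daemontools policy through `djbdns_daemontools_domain_template(tinydns)`; if axfrdns is also run under daemontools, it is worth checking whether the template should be used for it too rather than two individual interface calls. If the explicit calls are intentional, a short comment above them, for example `# axfrdns is started by ucspi-tcp, not supervised directly; only ipc and svc-dir read access needed`, would record that decision — I am inferring the reason from the `ucspitcp_service_domain` line below and it should be confirmed. The new placement itself (after `files_search_var`, before `ucspitcp_service_domain`) follows the kernel-then-services ordering convention, so no reordering is needed here.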