From 1293184998ce844b39fb076552125b7c9f28b749 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Jun 01 2005 13:51:54 +0000
Subject: last fixes for cab
---
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index cfd1c5b..875a770 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -80,6 +80,20 @@ class dir r_dir_perms;
 ########################################
 #
+# devices_add_dev_dir(domain)
+#
+define(`devices_add_dev_dir',`
+requires_block_template(`$0'_depend)
+allow $1 device_t:dir { ra_dir_perms create };
+')
+
+define(`devices_add_dev_dir_depend',`
+type device_t;
+class dir { ra_dir_perms create };
+')
+
+########################################
+#
 # devices_ignore_get_generic_pipe_attributes(domain)
 #
 define(`devices_ignore_get_generic_pipe_attributes',`
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 8f43850..f09edd9 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -623,6 +623,20 @@ class dir { getattr search read write add_name remove_name };
 ########################################
 #
+# files_modify_isid_type_dir(domain)
+#
+define(`files_modify_isid_type_dir',`
+requires_block_template(`$0'_depend)
+allow $1 file_t:dir rw_dir_perms;
+')
+
+define(`files_modify_isid_type_dir_depend',`
+type file_t;
+class dir rw_dir_perms;
+')
+
+########################################
+#
 # files_ignore_get_isid_type_dir_attrib(domain)
 #
 define(`files_ignore_get_isid_type_dir_attrib',`
diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te
index 8d2f593..db24d06 100644
--- a/refpolicy/policy/modules/system/getty.te
+++ b/refpolicy/policy/modules/system/getty.te
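Review bot: The new `devices_add_dev_dir` interface carries only its name as documentation, yet what it hands out on `device_t:dir` is `ra_dir_perms` plus `create`, which (if `ra_dir_perms` is the read-plus-add_name set it is elsewhere in refpolicy) lets the caller both create new directories under /dev and add entries to every existing `device_t` directory, not just "add a dev dir". The header block should say so, since the only caller in this commit is `initrc_t` under the `distro_redhat` tunable and the next reader will want to know the blast radius: `# Create directories in device_t (/dev) and add entries to existing device_t directories. Needed by the initrd on Red Hat; do not use for domains that only read /dev.` It would also be worth stating that no `remove_name`/`rmdir` is granted, so the interface is deliberately additive only.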
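Review bot: `files_modify_isid_type_dir` grants `rw_dir_perms` on `file_t:dir`, and `file_t` is the type of directories that carry no label at all (the initial-SID type), so the permission is not scoped to the initrd that motivates it: any unlabeled directory on any mounted filesystem matches. That caveat belongs in the interface header so callers do not treat it as a narrow "initrd" interface: `# Read and write directories that have no security label (file_t). This is every unlabeled directory on the system, e.g. an unlabeled initrd root or a filesystem that has never been relabeled; grant only to domains that must operate before labeling is available.` As written the interface name ("isid_type") is the only hint, and it is opaque to anyone outside the policy team.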
@@ -49,7 +49,10 @@ kernel_read_hardware_state(getty_t)
 filesystem_get_persistent_filesystem_attributes(getty_t)
 # Chown, chmod, read and write ttys.
-terminal_use_all_terminals(getty_t)
+terminal_use_all_private_physical_terminals(getty_t)
+terminal_use_general_physical_terminal(getty_t)
+terminal_set_all_private_physical_terminal_attributes(getty_t)
+terminal_set_general_physical_terminal_attributes(getty_t)
 terminal_set_console_attributes(getty_t)
 authlogin_modify_login_records(getty_t)
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 10726ae..8887846 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -313,6 +313,9 @@ tunable_policy(`distro_debian', `
 ')
 tunable_policy(`distro_redhat',`
+ # this is from kmodule, which should get its own policy:
+ allow initrc_t self:capability sys_admin;
+
 # Red Hat systems seem to have a stray
 # fd open from the initrd
 kernel_ignore_use_file_descriptors(initrc_t)
@@ -327,6 +330,7 @@ tunable_policy(`distro_redhat',`
 # These seem to be from the initrd
 # during device initialization:
+ devices_add_dev_dir(initrc_t)
 devices_legacy_use_dev_zero(initrc_t)
 devices_legacy_raw_read_memory(initrc_t)
 devices_legacy_raw_write_memory(initrc_t)
@@ -339,8 +343,7 @@ tunable_policy(`distro_redhat',`
 # readahead asks for these
 mta_read_mail_aliases(initrc_t)
-
-') dnl end distro_redhat
+')
 optional_policy(`hotplug.te',`
 kernel_read_usb_hardware_state(initrc_t)
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index f3cd829..10c2688 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
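Review bot: The four replacement interfaces are all `*_physical_terminal*`, so if `terminal_use_all_terminals` previously covered pseudo-terminals as well, this hunk silently narrows getty_t to physical lines (which is plausibly correct for getty, but is a behaviour change the comment does not mention). The comment above the calls still reads `# Chown, chmod, read and write ttys.`; make the narrowing explicit so a later denial on a pty is recognised as intended rather than as a regression: `# Chown, chmod, read and write physical ttys (private and general). Pseudo-terminals are deliberately not granted; getty only serves real lines.` If ptys were never part of the old interface the comment is still accurate and costs nothing.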
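Review bot: `allow initrc_t self:capability sys_admin;` in the first init.te hunk hands the init-script domain the catch-all capability (mount, a large set of privileged ioctls, and more), which is close to unconfined root for everything that runs as initrc_t, and it is granted unconditionally for the whole `distro_redhat` build rather than only to the kmodule invocation that needs it. The existing comment admits kmodule "should get its own policy" but does not record which operation triggered the denial, so nobody will be able to tell later whether the grant is still required; I would replace it with `# TODO: kmodule runs in initrc_t and needs CAP_SYS_ADMIN for <operation seen in the AVC denial>; move kmodule to its own domain and drop this, as sys_admin is the broadest capability there is.` The `tunable_policy(`distro_redhat'` block that encloses this line starts before the hunk and ends in the third hunk of this file.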
@@ -136,6 +136,11 @@ selinux_read_config(lvm_t)
 selinux_read_file_contexts(lvm_t)
 selinux_newrole_sigchld(lvm_t)
+tunable_policy(`distro_redhat',`
+ # this is from the initrd:
+ files_modify_isid_type_dir(lvm_t)
+')
+
 tunable_policy(`targeted_policy', `
 terminal_ignore_use_general_physical_terminal(lvm_t)
 terminal_ignore_use_general_pseudoterminal(lvm_t)
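Review bot: `files_modify_isid_type_dir(lvm_t)` gives lvm_t read/write on every `file_t` (unlabeled) directory, and the one-line comment `# this is from the initrd:` hides that the grant is not limited to the initrd: after boot, any filesystem mounted without labels (a foreign disk, an unlabeled USB key) is also writable by lvm_t. Since the rule is already inside the `distro_redhat` tunable, the remaining hardening is documentary — say why the initrd is unlabeled and what lvm writes there, so the rule can be removed once the initrd is labeled: `# Red Hat initrd: its root filesystem carries no labels (file_t) and lvm needs to create/modify directories (device nodes dirs) in it before relabeling. Note this also covers any other unlabeled directory on the system.` Without that, the next person auditing writes to unlabeled content will have no way to judge whether this is still needed.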