From 8cd1306e5b93dbf7131e529144d8145e1f8466b2 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Aug 05 2009 14:06:04 +0000
Subject: fix ordering of interface calls in locallogin.

---

diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 3cb6ca2..30e25c7 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -61,6 +61,13 @@ kernel_read_kernel_sysctls(local_login_t)
 kernel_search_key(local_login_t)
 kernel_link_key(local_login_t)
 
+corecmd_list_bin(local_login_t)
+corecmd_read_bin_symlinks(local_login_t)
+# cjp: these are probably not needed:
+corecmd_read_bin_files(local_login_t)
+corecmd_read_bin_pipes(local_login_t)
+corecmd_read_bin_sockets(local_login_t)
+
 dev_setattr_mouse_dev(local_login_t)
 dev_getattr_mouse_dev(local_login_t)
 dev_getattr_power_mgmt_dev(local_login_t)
@@ -84,6 +91,20 @@ dev_dontaudit_search_sysfs(local_login_t)
 dev_dontaudit_getattr_video_dev(local_login_t)
 dev_dontaudit_setattr_video_dev(local_login_t)
 
+domain_read_all_entry_files(local_login_t)
+
+files_read_etc_files(local_login_t)
+files_read_etc_runtime_files(local_login_t)
+files_read_usr_files(local_login_t)
+files_list_mnt(local_login_t)
+files_list_world_readable(local_login_t)
+files_read_world_readable_files(local_login_t)
+files_read_world_readable_symlinks(local_login_t)
+files_read_world_readable_pipes(local_login_t)
+files_read_world_readable_sockets(local_login_t)
+# for when /var/mail is a symlink
+files_read_var_symlinks(local_login_t)
+
 fs_search_auto_mountpoints(local_login_t)
 
 storage_dontaudit_getattr_fixed_disk_dev(local_login_t)
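Review bot: The three calls under `# cjp: these are probably not needed:` in the first hunk (`corecmd_read_bin_files`, `corecmd_read_bin_pipes`, `corecmd_read_bin_sockets` for local_login_t) are carried over unchanged, so the login domain keeps read access to bin_t files, pipes and sockets that the file's own comment doubts it needs. Since this commit only reorders the calls, it would be a natural point to settle the question: confirm against a denial log whether login actually reads anything beyond listing and resolving symlinks in bin directories, and either drop the three lines or replace the comment with the concrete reason they are required, e.g. `# login reads bin_t files when ...` — I cannot tell from the hunk which it is. Leaving a "probably not needed" grant in a privileged domain like local_login_t runs against least privilege and tends to survive indefinitely once it has been moved rather than reviewed.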
@@ -104,27 +125,6 @@ auth_manage_pam_pid(local_login_t)
 auth_manage_pam_console_data(local_login_t)
 auth_domtrans_pam_console(local_login_t)
 
-corecmd_list_bin(local_login_t)
-corecmd_read_bin_symlinks(local_login_t)
-# cjp: these are probably not needed:
-corecmd_read_bin_files(local_login_t)
-corecmd_read_bin_pipes(local_login_t)
-corecmd_read_bin_sockets(local_login_t)
-
-domain_read_all_entry_files(local_login_t)
-
-files_read_etc_files(local_login_t)
-files_read_etc_runtime_files(local_login_t)
-files_read_usr_files(local_login_t)
-files_list_mnt(local_login_t)
-files_list_world_readable(local_login_t)
-files_read_world_readable_files(local_login_t)
-files_read_world_readable_symlinks(local_login_t)
-files_read_world_readable_pipes(local_login_t)
-files_read_world_readable_sockets(local_login_t)
-# for when /var/mail is a symlink
-files_read_var_symlinks(local_login_t)
-
 init_dontaudit_use_fds(local_login_t)
 
 miscfiles_read_localization(local_login_t)
@@ -219,6 +219,8 @@ files_read_etc_files(sulogin_t)
 # because file systems are not mounted:
 files_dontaudit_search_isid_type_dirs(sulogin_t)
 
+auth_read_shadow(sulogin_t)
+
 init_getpgid_script(sulogin_t)
 
 logging_send_syslog_msg(sulogin_t)
@@ -226,8 +228,6 @@ logging_send_syslog_msg(sulogin_t)
 seutil_read_config(sulogin_t)
 seutil_read_default_contexts(sulogin_t)
 
-auth_read_shadow(sulogin_t)
-
 userdom_use_unpriv_users_fds(sulogin_t)
 userdom_search_user_home_dirs(sulogin_t)