diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index aa2b20e..4577903 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -91,6 +91,7 @@ domain_use_widely_inheritable_file_descriptors(bootloader_t)
 libraries_use_dynamic_loader(bootloader_t)
 libraries_read_shared_libraries(bootloader_t)
+libraries_read_library_resources(bootloader_t)
 files_read_general_system_config(bootloader_t)
 files_read_runtime_system_config(bootloader_t)
@@ -186,8 +187,6 @@ allow bootloader_t admin_tty_type:chr_file rw_file_perms;
 allow bootloader_t initrc_t:fifo_file { read write };
-allow bootloader_t lib_t:file { getattr read };
-
 allow bootloader_t sysfs_t:dir getattr;
 allow bootloader_t var_t:dir search;
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 5abaaec..516974a 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -82,6 +82,8 @@ logging_send_system_log_message(hotplug_t)
 libraries_use_dynamic_loader(hotplug_t)
 libraries_read_shared_libraries(hotplug_t)
+# Read /usr/lib/gconv/.*
+libraries_read_library_resources(hotplug_t)
 modutils_insmod_transition(hotplug_t)
 modutils_read_kernel_module_dependencies(hotplug_t)
@@ -155,9 +157,6 @@ allow hotplug_t kernel_t:process sigchld;
 # for when filesystems are not mounted early in the boot
 dontaudit hotplug_t file_t:dir { search getattr };
-# Read /usr/lib/gconv/.*
-allow hotplug_t lib_t:file { getattr read };
-
 allow hotplug_t udev_runtime_t:file rw_file_perms;
 allow hotplug_t var_log_t:dir search;
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 7a06dac..832bcf0 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
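Review bot: The `libraries_read_library_resources(bootloader_t)` call added after libraries_read_shared_libraries has no comment saying why bootloader_t needs it, and the interface it expands to (see the libraries.if hunk in this commit) grants lib_t:dir { getattr read search } and lnk_file read on top of the lib_t:file { getattr read } that the second hunk removes, so the domain ends up with a somewhat wider grant than before. The hotplug hunk in the same commit annotates the identical call with `# Read /usr/lib/gconv/.*`. I would add a matching why-comment here, e.g. `# charset conversion / locale data under /usr/lib` if that is the reason, so the extra directory and symlink access is traceable rather than silently inherited from the interface.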
@@ -145,8 +145,6 @@ allow init_t self:capability ~sys_module;
 allow init_t initrc_var_run_t:file { getattr read write setattr };
 ifdef(`TODO',`
-# something other then static libs
-allow init_t lib_t:file { getattr read };
 # for mount points
 allow init_t file_t:dir search;
@@ -438,14 +436,8 @@ domain_trans(initrc_t, shell_exec_t, unconfined_t)
 ', `
 domain_auto_trans(sysadm_t, run_init_exec_t, run_init_t)
 role sysadm_r types run_init_t;
- domain_auto_trans(run_init_t, chkpwd_exec_t, sysadm_chkpwd_t)
-
-# for utmp
 allow run_init_t admin_tty_type:chr_file rw_file_perms;
-
-allow run_init_t lib_t:file { getattr read };
-
 ') dnl endif targeted policy
 tunable_policy(`distro_gentoo', `
diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if
index efb5097..7e02e9c 100644
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@@ -87,15 +87,15 @@ class file execmod;
 ########################################
 #
-# libraries_read_static_libraries(domain)
+# libraries_read_library_resources(domain)
 #
-define(`libraries_read_static_libraries',`
+define(`libraries_read_library_resources',`
 requires_block_template(`$0'_depend)
 allow $1 lib_t:dir { getattr read search };
 allow $1 lib_t:{ file lnk_file } { getattr read };
 ')
-define(`libraries_read_static_libraries_depend',`
+define(`libraries_read_library_resources_depend',`
 type lib_t;
 class dir { getattr read search };
 class lnk_file { getattr read };
diff --git a/refpolicy/policy/modules/system/miscfiles.if b/refpolicy/policy/modules/system/miscfiles.if
index a9755a7..ccceb51 100644
--- a/refpolicy/policy/modules/system/miscfiles.if
+++ b/refpolicy/policy/modules/system/miscfiles.if
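Review bot: The removed `# for utmp` comment sat directly above `allow run_init_t admin_tty_type:chr_file rw_file_perms;`, which this hunk keeps, so the surviving rule loses its only explanation; either keep the comment or replace it with one that actually matches the rule, e.g. `# run_init interacts with the admin tty`. The collapsed text also leaves it unclear whether `domain_auto_trans(run_init_t, chkpwd_exec_t, sysadm_chkpwd_t)` is removed or only the blank line before it; if the transition is dropped, run_init loses its automatic transition into the password-check domain, which is unrelated to the lib_t cleanup this commit performs and should be called out in the commit message or split into its own patch. The ifdef whose else-branch this hunk edits opens outside the hunk.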
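Review bot: The banner for `libraries_read_library_resources` carries only the renamed name and says nothing about what the interface grants or when to use it, while the body grants search/read on lib_t directories and read on lib_t files and symlinks — more than the bare `lib_t:file { getattr read }` rules this commit replaces in the callers. I would document that in the header, e.g. `# Read the non-library data installed under lib_t (gconv modules, locale data and the like): dir search/read, file and lnk_file read`, since the converted callers in this commit cite gconv and localization as their reason. The old name libraries_read_static_libraries is dropped with no compatibility alias, so any caller outside this patch that still uses it will fail to expand at policy build time; grepping the tree for the old name before merging would confirm none remain.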
@@ -27,7 +27,10 @@ define(`miscfiles_read_localization',`
 requires_block_template(`$0'_depend)
 # FIXME: $1 read etc_t:lnk_file here
 # FIXME: $1 search usr_t:dir here
-# FIXME: $1 read lib_t:file(?)
+
+# why?
+libraries_read_library_resources($1)
+
 allow $1 locale_t:dir { getattr read search };
 allow $1 locale_t:lnk_file { getattr read };
 allow $1 locale_t:file { getattr read };
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index df716c6..62854b9 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -2,6 +2,11 @@ policy_module(modutils,1.0)
+########################################
+#
+# Declarations
+#
+
 # module loading config
 type modules_conf_t;
 files_make_file(modules_conf_t)
@@ -92,7 +97,6 @@ ifdef(`TODO',`
 allow insmod_t initrc_t:fifo_file { getattr read write };
-allow insmod_t lib_t:file { getattr read };
 allow insmod_t { var_t var_log_t }:dir search;
 allow insmod_t apm_bios_t:chr_file { read write };
@@ -229,6 +233,4 @@ role sysadm_r types update_modules_t;
 domain_auto_trans(sysadm_t, update_modules_exec_t, update_modules_t)
 allow update_modules_t admin_tty_type:chr_file rw_file_perms;
 dontaudit update_modules_t sysadm_home_dir_t:dir search;
-
-allow update_modules_t lib_t:file { getattr read };
 ') dnl endif TODO
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index e292109..a999b3d 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -67,9 +67,6 @@ ifdef(`TODO',`
 # nfsv4 has a filesystem to mount for its userspace daemons
 allow mount_t var_lib_nfs_t:dir mounton;
-# for localization
-allow mount_t lib_t:file { getattr read };
-
 # TODO: Need to examine this further. Not sure how to handle this
 #type sysadm_mount_source_t, file_type, sysadmfile, $1_file_type;
 #allow sysadm_t sysadm_mount_source_t:file create_file_perms;
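Review bot: The added `# why?` above `libraries_read_library_resources($1)` is a placeholder that ships into the policy, and it explains nothing for a change that gives every caller of miscfiles_read_localization read access to all of lib_t (directories, files and symlinks), not just locale_t. The comments this commit deletes in the individual domains (`# for localization` in mount.te and sysnetwork.te, `# Read /usr/lib/gconv/.*` in hotplug.te) point at the reason; if that is it, say so: `# glibc locale handling also loads charset conversion modules that live under lib_t (e.g. /usr/lib/gconv)`. If the access is not actually required by localization itself, it is better left in the domains that need it, because putting it here widens every present and future caller of this interface.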
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 97c9722..b95984d 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -165,9 +165,6 @@ allow dhcpc_t rhgb_t:fifo_file { read write };
 can_ypbind(dhcpc_t)
-# for localization
-allow dhcpc_t lib_t:file { getattr read };
-
 ifdef(`cardmgr.te', `
 domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
 allow cardmgr_t dhcpc_var_run_t:file { getattr read };