diff --git a/refpolicy/policy/modules/system/selinux.te b/refpolicy/policy/modules/system/selinux.te index fb0ba1d..92739bf 100644 --- a/refpolicy/policy/modules/system/selinux.te +++ b/refpolicy/policy/modules/system/selinux.te @@ -115,14 +115,16 @@ filesystem_get_persistent_filesystem_attributes(checkpolicy_t) terminal_use_console(checkpolicy_t) +domain_use_widely_inheritable_file_descriptors(checkpolicy_t) + init_use_file_descriptors(checkpolicy_t) init_script_use_pseudoterminal(checkpolicy_t) -domain_use_widely_inheritable_file_descriptors(checkpolicy_t) - libraries_use_dynamic_loader(checkpolicy_t) libraries_use_shared_libraries(checkpolicy_t) +userdomain_use_all_users_file_descriptors(checkpolicy_t) + ifdef(`TODO',` role sysadm_r types checkpolicy_t; domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t) @@ -138,9 +140,6 @@ ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;') # Allow users to execute checkpolicy without a domain transition # so it can be used without privilege to write real binary policy file can_exec(unpriv_userdomain, checkpolicy_exec_t) - -allow checkpolicy_t userdomain:fd use; - ') dnl endif TODO ######################################## @@ -178,6 +177,8 @@ libraries_use_shared_libraries(load_policy_t) miscfiles_read_localization(load_policy_t) +userdomain_use_all_users_file_descriptors(load_policy_t) + ifdef(`TODO',` role sysadm_r types load_policy_t; domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t) @@ -186,8 +187,6 @@ allow load_policy_t admin_tty_type:chr_file { read write ioctl getattr }; # directory search permissions for path to binary policy files allow load_policy_t etc_t:dir search; - -allow load_policy_t userdomain:fd use; ') dnl endif TODO ######################################## @@ -327,6 +326,8 @@ libraries_use_shared_libraries(restorecon_t) logging_send_system_log_message(restorecon_t) +userdomain_use_all_users_file_descriptors(restorecon_t) + optional_policy(`hotplug.te',` hotplug_use_file_descriptors(restorecon_t) ') @@ -343,7 +344,6 @@ ifdef(`TODO',` allow restorecon_t admin_tty_type:chr_file { read write ioctl }; domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t) role sysadm_r types restorecon_t; -allow restorecon_t userdomain:fd use; # for upgrading glibc and other shared objects - without this the upgrade # scripts will put things in a state such that restorecon can not be run! @@ -478,6 +478,8 @@ logging_send_system_log_message(setfiles_t) miscfiles_read_localization(setfiles_t) +userdomain_use_all_users_file_descriptors(setfiles_t) + # relabeling rules kernel_relabel_unlabeled_object(setfiles_t) devices_manage_all_devices_labels(setfiles_t) @@ -491,8 +493,6 @@ ifdef(`TODO',` domain_auto_trans(sysadm_t, setfiles_exec_t, setfiles_t) role sysadm_r types setfiles_t; -allow setfiles_t userdomain:fd use; - # for upgrading glibc and other shared objects - without this the upgrade # scripts will put things in a state such that setfiles can not be run! allow setfiles_t lib_t:file { read execute }; diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index fb0ba1d..92739bf 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -115,14 +115,16 @@ filesystem_get_persistent_filesystem_attributes(checkpolicy_t) terminal_use_console(checkpolicy_t) +domain_use_widely_inheritable_file_descriptors(checkpolicy_t) + init_use_file_descriptors(checkpolicy_t) init_script_use_pseudoterminal(checkpolicy_t) -domain_use_widely_inheritable_file_descriptors(checkpolicy_t) - libraries_use_dynamic_loader(checkpolicy_t) libraries_use_shared_libraries(checkpolicy_t) +userdomain_use_all_users_file_descriptors(checkpolicy_t) + ifdef(`TODO',` role sysadm_r types checkpolicy_t; domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t) @@ -138,9 +140,6 @@ ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;') # Allow users to execute checkpolicy without a domain transition # so it can be used without privilege to write real binary policy file can_exec(unpriv_userdomain, checkpolicy_exec_t) - -allow checkpolicy_t userdomain:fd use; - ') dnl endif TODO ######################################## @@ -178,6 +177,8 @@ libraries_use_shared_libraries(load_policy_t) miscfiles_read_localization(load_policy_t) +userdomain_use_all_users_file_descriptors(load_policy_t) + ifdef(`TODO',` role sysadm_r types load_policy_t; domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t) @@ -186,8 +187,6 @@ allow load_policy_t admin_tty_type:chr_file { read write ioctl getattr }; # directory search permissions for path to binary policy files allow load_policy_t etc_t:dir search; - -allow load_policy_t userdomain:fd use; ') dnl endif TODO ######################################## @@ -327,6 +326,8 @@ libraries_use_shared_libraries(restorecon_t) logging_send_system_log_message(restorecon_t) +userdomain_use_all_users_file_descriptors(restorecon_t) + optional_policy(`hotplug.te',` hotplug_use_file_descriptors(restorecon_t) ') @@ -343,7 +344,6 @@ ifdef(`TODO',` allow restorecon_t admin_tty_type:chr_file { read write ioctl }; domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t) role sysadm_r types restorecon_t; -allow restorecon_t userdomain:fd use; # for upgrading glibc and other shared objects - without this the upgrade # scripts will put things in a state such that restorecon can not be run! @@ -478,6 +478,8 @@ logging_send_system_log_message(setfiles_t) miscfiles_read_localization(setfiles_t) +userdomain_use_all_users_file_descriptors(setfiles_t) + # relabeling rules kernel_relabel_unlabeled_object(setfiles_t) devices_manage_all_devices_labels(setfiles_t) @@ -491,8 +493,6 @@ ifdef(`TODO',` domain_auto_trans(sysadm_t, setfiles_exec_t, setfiles_t) role sysadm_r types setfiles_t; -allow setfiles_t userdomain:fd use; - # for upgrading glibc and other shared objects - without this the upgrade # scripts will put things in a state such that setfiles can not be run! allow setfiles_t lib_t:file { read execute };