diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index b3f6bad..1da9add 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -34,7 +34,7 @@ type rpm_script_exec_t;
 domain_obj_id_change_exempt(rpm_script_t)
 corecmd_shell_entry_type(rpm_script_t)
 domain_type(rpm_script_t)
-domain_entry_file(rpm_t,rpm_script_t)
+domain_entry_file(rpm_t,rpm_script_exec_t)
 domain_wide_inherit_fd(rpm_script_t)
 role system_r types rpm_script_t;
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index b18b441..181effd 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -43,8 +43,8 @@ interface(`term_user_pty',`
 attribute server_ptynode;
 ')
- term_pty($1)
- type_change $1 server_ptynode:chr_file $2;
+ term_pty($2)
+ type_change $2 server_ptynode:chr_file $1;
 ')
 ########################################
diff --git a/refpolicy/policy/modules/system/domain.te b/refpolicy/policy/modules/system/domain.te
index cb3306d..6891c30 100644
--- a/refpolicy/policy/modules/system/domain.te
+++ b/refpolicy/policy/modules/system/domain.te
@@ -15,9 +15,14 @@ attribute can_change_process_identity;
 attribute can_change_process_role;
 attribute can_change_object_identity;
+# Transitions only allowed from domains to other domains
 neverallow domain ~domain:process { transition dyntransition };
 # enabling setcurrent breaks process tranquility. If you do not
 # know what this means or do not understand the implications of a
 # dynamic transition, you should not be using it!!!
 neverallow * *:process setcurrent;
+
+# Files with domain types are currently only proc files
+neverallow * domain:dir ~r_dir_perms;
+neverallow * domain:file_class_set ~rw_file_perms;
diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if
index 58b587e..2cd42f0 100644
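Review bot: In the rpm.te hunk the first argument of the corrected call is still `rpm_t`, although every neighbouring declaration (`domain_type`, `corecmd_shell_entry_type`, `role system_r types`) is for `rpm_script_t`, so `rpm_script_exec_t` becomes an entry point of the package manager's own domain rather than of the script domain. If the script domain is what is meant, the line should read `domain_entry_file(rpm_script_t,rpm_script_exec_t)`. If `rpm_t` is intentional, a one-line comment saying why a script file may enter `rpm_t` would help, because entrypoint grants decide which files can start a privileged domain. The definition of `domain_entry_file` is not part of this diff, so this reading rests on the argument order used in the hunk.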
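Review bot: In the `term_user_pty` hunk of terminal.if one parameter still plays two roles after the swap: `$2` is declared a pty type by `term_pty($2)` and is also the source (process) type of the `type_change` rule, while `$1` is the type the new pty receives. The type handed to `term_pty` and the result type of `type_change` should be the same parameter; if `$1` is the domain and `$2` the pty type, that is `term_pty($2)` together with `type_change $1 server_ptynode:chr_file $2;`. The interface's parameter documentation and its `gen_require` opening lie outside the hunk, so the intended order should be confirmed against them and against the callers.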
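Review bot: The comment above the two new `neverallow` rules in domain.te says what currently carries a domain type, but not what the assertions forbid or how a module author should resolve a violation. Assuming `r_dir_perms` and `rw_file_perms` are the usual read and read/write permission sets (their definitions are not in this diff), the rules reject create, execute, entrypoint and relabel access to domain-typed objects, which is presumably why the `rpm.te` line in this commit had to change. I would extend the comment along the lines of `# A domain type must not label an executable or on-disk file; declare a separate *_exec_t type for entry points.` so that a failing assertion points the author to the fix.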
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@@ -109,10 +109,7 @@ interface(`libs_legacy_use_ld_so',`
 ##
 ## Execute the dynamic link/loader in the caller's
 ## domain. This is commonly needed for the
-## /usr/bin/ldd program. Note: this can be used
-## to execute any binary that the caller can
-## read, even if the caller does not have execute
-## permissions.
+## /usr/bin/ldd program.
 ##
 ##
 ## The type of the process performing this action.
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index feaf158..9dc0e2b 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -9,7 +9,7 @@ policy_module(logging,1.0)
 attribute logfile;
 type auditd_log_t;
-logging_log_file(auditd_t,auditd_log_t)
+logging_log_file(auditd_log_t)
 type auditd_t;
 type auditd_exec_t;
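Review bot: Removing the note in the libraries.if hunk leaves this interface's documentation with no security caveat at all, although a program run through the loader stays in the caller's domain with no entrypoint check or domain transition. If the deleted wording was dropped because it overstated the case (SELinux, as far as I know, still checks `execute` when the loader maps the file executable), a narrower sentence would serve policy writers better than none, for example `## Note: a program started through the loader runs in the caller's domain, without a domain transition.` The rest of the comment block and the interface body are outside the hunk.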