diff --git a/refpolicy/policy/modules/admin/firstboot.te b/refpolicy/policy/modules/admin/firstboot.te
index 359cbdc..f39a053 100644
--- a/refpolicy/policy/modules/admin/firstboot.te
+++ b/refpolicy/policy/modules/admin/firstboot.te
@@ -1,6 +1,10 @@ policy_module(firstboot,1.0) +gen_require(` + class passwd rootok; +') + ######################################## # # Declarations
@@ -111,6 +115,10 @@ optional_policy(`nis.te',` nis_use_ypbind(firstboot_t) ') +optional_policy(`samba.te',` + samba_rw_config(firstboot_t) +') + optional_policy(`usermanage.te',` usermanage_domtrans_useradd(firstboot_t) usermanage_domtrans_groupadd(firstboot_t)
@@ -123,10 +131,6 @@ ifdef(`printconf.te', ` can_exec(firstboot_t, printconf_t) ') -ifdef(`samba.te', ` - rw_dir_file(firstboot_t, samba_etc_t) -') - ifdef(`userhelper.te', ` role system_r types sysadm_userhelper_t; domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t)
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 6d0b9ba..89f26ff 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -756,8 +756,6 @@ interface(`kernel_dontaudit_search_network_sysctl_dir',` interface(`kernel_read_net_sysctl',` gen_require(` type proc_t, sysctl_t, sysctl_net_t; - class dir r_dir_perms; - class file f_file_perms; ') allow $1 proc_t:dir search;
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index 2ba6b92..b597a2e 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -454,8 +454,7 @@ interface(`term_relabelto_all_user_ptys',` interface(`term_use_all_user_ptys',` gen_require(` attribute ptynode; - class dir r_dir_perms; - class chr_file { getattr read write ioctl }; + type devpts_t; ') dev_list_all_dev_nodes($1) 
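Review bot: The new module-level `gen_require` for `class passwd rootok` at the top of firstboot.te carries no comment saying which rule needs it (presumably an `allow firstboot_t self:passwd rootok;` further down, outside the hunk), and it runs against the direction of the rest of the commit, which strips class requirements from every interface in kernel.if, terminal.if, kerberos.if, nis.if, nscd.if, samba.if, domain.if and files.if while nscd.if's nscd_unconfined and nscd.te's header add new ones. The convention for when a class must still be listed in a require block is not recorded anywhere in the diff. A one-line comment above this block stating why `passwd` (and `nscd` in nscd.te) must be required when the file, dir and socket classes no longer are would save the next reader from re-deriving it; the same comment belongs at the nscd.te hunk.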
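Review bot: `samba_rw_config(firstboot_t)` may grant less than the `rw_dir_file(firstboot_t, samba_etc_t)` call it replaces in the next hunk: the samba.if hunk shows samba_rw_config requiring only `type samba_etc_t` (its former class line was `class file rw_file_perms`) and opening with `files_search_etc($1)`, which points to file-level read/write on samba_etc_t rather than write on the directory. If firstboot creates files in a samba_etc_t directory instead of rewriting existing ones, it will now be denied, and nothing at build time will flag it because the optional_policy block compiles either way. Worth checking the interface body (outside the hunk) against what firstboot actually does, or recording the intent with `# firstboot only rewrites existing samba config; no directory write needed` if the narrowing is deliberate.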
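Review bot: The newly required `type devpts_t;` in term_use_all_user_ptys is not referenced by any line visible in the hunk; the interface body continues past `dev_list_all_dev_nodes($1)` outside the hunk, so presumably a rule on devpts_t follows, but if it does not the require is dead and should go. Since ptynode was the only requirement before, a brief comment in the require block naming the rule that uses devpts_t would make the dependency visible without reading the whole interface.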
diff --git a/refpolicy/policy/modules/services/kerberos.if b/refpolicy/policy/modules/services/kerberos.if
index b777d46..b1b0199 100644
--- a/refpolicy/policy/modules/services/kerberos.if
+++ b/refpolicy/policy/modules/services/kerberos.if
@@ -32,9 +32,6 @@ interface(`kerberos_use',` gen_require(` type krb5_conf_t; - class file r_file_perms; - class tcp_socket create_socket_perms; - class udp_socket create_socket_perms; ') files_search_etc($1)
@@ -71,7 +68,6 @@ interface(`kerberos_use',` interface(`kerberos_read_config',` gen_require(` type krb5_conf_t; - class files r_file_perms; ') files_search_etc($1)
@@ -89,7 +85,6 @@ interface(`kerberos_read_config',` interface(`kerberos_rw_config',` gen_require(` type krb5_conf_t; - class files rw_file_perms; ') files_search_etc($1)
diff --git a/refpolicy/policy/modules/services/nis.if b/refpolicy/policy/modules/services/nis.if
index 1f5a0c5..d744ed9 100644
--- a/refpolicy/policy/modules/services/nis.if
+++ b/refpolicy/policy/modules/services/nis.if
@@ -11,12 +11,6 @@ interface(`nis_use_ypbind',` gen_require(` type var_yp_t; - class dir r_dir_perms; - class lnk_file r_file_perms; - class file r_file_perms; - class capability net_bind_service; - class tcp_socket create_stream_socket_perms; - class udp_socket create_socket_perms; ') tunable_policy(`allow_ypbind',`
@@ -65,7 +59,6 @@ interface(`nis_use_ypbind',` interface(`nis_list_var_yp',` gen_require(` type ypbind_t; - class dir r_dir_perms; ') files_search_var($1)
@@ -83,7 +76,6 @@ interface(`nis_list_var_yp',` interface(`nis_udp_sendto_ypbind',` gen_require(` type ypbind_t; - class udp_socket { sendto recvfrom }; ') allow $1 ypbind_t:udp_socket sendto;
diff --git a/refpolicy/policy/modules/services/nscd.if b/refpolicy/policy/modules/services/nscd.if
index 08c7152..26740c9 100644
--- a/refpolicy/policy/modules/services/nscd.if
+++ b/refpolicy/policy/modules/services/nscd.if
@@ -11,9 +11,6 @@ interface(`nscd_domtrans',` gen_require(` type nscd_t, nscd_exec_t; - class process sigchld; - class fd use; - class fifo_file rw_file_perms; ') corecmd_search_sbin($1)
@@ -37,12 +34,6 @@ interface(`nscd_domtrans',` interface(`nscd_use_socket',` gen_require(` type nscd_t, nscd_var_run_t; - class fd use; - class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; - class unix_stream_socket { create_socket_perms connectto }; - class dir { search getattr }; - class sock_file rw_file_perms; - class file { getattr read }; ') allow $1 self:unix_stream_socket create_socket_perms;
@@ -70,12 +61,6 @@ interface(`nscd_use_socket',` interface(`nscd_use_shared_mem',` gen_require(` type nscd_t, nscd_var_run_t; - class fd use; - class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; - class unix_stream_socket { create_stream_socket_perms connectto }; - class dir r_dir_perms; - class sock_file rw_file_perms; - class file { getattr read }; ') allow $1 nscd_var_run_t:dir r_dir_perms;
@@ -106,8 +91,6 @@ interface(`nscd_use_shared_mem',` interface(`nscd_read_pid',` gen_require(` type nscd_var_run_t; - class dir search; - class file { getattr read }; ') files_search_pids($1)
@@ -126,6 +109,7 @@ interface(`nscd_read_pid',` interface(`nscd_unconfined',` gen_require(` type nscd_t; + class nscd all_nscd_perms; ') allow $1 nscd_t:nscd *;
diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te
index 0cb99bd..abb9b6e 100644
--- a/refpolicy/policy/modules/services/nscd.te
+++ b/refpolicy/policy/modules/services/nscd.te
@@ -1,6 +1,10 @@ policy_module(nscd,1.0) +gen_require(` + class nscd { admin getstat }; +') + ######################################## # # Declarations
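Review bot: In nscd_unconfined the new requirement `class nscd all_nscd_perms;` sits next to a rule that grants `allow $1 nscd_t:nscd *;`, so the require and the rule describe different sets and a reader cannot tell from the interface which one is authoritative. `all_nscd_perms` is not defined anywhere in this diff: if it is a new permission-set macro it needs its definition in the same commit, and if it already exists, the explicit sets `{ getpwd getgrp gethost shmempwd shmemgrp shmemhost }` removed from nscd_use_socket and nscd_use_shared_mem plus the `{ admin getstat }` required in nscd.te suggest the macro must cover all eight or the require understates what `*` grants. Aligning the two, `allow $1 nscd_t:nscd all_nscd_perms;`, keeps the interface self-describing.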
@@ -35,7 +39,6 @@ allow nscd_t self:udp_socket create_socket_perms; # For client program operation, invoked from sysadm_t. # Transition occurs to nscd_t due to direct_sysadm_daemon. -# cjp: this should probably be in a direct_sysadm_daemon tunable allow nscd_t self:nscd { admin getstat }; allow nscd_t nscd_log_t:file create_file_perms;
diff --git a/refpolicy/policy/modules/services/samba.if b/refpolicy/policy/modules/services/samba.if
index da8ca03..567cdb2 100644
--- a/refpolicy/policy/modules/services/samba.if
+++ b/refpolicy/policy/modules/services/samba.if
@@ -52,9 +52,6 @@ template(`samba_per_userdomain_template',` interface(`samba_domtrans_net',` gen_require(` type samba_net_t, samba_net_exec_t; - class process sigchld; - class fd use; - class fifo_file rw_file_perms; ') corecmd_search_bin($1)
@@ -84,7 +81,6 @@ interface(`samba_domtrans_net',` interface(`samba_run_net',` gen_require(` type samba_net_t; - class chr_file rw_term_perms; ') samba_domtrans_net($1)
@@ -103,9 +99,6 @@ interface(`samba_run_net',` interface(`samba_domtrans_smbmount',` gen_require(` type smbmount_t, smbmount_exec_t; - class process sigchld; - class fd use; - class fifo_file rw_file_perms; ') corecmd_search_bin($1)
@@ -129,7 +122,6 @@ interface(`samba_domtrans_smbmount',` interface(`samba_read_config',` gen_require(` type samba_etc_t; - class file { read getattr lock }; ') files_search_etc($1)
@@ -148,7 +140,6 @@ interface(`samba_read_config',` interface(`samba_rw_config',` gen_require(` type samba_etc_t; - class file rw_file_perms; ') files_search_etc($1)
@@ -166,7 +157,6 @@ interface(`samba_rw_config',` interface(`samba_read_log',` gen_require(` type samba_log_t; - class file { read getattr lock }; ') logging_search_logs($1)
@@ -201,7 +191,6 @@ interface(`samba_exec_log',` interface(`samba_read_secrets',` gen_require(` type samba_secrets_t; - class file { read getattr lock }; ') files_search_etc($1)
@@ -219,7 +208,6 @@ interface(`samba_read_secrets',` interface(`samba_write_smbmount_tcp_socket',` gen_require(` type smbmount_t; - class tcp_socket write; ') allow $1 smbmount_t:tcp_socket write;
@@ -236,7 +224,6 @@ interface(`samba_write_smbmount_tcp_socket',` interface(`samba_rw_smbmount_tcp_socket',` gen_require(` type smbmount_t; - class tcp_socket { read write }; ') allow $1 smbmount_t:tcp_socket { read write };
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 6f56a29..6e5af0f 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -875,12 +875,7 @@ interface(`domain_unconfined',` attribute can_change_process_identity; attribute can_change_process_role; attribute can_change_object_identity; - class fd use; - class fifo_file rw_file_perms; - class process { transition dyntransition execmem }; - class dir r_dir_perms; - class file r_file_perms; - class lnk_file r_file_perms; + attribute unconfined_domain; ') typeattribute $1 unconfined_domain;
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index df31a4e..c22f519 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -700,7 +700,6 @@ interface(`files_mounton_default',` interface(`files_dontaudit_getattr_default_files',` gen_require(` type default_t; - class files getattr; ') dontaudit $1 default_t:file getattr;
diff --git a/refpolicy/policy/support/loadable_module.spt b/refpolicy/policy/support/loadable_module.spt
index 71954e1..787957e 100644
--- a/refpolicy/policy/support/loadable_module.spt
+++ b/refpolicy/policy/support/loadable_module.spt
@@ -22,9 +22,11 @@ define(`policy_module',` # define(`gen_require',` ifdef(`monolithic_policy',`',` + define(`in_gen_require_block') require { $1 } + undefine(`in_gen_require_block') ') ')
@@ -107,15 +109,28 @@ define(`dflt_or_overr',`ifdef(`$1',$1,$2)') # Tunable declaration # define(`gen_tunable',` - ifdef(`monolithic_policy',` - bool $1 dflt_or_overr(`$1'_conf,$2); + ifdef(`in_gen_require_block',` + ifdef(`monolithic_policy',` + bool $1; + ',` + # loadable module tunable + # declaration will go here + # instead of bool when + # loadable modules support + # tunables + bool $1; + ') ',` - # loadable module tunable - # declaration will go here - # instead of bool when - # loadable modules support - # tunables - bool $1 dflt_or_overr(`$1'_conf,$2); + ifdef(`monolithic_policy',` + bool $1 dflt_or_overr(`$1'_conf,$2); + ',` + # loadable module tunable + # declaration will go here + # instead of bool when + # loadable modules support + # tunables + bool $1 dflt_or_overr(`$1'_conf,$2); + ') ') ')
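Review bot: The inner `ifdef(`monolithic_policy'` under the new `in_gen_require_block` branch of gen_tunable looks unreachable: the gen_require change in the preceding loadable_module.spt hunk only defines `in_gen_require_block` in the non-monolithic arm, and under `monolithic_policy` gen_require expands to nothing, so a gen_tunable inside a require block is discarded before it is ever scanned — unless something outside this diff also defines the flag. That dead arm brings with it a second copy of the five-line "loadable module tunable declaration will go here" comment, which now has to be kept in sync in two places. Collapsing the require-block branch to the single `bool $1;` it can actually produce, with a comment explaining why the monolithic case never reaches it, removes both problems; the preceding hunk would also benefit from a one-line comment on `define(`in_gen_require_block')` saying it exists so gen_tunable can emit a bare declaration inside `require { }`.
```m4
define(`gen_tunable',`
	ifdef(`in_gen_require_block',`
		# inside a require block only the name is declared; the
		# monolithic case cannot reach here because gen_require
		# expands to nothing when monolithic_policy is defined
		bool $1;
	',`
		# … unchanged: monolithic / loadable declaration with dflt_or_overr …
	')
')
```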