diff --git a/refpolicy/Makefile b/refpolicy/Makefile index 6f3ac9f..c49cfdb 100644 --- a/refpolicy/Makefile +++ b/refpolicy/Makefile @@ -71,7 +71,7 @@ MONOLITHIC=y PREFIX := /usr BINDIR := $(PREFIX)/bin SBINDIR := $(PREFIX)/sbin -CHECKPOLICY := $(BINDIR)/checkpolicy +CHECKPOLICY := /tmp/$(BINDIR)/checkpolicy CHECKMODULE := $(BINDIR)/checkmodule SEMOD_PKG := $(BINDIR)/semodule_package LOADPOLICY := $(SBINDIR)/load_policy diff --git a/refpolicy/policy/modules/services/cpucontrol.te b/refpolicy/policy/modules/services/cpucontrol.te index ddb5869..c858827 100644 --- a/refpolicy/policy/modules/services/cpucontrol.te +++ b/refpolicy/policy/modules/services/cpucontrol.te @@ -8,14 +8,14 @@ policy_module(cpucontrol,1.0) type cpucontrol_t; type cpucontrol_exec_t; -init_daemon_domain(cpucontrol_t,cpucontrol_exec_t) +init_system_domain(cpucontrol_t,cpucontrol_exec_t) type cpucontrol_conf_t; files_type(cpucontrol_conf_t) type cpuspeed_t; type cpuspeed_exec_t; -init_daemon_domain(cpuspeed_t,cpuspeed_exec_t) +init_system_domain(cpuspeed_t,cpuspeed_exec_t) ######################################## # @@ -61,6 +61,10 @@ ifdef(`targeted_policy',` files_dontaudit_read_root_file(cpucontrol_t) ') +optional_policy(`nscd.te',` + nscd_use_socket(cpucontrol_t) +') + optional_policy(`selinuxutil.te',` seutil_sigchld_newrole(cpucontrol_t) ') @@ -117,6 +121,10 @@ ifdef(`targeted_policy',` files_dontaudit_read_root_file(cpuspeed_t) ') +optional_policy(`nscd.te',` + nscd_use_socket(cpuspeed_t) +') + optional_policy(`selinuxutil.te',` seutil_sigchld_newrole(cpuspeed_t) ') diff --git a/refpolicy/policy/modules/services/finger.te b/refpolicy/policy/modules/services/finger.te index 64c4d5d..72c467f 100644 --- a/refpolicy/policy/modules/services/finger.te +++ b/refpolicy/policy/modules/services/finger.te @@ -7,7 +7,7 @@ policy_module(finger,1.0) # type fingerd_t; type fingerd_exec_t; -init_daemon_domain(fingerd_t,fingerd_exec_t) +init_system_domain(fingerd_t,fingerd_exec_t) inetd_tcp_service_domain(fingerd_t,fingerd_exec_t) type fingerd_etc_t; diff --git a/refpolicy/policy/modules/services/inetd.if b/refpolicy/policy/modules/services/inetd.if index 4a85162..3d97f1c 100644 --- a/refpolicy/policy/modules/services/inetd.if +++ b/refpolicy/policy/modules/services/inetd.if @@ -32,14 +32,37 @@ interface(`inetd_core_service_domain',` role system_r types $1; - domain_auto_trans(inetd_t,$2,$1) - - allow $1 inetd_t:fd use; - allow inetd_t $1:fd use; - allow $1 inetd_t:fifo_file rw_file_perms; - allow $1 inetd_t:process sigchld; - allow inetd_t $1:process sigkill; + + ifdef(`targeted_policy',` + # this regex is a hack, since it assumes there is a + # _t at the end of the domain type. If there is no _t + # at the end of the type, it returns empty! + bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false; + if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) { + can_exec(inetd_t,$2) + } else { + domain_auto_trans(inetd_t,$2,$1) + allow inetd_t $1:fd use; + allow $1 inetd_t:fd use; + allow $1 inetd_t:fifo_file rw_file_perms; + allow $1 inetd_t:process sigchld; + dontaudit inetd_t $1:process { noatsecure siginh rlimitinh }; + + # make sediff happy + allow $1 $2:file { rx_file_perms entrypoint }; + } + ',` + domain_auto_trans(inetd_t,$2,$1) + allow inetd_t $1:fd use; + allow $1 inetd_t:fd use; + allow $1 inetd_t:fifo_file rw_file_perms; + allow $1 inetd_t:process sigchld; + dontaudit inetd_t $1:process { noatsecure siginh rlimitinh }; + + # make sediff happy + allow $1 $2:file { rx_file_perms entrypoint }; + ') ') ######################################## diff --git a/refpolicy/policy/modules/services/tftp.te b/refpolicy/policy/modules/services/tftp.te index d6e1096..2b791ad 100644 --- a/refpolicy/policy/modules/services/tftp.te +++ b/refpolicy/policy/modules/services/tftp.te @@ -8,7 +8,7 @@ policy_module(tftp,1.0) type tftpd_t; type tftpd_exec_t; -init_daemon_domain(tftpd_t,tftpd_exec_t) +init_system_domain(tftpd_t,tftpd_exec_t) inetd_udp_service_domain(tftpd_t,tftpd_exec_t) type tftpd_var_run_t; diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if index 8623dd5..d4b8319 100644 --- a/refpolicy/policy/modules/system/init.if +++ b/refpolicy/policy/modules/system/init.if @@ -99,6 +99,9 @@ interface(`init_daemon_domain',` allow $1 initrc_t:fifo_file rw_file_perms; allow $1 initrc_t:process sigchld; allow initrc_t $1:process { noatsecure siginh rlimitinh }; + + # make sediff happy + allow $1 $2:file { rx_file_perms entrypoint }; } ',` domain_auto_trans(initrc_t,$2,$1) @@ -107,6 +110,9 @@ interface(`init_daemon_domain',` allow $1 initrc_t:fifo_file rw_file_perms; allow $1 initrc_t:process sigchld; dontaudit initrc_t $1:process { noatsecure siginh rlimitinh }; + + # make sediff happy + allow $1 $2:file { rx_file_perms entrypoint }; ') optional_policy(`nscd.te',` diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te index 01962c1..99fbe40 100644 --- a/refpolicy/policy/modules/system/unconfined.te +++ b/refpolicy/policy/modules/system/unconfined.te @@ -49,4 +49,5 @@ ifdef(`targeted_policy',` ') ') dnl end TODO + typeattribute unconfined_t direct_run_init; ')