diff --git a/docs/macro_conversion_guide b/docs/macro_conversion_guide index cebb782..37e2e30 100644 --- a/docs/macro_conversion_guide +++ b/docs/macro_conversion_guide @@ -976,6 +976,7 @@ kernel_read_all_sysctl($1) # # rhgb_domain(): # +# # # rw_dir_create_file(): complete diff --git a/refpolicy/policy/modules/admin/updfstab.if b/refpolicy/policy/modules/admin/updfstab.if index ec216aa..753454f 100644 --- a/refpolicy/policy/modules/admin/updfstab.if +++ b/refpolicy/policy/modules/admin/updfstab.if @@ -11,9 +11,6 @@ interface(`updfstab_domtrans',` gen_require(` type updfstab_t, updfstab_exec_t; - class process sigchld; - class fd use; - class fifo_file rw_file_perms; ') files_search_usr($1) diff --git a/refpolicy/policy/modules/admin/updfstab.te b/refpolicy/policy/modules/admin/updfstab.te index f429e86..9550ee0 100644 --- a/refpolicy/policy/modules/admin/updfstab.te +++ b/refpolicy/policy/modules/admin/updfstab.te @@ -8,7 +8,7 @@ policy_module(updfstab,1.0) type updfstab_t; type updfstab_exec_t; -init_daemon_domain(updfstab_t,updfstab_exec_t) +init_system_domain(updfstab_t,updfstab_exec_t) ######################################## # @@ -43,8 +43,8 @@ selinux_compute_user_contexts(updfstab_t) storage_raw_read_fixed_disk(updfstab_t) storage_raw_write_fixed_disk(updfstab_t) -storage_raw_read_fixed_disk(updfstab_t) -storage_raw_write_fixed_disk(updfstab_t) +storage_raw_read_removable_device(updfstab_t) +storage_raw_write_removable_device(updfstab_t) storage_read_scsi_generic(updfstab_t) storage_write_scsi_generic(updfstab_t) @@ -104,6 +104,10 @@ optional_policy(`modutils.te',` modutils_read_mods_deps(updfstab_t) ') +optional_policy(`nscd.te',` + nscd_use_socket(updfstab_t) +') + optional_policy(`selinuxutil.te',` seutil_sigchld_newrole(updfstab_t) ') diff --git a/refpolicy/policy/modules/apps/webalizer.te b/refpolicy/policy/modules/apps/webalizer.te index 529fa63..e39a9d2 100644 --- a/refpolicy/policy/modules/apps/webalizer.te +++ b/refpolicy/policy/modules/apps/webalizer.te @@ -34,6 +34,7 @@ allow webalizer_t self:capability dac_override; allow webalizer_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow webalizer_t self:fd use; allow webalizer_t self:fifo_file rw_file_perms; +allow webalizer_t self:sock_file r_file_perms; allow webalizer_t self:shm create_shm_perms; allow webalizer_t self:sem create_sem_perms; allow webalizer_t self:msgq create_msgq_perms; diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te index ae2542d..87cb644 100644 --- a/refpolicy/policy/modules/services/samba.te +++ b/refpolicy/policy/modules/services/samba.te @@ -671,6 +671,11 @@ logging_send_syslog_msg(winbind_helper_t) miscfiles_read_localization(winbind_helper_t) +ifdef(`targeted_policy',` + term_use_generic_pty(winbind_helper_t) + term_use_unallocated_tty(winbind_helper_t) +') + optional_policy(`nscd.te',` nscd_use_socket(winbind_helper_t) ') diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te index dc40fc9..5f68f1b 100644 --- a/refpolicy/policy/modules/system/modutils.te +++ b/refpolicy/policy/modules/system/modutils.te @@ -259,3 +259,8 @@ logging_send_syslog_msg(update_modules_t) miscfiles_read_localization(update_modules_t) userdom_dontaudit_search_sysadm_home_dir(update_modules_t) + +ifdef(`targeted_policy',` + term_use_generic_pty(update_modules_t) + term_use_unallocated_tty(update_modules_t) +') diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if index 925a055..fa906c6 100644 --- a/refpolicy/policy/modules/system/selinuxutil.if +++ b/refpolicy/policy/modules/system/selinuxutil.if @@ -549,14 +549,13 @@ interface(`seutil_read_default_contexts',` interface(`seutil_read_file_contexts',` gen_require(` type selinux_config_t, file_context_t; - class dir r_dir_perms; - class file r_file_perms; ') files_search_etc($1) allow $1 selinux_config_t:dir search; allow $1 file_context_t:dir r_dir_perms; allow $1 file_context_t:file r_file_perms; + allow $1 file_context_t:lnk_file { getattr read }; ') ######################################## diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te index 748bb7a..c9a5d38 100644 --- a/refpolicy/policy/modules/system/unconfined.te +++ b/refpolicy/policy/modules/system/unconfined.te @@ -66,6 +66,10 @@ ifdef(`targeted_policy',` su_per_userdomain_template(sysadm,unconfined_t,system_r) ') + optional_policy(`webalizer.te',` + webalizer_domtrans(unconfined_t) + ') + ifdef(`TODO',` ifdef(`use_mcs',` rw_dir_create_file(sysadm_su_t, home_dir_type)