diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te index 1b117a0..e7ab89a 100644 --- a/refpolicy/policy/modules/admin/consoletype.te +++ b/refpolicy/policy/modules/admin/consoletype.te @@ -9,8 +9,8 @@ policy_module(consoletype, 1.0) type consoletype_t; type consoletype_exec_t; -domain_make_init_domain(consoletype_t,consoletype_exec_t) -domain_make_system_domain(consoletype_t,consoletype_exec_t) +init_make_init_domain(consoletype_t,consoletype_exec_t) +init_make_system_domain(consoletype_t,consoletype_exec_t) role system_r types consoletype_t; ######################################## diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te index 92ca0bd..060c777 100644 --- a/refpolicy/policy/modules/admin/netutils.te +++ b/refpolicy/policy/modules/admin/netutils.te @@ -9,7 +9,7 @@ policy_module(devices,1.0) type netutils_t; type netutils_exec_t; -domain_make_system_domain(netutils_t,netutils_exec_t) +init_make_system_domain(netutils_t,netutils_exec_t) role system_r types netutils_t; type netutils_tmp_t; @@ -17,12 +17,12 @@ files_make_temporary_file(netutils_tmp_t) type ping_t; #, nscd_client_domain; type ping_exec_t; -domain_make_system_domain(ping_t,ping_exec_t) +init_make_system_domain(ping_t,ping_exec_t) role system_r types ping_t; type traceroute_t; #, nscd_client_domain; type traceroute_exec_t; -domain_make_system_domain(traceroute_t,traceroute_exec_t) +init_make_system_domain(traceroute_t,traceroute_exec_t) role system_r types traceroute_t; # diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te index 6b95a66..c3457c4 100644 --- a/refpolicy/policy/modules/admin/usermanage.te +++ b/refpolicy/policy/modules/admin/usermanage.te @@ -33,7 +33,7 @@ files_make_temporary_file(crack_tmp_t) type groupadd_t; #, nscd_client_domain; type groupadd_exec_t; kernel_make_object_identity_change_constraint_exception(groupadd_t) -domain_make_system_domain(groupadd_t,groupadd_exec_t) +init_make_system_domain(groupadd_t,groupadd_exec_t) role system_r types groupadd_t; type passwd_t; @@ -55,7 +55,7 @@ files_make_file(sysadm_passwd_tmp_t) type useradd_t; # nscd_client_domain; type useradd_exec_t; kernel_make_object_identity_change_constraint_exception(useradd_t) -domain_make_system_domain(useradd_t,useradd_exec_t) +init_make_system_domain(useradd_t,useradd_exec_t) role system_r types useradd_t; ######################################## diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if index 3bea5c3..9d6420c 100644 --- a/refpolicy/policy/modules/kernel/kernel.if +++ b/refpolicy/policy/modules/kernel/kernel.if @@ -2,6 +2,24 @@ ######################################## # +# kernel_make_userland_entrypoint(domain,entrypoint) +# +define(`kernel_make_userland_entrypoint',` +requires_block_template(`$0'_depend) +allow kernel_t $2:file { getattr read execute }; +allow kernel_t $1:process transition; +type_transition kernel_t $2:process $1; +dontaudit kernel_t $1:process { noatsecure siginh rlimitinh }; +') + +define(`kernel_make_userland_entrypoint_depend',` +type kernel_t; +class process { transition noatsecure siginh rlimitinh }; +class file { getattr read execute }; +') + +######################################## +# # kernel_share_state(domain) # define(`kernel_share_state',` @@ -1071,24 +1089,6 @@ class lnk_file { getattr read }; ######################################## # -# kernel_transition_from(domain,entrypoint) -# -define(`kernel_transition_from',` -requires_block_template(`$0'_depend) -allow kernel_t $2:file { getattr read execute }; -allow kernel_t $1:process transition; -type_transition kernel_t $2:process $1; -dontaudit kernel_t $1:process { noatsecure siginh rlimitinh }; -') - -define(`kernel_transition_from_depend',` -type kernel_t; -class file { getattr read execute }; -class process transition; -') - -######################################## -# # kernel_sigchld_from(domain) # define(`kernel_sigchld_from',` diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index bca41c4..05939c0 100644 --- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te @@ -18,7 +18,7 @@ files_make_file(cron_spool_t) type crond_t; #, privmail, nscd_client_domain type crond_exec_t; -domain_make_daemon_domain(crond_t,crond_exec_t) +init_make_daemon_domain(crond_t,crond_exec_t) domain_make_file_descriptors_widely_inheritable(crond_t) type crond_log_t; @@ -35,7 +35,7 @@ files_make_file(crontab_exec_t) type system_cron_spool_t; type system_crond_t; #, privmail, nscd_client_domain; -domain_make_daemon_domain(system_crond_t,anacron_exec_t) +init_make_daemon_domain(system_crond_t,anacron_exec_t) corecommands_make_shell_entrypoint(system_crond_t) role system_r types system_crond_t; diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if index 7cdb652..0200795 100644 --- a/refpolicy/policy/modules/services/mta.if +++ b/refpolicy/policy/modules/services/mta.if @@ -142,7 +142,7 @@ define(`mta_per_userdomain_template_depend',` # define(`mta_make_mailserver_domain',` requires_block_template(`$0'_depend) -domain_make_daemon_domain($1,$2) +init_make_daemon_domain($1,$2) typeattribute $1 mailserver_domain; ') diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te index 843edfb..f187620 100644 --- a/refpolicy/policy/modules/services/mta.te +++ b/refpolicy/policy/modules/services/mta.te @@ -32,7 +32,7 @@ tunable_policy(`targeted_policy',`',` optional_policy(`sendmail.te', ` domain_make_entrypoint_file(system_mail_t,sendmail_exec_t) ', ` -domain_make_system_domain(system_mail_t,sendmail_exec_t) +init_make_system_domain(system_mail_t,sendmail_exec_t) ') dnl end if sendmail ') dnl end targeted_policy diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te index c52265f..c1f35ed 100644 --- a/refpolicy/policy/modules/system/authlogin.te +++ b/refpolicy/policy/modules/system/authlogin.te @@ -25,7 +25,7 @@ files_make_file(login_exec_t) type pam_console_t; type pam_console_exec_t; -domain_make_system_domain(pam_console_t,pam_console_exec_t) +init_make_system_domain(pam_console_t,pam_console_exec_t) role system_r types pam_console_t; domain_make_entrypoint_file(pam_console_t,pam_console_exec_t) diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te index cf39327..3bd5bf7 100644 --- a/refpolicy/policy/modules/system/clock.te +++ b/refpolicy/policy/modules/system/clock.te @@ -12,7 +12,7 @@ files_make_file(adjtime_t) type hwclock_t; type hwclock_exec_t; -domain_make_system_domain(hwclock_t,hwclock_exec_t) +init_make_system_domain(hwclock_t,hwclock_exec_t) role system_r types hwclock_t; ######################################## diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if index d7a8821..69c8de8 100644 --- a/refpolicy/policy/modules/system/domain.if +++ b/refpolicy/policy/modules/system/domain.if @@ -64,60 +64,6 @@ class file entrypoint; ######################################## # -# domain_make_init_domain(domain,entrypointfile) -# -define(`domain_make_init_domain',` -requires_block_template(`$0'_depend) -domain_make_domain($1) -domain_make_entrypoint_file($1,$2) -typeattribute $1 init_domain; -typeattribute $2 init_domain_entry; -role system_r types $1; -') - -define(`domain_make_init_domain_depend',` -attribute init_domain, init_domain_entry; -role system_r; -') - -######################################## -# -# domain_make_daemon_domain(domain,entrypointfile) -# -define(`domain_make_daemon_domain',` -requires_block_template(`$0'_depend) -domain_make_domain($1) -domain_make_entrypoint_file($1,$2) -typeattribute $1 daemon_domain; -typeattribute $2 daemon_domain_entry; -role system_r types $1; -') - -define(`domain_make_daemon_domain_depend',` -attribute init_domain, init_domain_entry; -role system_r; -') - -######################################## -# -# domain_make_system_domain(domain,entrypointfile) -# -define(`domain_make_system_domain',` -requires_block_template(`$0'_depend) -domain_make_domain($1) -domain_make_entrypoint_file($1,$2) -typeattribute $1 system_domain; -typeattribute $2 system_domain_entry; -role system_r types $1; -') - -define(`domain_make_system_domain_depend',` -attribute system_domain, system_domain_entry; -role system_r; -') - -######################################## -# # domain_make_file_descriptors_widely_inheritable(domain) # define(`domain_make_file_descriptors_widely_inheritable',` @@ -159,60 +105,6 @@ class fd use; ######################################## # -# domain_all_init_domains_transition(domain) -# -define(`domain_all_init_domains_transition',` -requires_block_template(`$0'_depend) -allow $1 init_domain:process transition; -allow $1 init_domain_entry:file { getattr read execute }; -dontaudit $1 init_domain:process { noatsecure siginh rlimitinh }; -') - -define(`domain_all_init_domains_transition_depend',` -attribute init_domain, init_domain_entry; -class process { transition noatsecure siginh rlimitinh }; -class file { getattr read execute }; -') - -######################################## -# -# domain_all_daemon_domains_transition(domain) -# -define(`domain_all_daemon_domains_transition',` -requires_block_template(`$0'_depend) -allow $1 daemon_domain:process transition; -allow $1 daemon_domain_entry:file { getattr read execute }; -allow daemon_domain $1:fd use; -allow $1 daemon_domain:process { noatsecure siginh rlimitinh }; -') - -define(`domain_all_daemon_domains_transition_depend',` -attribute daemon_domain, daemon_domain_entry; -class process { transition noatsecure siginh rlimitinh }; -class file { getattr read execute }; -') - -######################################## -# -# domain_all_system_domains_transition(domain) -# -define(`domain_all_system_domains_transition',` -requires_block_template(`$0'_depend) -allow $1 system_domain:process transition; -allow $1 system_domain_entry:file { getattr read execute }; -allow system_domain $1:fd use; -allow $1 system_domain:process { noatsecure siginh rlimitinh }; -') - -define(`domain_all_system_domains_transition_depend',` -attribute system_domain, system_domain_entry; -class process { transition noatsecure siginh rlimitinh }; -class file { getattr read execute }; -') - - -######################################## -# # domain_signal_all_domains(domain) # define(`domain_signal_all_domains',` diff --git a/refpolicy/policy/modules/system/domain.te b/refpolicy/policy/modules/system/domain.te index 62eeef5..fb2c54a 100644 --- a/refpolicy/policy/modules/system/domain.te +++ b/refpolicy/policy/modules/system/domain.te @@ -8,20 +8,6 @@ attribute domain; # entrypoint executables attribute entry_type; -# processes started by init itself -attribute init_domain; -attribute init_domain_entry; - -# short running processes started by init scripts, -# such as mount, usually for initializing the system -attribute system_domain; -attribute system_domain_entry; - -# long running application processes started by -# init scripts, such as sshd -attribute daemon_domain; -attribute daemon_domain_entry; - # widely-inheritable file descriptors attribute privfd; diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te index ca2feb1..09a7a0b 100644 --- a/refpolicy/policy/modules/system/getty.te +++ b/refpolicy/policy/modules/system/getty.te @@ -4,7 +4,7 @@ policy_module(getty,1.0) type getty_t; type getty_exec_t; -domain_make_init_domain(getty_t,getty_exec_t) +init_make_init_domain(getty_t,getty_exec_t) domain_make_file_descriptors_widely_inheritable(getty_t) type getty_etc_t; diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te index dd3ebe2..f5c9f26 100644 --- a/refpolicy/policy/modules/system/hostname.te +++ b/refpolicy/policy/modules/system/hostname.te @@ -9,7 +9,7 @@ policy_module(hostname,1.0) type hostname_t; type hostname_exec_t; -domain_make_system_domain(hostname_t,hostname_exec_t) +init_make_system_domain(hostname_t,hostname_exec_t) role system_r types hostname_t; diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te index 10e5d1b..cad4a31 100644 --- a/refpolicy/policy/modules/system/hotplug.te +++ b/refpolicy/policy/modules/system/hotplug.te @@ -9,7 +9,8 @@ policy_module(hotplug, 1.0) type hotplug_t; type hotplug_exec_t; -domain_make_system_domain(hotplug_t,hotplug_exec_t) +kernel_make_userland_entrypoint(hotplug_t,hotplug_exec_t) +init_make_system_domain(hotplug_t,hotplug_exec_t) type hotplug_etc_t; #, usercanread; files_make_file(hotplug_etc_t) @@ -46,7 +47,6 @@ kernel_read_kernel_sysctl(hotplug_t) kernel_read_hardware_state(hotplug_t) kernel_read_network_sysctl(hotplug_t) kernel_read_usb_hardware_state(hotplug_t) -kernel_transition_from(hotplug_t,hotplug_exec_t) bootloader_read_kernel_modules(hotplug_t) diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if index 23b3877..a701982 100644 --- a/refpolicy/policy/modules/system/init.if +++ b/refpolicy/policy/modules/system/init.if @@ -2,6 +2,78 @@ ######################################## # +# init_make_init_domain(domain,entrypointfile) +# +define(`init_make_init_domain',` +requires_block_template(`$0'_depend) +domain_make_domain($1) +domain_make_entrypoint_file($1,$2) +role system_r types $1; +allow init_t $1:process transition; +allow init_t $2:file { getattr read execute }; +dontaudit init_t $1:process { noatsecure siginh rlimitinh }; +type_transition init_t $2:process $1; +') + +define(`init_make_init_domain_depend',` +type init_t; +class file { getattr read execute }; +class fd use; +class process { transition noatsecure siginh rlimitinh }; +role system_r; +') + +######################################## +# +# init_make_daemon_domain(domain,entrypointfile) +# +define(`init_make_daemon_domain',` +requires_block_template(`$0'_depend) +domain_make_domain($1) +domain_make_entrypoint_file($1,$2) +role system_r types $1; +allow initrc_t $1:process transition; +allow initrc_t $2:file { getattr read execute }; +dontaudit initrc_t $1:process { noatsecure siginh rlimitinh }; +allow $1 initrc_t:fd use; +type_transition initrc_t $2:process $1; +') + +define(`init_make_daemon_domain_depend',` +type initrc_t; +class file { getattr read execute }; +class fd use; +class process { transition noatsecure siginh rlimitinh }; +role system_r; +') + +######################################## +# +# init_make_system_domain(domain,entrypointfile) +# +define(`init_make_system_domain',` +requires_block_template(`$0'_depend) +domain_make_domain($1) +domain_make_entrypoint_file($1,$2) +role system_r types $1; +allow initrc_t $1:process transition; +allow initrc_t $2:file { getattr read execute }; +dontaudit initrc_t $1:process { noatsecure siginh rlimitinh }; +allow $1 initrc_t:fd use; +type_transition initrc_t $2:process $1; +') + +define(`init_make_system_domain_depend',` +type initrc_t; +class file { getattr read execute }; +class fd use; +class process { transition noatsecure siginh rlimitinh }; +role system_r; +') + + +######################################## +# # init_transition(domain) # define(`init_transition',` diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 396fe27..bccab0a 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -18,6 +18,7 @@ role system_r types init_t; # init_exec_t is the type of the init program. # type init_exec_t; +kernel_make_userland_entrypoint(init_t,init_exec_t) domain_make_entrypoint_file(init_t,init_exec_t) # @@ -82,7 +83,6 @@ allow init_t initrc_exec_t:file { getattr read execute }; allow init_t self:fifo_file { read write ioctl }; -kernel_transition_from(init_t,init_exec_t) kernel_sigchld_from(init_t) # If you load a new policy that removes active domains, processes can @@ -100,7 +100,6 @@ terminal_use_all_terminals(init_t) domain_signal_all_domains(init_t) domain_kill_all_domains(init_t) -domain_all_init_domains_transition(init_t) files_modify_system_runtime_data(init_t) @@ -233,8 +232,6 @@ bootloader_read_kernel_symbol_table(initrc_t) domain_kill_all_domains(initrc_t) domain_read_all_domains_process_state(initrc_t) -domain_all_daemon_domains_transition(initrc_t) -domain_all_system_domains_transition(initrc_t) domain_use_widely_inheritable_file_descriptors(initrc_t) libraries_modify_dynamic_loader_cache(initrc_t) diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te index 85c5274..065686e 100644 --- a/refpolicy/policy/modules/system/iptables.te +++ b/refpolicy/policy/modules/system/iptables.te @@ -9,7 +9,7 @@ policy_module(iptables, 1.0) type iptables_t; type iptables_exec_t; -domain_make_system_domain(iptables_t,iptables_exec_t) +init_make_system_domain(iptables_t,iptables_exec_t) role system_r types iptables_t; type iptables_tmp_t; diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te index d9bd857..699519b 100644 --- a/refpolicy/policy/modules/system/locallogin.te +++ b/refpolicy/policy/modules/system/locallogin.te @@ -24,8 +24,8 @@ type sulogin_exec_t; kernel_make_object_identity_change_constraint_exception(sulogin_t) kernel_make_process_identity_change_constraint_exception(sulogin_t) kernel_make_role_change_constraint_exception(sulogin_t) -domain_make_init_domain(sulogin_t,sulogin_exec_t) -domain_make_system_domain(sulogin_t,sulogin_exec_t) +init_make_init_domain(sulogin_t,sulogin_exec_t) +init_make_system_domain(sulogin_t,sulogin_exec_t) domain_make_file_descriptors_widely_inheritable(sulogin_t) role system_r types sulogin_t; diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te index 33c518b..b7e3700 100644 --- a/refpolicy/policy/modules/system/logging.te +++ b/refpolicy/policy/modules/system/logging.te @@ -9,7 +9,7 @@ files_make_file(devlog_t) type klogd_t; type klogd_exec_t; -domain_make_daemon_domain(klogd_t,klogd_exec_t) +init_make_daemon_domain(klogd_t,klogd_exec_t) type klogd_tmp_t; files_make_temporary_file(klogd_tmp_t) @@ -19,7 +19,7 @@ files_make_daemon_runtime_file(klogd_var_run_t) type syslogd_t; type syslogd_exec_t; -domain_make_daemon_domain(syslogd_t,syslogd_exec_t) +init_make_daemon_domain(syslogd_t,syslogd_exec_t) type syslogd_tmp_t; files_make_temporary_file(syslogd_tmp_t) diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te index 196e78d..2b6a3ff 100644 --- a/refpolicy/policy/modules/system/lvm.te +++ b/refpolicy/policy/modules/system/lvm.te @@ -9,7 +9,7 @@ policy_module(lvm,1.0) type lvm_t; type lvm_exec_t; -domain_make_system_domain(lvm_t,lvm_exec_t) +init_make_system_domain(lvm_t,lvm_exec_t) # needs privowner because it assigns the identity system_u to device nodes # but runs as the identity of the sysadmin kernel_make_object_identity_change_constraint_exception(lvm_t) diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te index c09291b..2af4e81 100644 --- a/refpolicy/policy/modules/system/modutils.te +++ b/refpolicy/policy/modules/system/modutils.te @@ -17,17 +17,18 @@ files_make_file(modules_dep_t) type insmod_t; type insmod_exec_t; -domain_make_system_domain(insmod_t,insmod_exec_t) +kernel_make_userland_entrypoint(insmod_t,insmod_exec_t) +init_make_system_domain(insmod_t,insmod_exec_t) role system_r types insmod_t; type depmod_t; type depmod_exec_t; -domain_make_system_domain(depmod_t,depmod_exec_t) +init_make_system_domain(depmod_t,depmod_exec_t) role system_r types depmod_t; type update_modules_t; type update_modules_exec_t; -domain_make_system_domain(update_modules_t,update_modules_exec_t) +init_make_system_domain(update_modules_t,update_modules_exec_t) role system_r types update_modules_t; type update_modules_tmp_t; @@ -49,8 +50,6 @@ allow insmod_t { modules_conf_t modules_dep_t }:file { getattr read }; allow insmod_t insmod_exec_t:file { getattr read execute execute_no_trans }; -kernel_transition_from(insmod_t,insmod_exec_t) - kernel_load_module(insmod_t) # Rules for /proc/sys/kernel/tainted diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te index e8f256f..f3d0d8d 100644 --- a/refpolicy/policy/modules/system/mount.te +++ b/refpolicy/policy/modules/system/mount.te @@ -2,7 +2,7 @@ type mount_t; type mount_exec_t; -domain_make_system_domain(mount_t,mount_exec_t) +init_make_system_domain(mount_t,mount_exec_t) role system_r types mount_t; type mount_tmp_t; diff --git a/refpolicy/policy/modules/system/selinux.te b/refpolicy/policy/modules/system/selinux.te index 7f03aab..f04ed99 100644 --- a/refpolicy/policy/modules/system/selinux.te +++ b/refpolicy/policy/modules/system/selinux.te @@ -67,7 +67,7 @@ files_make_file(policy_src_t) type restorecon_t, can_relabelto_binary_policy; type restorecon_exec_t; kernel_make_object_identity_change_constraint_exception(restorecon_t) -domain_make_system_domain(restorecon_t,restorecon_exec_t) +init_make_system_domain(restorecon_t,restorecon_exec_t) role system_r types restorecon_t; # diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index 7f03aab..f04ed99 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -67,7 +67,7 @@ files_make_file(policy_src_t) type restorecon_t, can_relabelto_binary_policy; type restorecon_exec_t; kernel_make_object_identity_change_constraint_exception(restorecon_t) -domain_make_system_domain(restorecon_t,restorecon_exec_t) +init_make_system_domain(restorecon_t,restorecon_exec_t) role system_r types restorecon_t; # diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te index e8818fc..b9a48af 100644 --- a/refpolicy/policy/modules/system/sysnetwork.te +++ b/refpolicy/policy/modules/system/sysnetwork.te @@ -9,7 +9,7 @@ policy_module(sysnetwork,1.0) type dhcpc_t; type dhcpc_exec_t; -domain_make_daemon_domain(dhcpc_t,dhcpc_exec_t) +init_make_daemon_domain(dhcpc_t,dhcpc_exec_t) role system_r types dhcpc_t; type dhcpc_state_t; @@ -23,7 +23,7 @@ files_make_daemon_runtime_file(dhcpc_var_run_t) type ifconfig_t; type ifconfig_exec_t; -domain_make_system_domain(ifconfig_t, ifconfig_exec_t) +init_make_system_domain(ifconfig_t, ifconfig_exec_t) role system_r types ifconfig_t; type net_conf_t alias resolv_conf_t; diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te index 57598ff..974b819 100644 --- a/refpolicy/policy/modules/system/udev.te +++ b/refpolicy/policy/modules/system/udev.te @@ -10,8 +10,9 @@ policy_module(udev,1.0) type udev_t; # nscd_client_domain type udev_exec_t; type udev_helper_exec_t; +kernel_make_userland_entrypoint(udev_t,udev_exec_t) kernel_make_object_identity_change_constraint_exception(udev_t) -domain_make_daemon_domain(udev_t,udev_exec_t) +init_make_daemon_domain(udev_t,udev_exec_t) domain_make_entrypoint_file(udev_t,udev_helper_exec_t) domain_make_file_descriptors_widely_inheritable(udev_t) @@ -74,7 +75,6 @@ kernel_compute_selinux_av(udev_t) kernel_compute_create(udev_t) kernel_compute_relabel(udev_t) kernel_compute_reachable_user_contexts(udev_t) -kernel_transition_from(udev_t,udev_exec_t) devices_manage_device_nodes(udev_t)