make a reasonable lib_t interface

2005-05-11 15:46:51 +00:00 · 2005-05-11 15:46:51 +00:00 · 118186e3dc
parent 1832271029
commit 118186e3dc
8 changed files with 15 additions and 26 deletions
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@ -91,6 +91,7 @@ domain_use_widely_inheritable_file_descriptors(bootloader_t)

 libraries_use_dynamic_loader(bootloader_t)
 libraries_read_shared_libraries(bootloader_t)
+libraries_read_library_resources(bootloader_t)

 files_read_general_system_config(bootloader_t)
 files_read_runtime_system_config(bootloader_t)
@ -186,8 +187,6 @@ allow bootloader_t admin_tty_type:chr_file rw_file_perms;

 allow bootloader_t initrc_t:fifo_file { read write };

-allow bootloader_t lib_t:file { getattr read };
-
 allow bootloader_t sysfs_t:dir getattr;

 allow bootloader_t var_t:dir search;
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@ -82,6 +82,8 @@ logging_send_system_log_message(hotplug_t)

 libraries_use_dynamic_loader(hotplug_t)
 libraries_read_shared_libraries(hotplug_t)
+# Read /usr/lib/gconv/.*
+libraries_read_library_resources(hotplug_t)

 modutils_insmod_transition(hotplug_t)
 modutils_read_kernel_module_dependencies(hotplug_t)
@ -155,9 +157,6 @@ allow hotplug_t kernel_t:process sigchld;
 # for when filesystems are not mounted early in the boot
 dontaudit hotplug_t file_t:dir { search getattr };

-# Read /usr/lib/gconv/.*
-allow hotplug_t lib_t:file { getattr read };
-
 allow hotplug_t udev_runtime_t:file rw_file_perms;

 allow hotplug_t var_log_t:dir search;
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@ -145,8 +145,6 @@ allow init_t self:capability ~sys_module;
 allow init_t initrc_var_run_t:file { getattr read write setattr };

 ifdef(`TODO',`
-# something other then static libs
-allow init_t lib_t:file { getattr read };

 # for mount points
 allow init_t file_t:dir search;
@ -438,14 +436,8 @@ domain_trans(initrc_t, shell_exec_t, unconfined_t)
 ', `
 domain_auto_trans(sysadm_t, run_init_exec_t, run_init_t)
 role sysadm_r types run_init_t;
-
 domain_auto_trans(run_init_t, chkpwd_exec_t, sysadm_chkpwd_t)
-
-# for utmp
 allow run_init_t admin_tty_type:chr_file rw_file_perms;
-
-allow run_init_t lib_t:file { getattr read };
-
 ') dnl endif targeted policy

 tunable_policy(`distro_gentoo', `
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@ -87,15 +87,15 @@ class file execmod;

 ########################################
 #
-# libraries_read_static_libraries(domain)
+# libraries_read_library_resources(domain)
 #
-define(`libraries_read_static_libraries',`
+define(`libraries_read_library_resources',`
 requires_block_template(`$0'_depend)
 allow $1 lib_t:dir { getattr read search };
 allow $1 lib_t:{ file lnk_file } { getattr read };
 ')

-define(`libraries_read_static_libraries_depend',`
+define(`libraries_read_library_resources_depend',`
 type lib_t;
 class dir { getattr read search };
 class lnk_file { getattr read };
--- a/refpolicy/policy/modules/system/miscfiles.if
+++ b/refpolicy/policy/modules/system/miscfiles.if
@ -27,7 +27,10 @@ define(`miscfiles_read_localization',`
 requires_block_template(`$0'_depend)
 # FIXME: $1 read etc_t:lnk_file here
 # FIXME: $1 search usr_t:dir here
-# FIXME: $1 read lib_t:file(?)
+
+# why?
+libraries_read_library_resources($1)
+
 allow $1 locale_t:dir { getattr read search };
 allow $1 locale_t:lnk_file { getattr read };
 allow $1 locale_t:file { getattr read };
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@ -2,6 +2,11 @@

 policy_module(modutils,1.0)

+########################################
+#
+# Declarations
+#
+
 # module loading config
 type modules_conf_t;
 files_make_file(modules_conf_t)
@ -92,7 +97,6 @@ ifdef(`TODO',`

 allow insmod_t initrc_t:fifo_file { getattr read write };

-allow insmod_t lib_t:file { getattr read };
 allow insmod_t { var_t var_log_t }:dir search;

 allow insmod_t apm_bios_t:chr_file { read write };
@ -229,6 +233,4 @@ role sysadm_r types update_modules_t;
 domain_auto_trans(sysadm_t, update_modules_exec_t, update_modules_t)
 allow update_modules_t admin_tty_type:chr_file rw_file_perms;
 dontaudit update_modules_t sysadm_home_dir_t:dir search;
-
-allow update_modules_t lib_t:file { getattr read };
 ') dnl endif TODO
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@ -67,9 +67,6 @@ ifdef(`TODO',`
 # nfsv4 has a filesystem to mount for its userspace daemons
 allow mount_t var_lib_nfs_t:dir mounton;

-# for localization
-allow mount_t lib_t:file { getattr read };
-
 # TODO: Need to examine this further. Not sure how to handle this
 #type sysadm_mount_source_t, file_type, sysadmfile, $1_file_type;
 #allow sysadm_t sysadm_mount_source_t:file create_file_perms;
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@ -165,9 +165,6 @@ allow dhcpc_t rhgb_t:fifo_file { read write };

 can_ypbind(dhcpc_t)

-# for localization
-allow dhcpc_t lib_t:file { getattr read };
-
 ifdef(`cardmgr.te', `
 domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
 allow cardmgr_t dhcpc_var_run_t:file { getattr read };