From 156204a3853857c16591820f69ca34d9f1758919 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 24 Feb 2009 20:00:15 +0000
Subject: [PATCH] trunk: Drop write permission from fs_read_rpc_sockets().
---
 Changelog | 1 +
 policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
 policy/modules/kernel/filesystem.te | 2 +-
 policy/modules/services/rpc.te | 6 +++---
 4 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/Changelog b/Changelog
index 95db6c114..6c85f15b2 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Drop write permission from fs_read_rpc_sockets().
 - Remove unused udev_runtime_t type.
 - Patch for RadSec port from Glen Turner.
 - Enable network_peer_controls policy capability from Paul Moore.
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 98607ab9f..16c72d7e7 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -1935,6 +1935,24 @@ interface(`fs_read_rpc_sockets',`
 type rpc_pipefs_t;
 ')
+ allow $1 rpc_pipefs_t:sock_file read;
+')
+
+########################################
+##
+## Read and write sockets of RPC file system pipes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_rw_rpc_sockets',`
+ gen_require(`
+ type rpc_pipefs_t;
+ ')
+
 allow $1 rpc_pipefs_t:sock_file { read write };
 ')
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index a95ed4be5..cf66fb440 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,5 +1,5 @@
-policy_module(filesystem, 1.11.1)
+policy_module(filesystem, 1.11.2)
 ########################################
 #
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 02c3fcdca..012cb3411 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -1,5 +1,5 @@
-policy_module(rpc, 1.10.2)
+policy_module(rpc, 1.10.3)
 ########################################
 #
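Review bot: The two allow rules in the filesystem.if hunk grant bare `read` and `{ read write }` on `rpc_pipefs_t:sock_file` without `getattr`, so a domain given either interface still cannot stat the socket it is allowed to use; if this revision's obj_perm_sets already defines `read_sock_file_perms` and `rw_sock_file_perms`, prefer `allow $1 rpc_pipefs_t:sock_file read_sock_file_perms;` and `allow $1 rpc_pipefs_t:sock_file rw_sock_file_perms;` so the two interfaces match the permission-set convention used elsewhere in the module. The `fs_read_rpc_sockets` interface opens before the hunk and its summary comment is not visible here; since its grant has narrowed, confirm that summary describes read-only access. Any caller of `fs_read_rpc_sockets` outside rpc.te that depended on the write permission it used to carry loses it silently (a runtime denial, not a build error), so a policy-wide search for the interface name before merging would confirm rpcd_t and gssd_t were the only affected domains.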
@@ -76,7 +76,7 @@ files_manage_mounttab(rpcd_t)
 fs_list_rpc(rpcd_t)
 fs_read_rpc_files(rpcd_t)
 fs_read_rpc_symlinks(rpcd_t)
-fs_read_rpc_sockets(rpcd_t)
+fs_rw_rpc_sockets(rpcd_t)
 selinux_dontaudit_read_fs(rpcd_t)
@@ -163,7 +163,7 @@ kernel_search_network_sysctl(gssd_t)
 corecmd_exec_bin(gssd_t)
 fs_list_rpc(gssd_t)
-fs_read_rpc_sockets(gssd_t)
+fs_rw_rpc_sockets(gssd_t)
 fs_read_rpc_files(gssd_t)
 files_list_tmp(gssd_t)