Rearrage interfaces in filesystem.

2010-06-22 10:17:42 -04:00 · 2010-06-22 10:17:42 -04:00 · 3c79f954d1
parent eab2cc89b4
commit 3c79f954d1
1 changed files with 84 additions and 83 deletions
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@ -1132,6 +1132,32 @@ interface(`fs_read_noxattr_fs_symlinks',`
 	read_lnk_files_pattern($1, noxattrfs, noxattrfs)
 ')

+########################################
+## <summary>
+##	Relabel all objets from filesystems that
+##	do not support extended attributes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_relabelfrom_noxattr_fs',`
+	gen_require(`
+		attribute noxattrfs;
+	')
+
+	allow $1 noxattrfs:dir list_dir_perms;
+	relabelfrom_dirs_pattern($1, noxattrfs, noxattrfs)
+	relabelfrom_files_pattern($1, noxattrfs, noxattrfs)
+	relabelfrom_lnk_files_pattern($1, noxattrfs, noxattrfs)
+	relabelfrom_fifo_files_pattern($1, noxattrfs, noxattrfs)
+	relabelfrom_sock_files_pattern($1, noxattrfs, noxattrfs)
+	relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
+	relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read
@ -4439,6 +4465,25 @@ interface(`fs_getattr_all_files',`
 	getattr_files_pattern($1, filesystem_type, filesystem_type)
 ')

+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all files with a filesystem type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_getattr_all_files',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	dontaudit $1 filesystem_type:file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of all symbolic links with
@ -4458,6 +4503,25 @@ interface(`fs_getattr_all_symlinks',`
 	getattr_lnk_files_pattern($1, filesystem_type, filesystem_type)
 ')

+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all symbolic links with a filesystem type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_getattr_all_symlinks',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	dontaudit $1 filesystem_type:lnk_file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of all named pipes with
@ -4477,6 +4541,25 @@ interface(`fs_getattr_all_pipes',`
 	getattr_fifo_files_pattern($1, filesystem_type, filesystem_type)
 ')

+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all named pipes with a filesystem type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_getattr_all_pipes',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	dontaudit $1 filesystem_type:fifo_file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of all named sockets with
@ -4496,62 +4579,6 @@ interface(`fs_getattr_all_sockets',`
 	getattr_sock_files_pattern($1, filesystem_type, filesystem_type)
 ')

-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of all files with a filesystem type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_dontaudit_getattr_all_files',`
-	gen_require(`
-		attribute filesystem_type;
-	')
-
-	dontaudit $1 filesystem_type:file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of all symbolic links with a filesystem type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_dontaudit_getattr_all_symlinks',`
-	gen_require(`
-		attribute filesystem_type;
-	')
-
-	dontaudit $1 filesystem_type:lnk_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of all named pipes with a filesystem type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_dontaudit_getattr_all_pipes',`
-	gen_require(`
-		attribute filesystem_type;
-	')
-
-	dontaudit $1 filesystem_type:fifo_file getattr;
-')

 ########################################
 ## <summary>
@ -4560,7 +4587,7 @@ interface(`fs_dontaudit_getattr_all_pipes',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@ -4627,29 +4654,3 @@ interface(`fs_unconfined',`

 	typeattribute $1 filesystem_unconfined_type;
 ')
-
-########################################
-## <summary>
-##	Relabel all objets from filesystems that
-##	do not support extended attributes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_relabelfrom_noxattr_fs',`
-	gen_require(`
-		attribute noxattrfs;
-	')
-
-	allow $1 noxattrfs:dir list_dir_perms;
-	relabelfrom_dirs_pattern($1, noxattrfs, noxattrfs)
-	relabelfrom_files_pattern($1, noxattrfs, noxattrfs)
-	relabelfrom_lnk_files_pattern($1, noxattrfs, noxattrfs)
-	relabelfrom_fifo_files_pattern($1, noxattrfs, noxattrfs)
-	relabelfrom_sock_files_pattern($1, noxattrfs, noxattrfs)
-	relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
-	relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
-')