RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fixes just so sediff is easier to handle

This commit is contained in:
Chris PeBenito 2005-11-01 21:15:11 +00:00
parent b488014fd7
commit 73ef293bc5
4 changed files with 34 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
refpolicy/policy/modules/admin/su.if
View File

@ -206,18 +206,25 @@ template(`su_per_userdomain_template',`
userdom_use_user_terminals($1,$1_su_t) userdom_use_user_terminals($1,$1_su_t)
userdom_search_user_home($1,$1_su_t) userdom_search_user_home($1,$1_su_t)
if(secure_mode) {
# Only allow transitions to unprivileged user domains.
userdom_spec_domtrans_unpriv_users($1_su_t)
} else {
# Allow transitions to all user domains
userdom_spec_domtrans_all_users($1_su_t)
}
ifdef(`targeted_policy',` ifdef(`targeted_policy',`
corecmd_exec_bin($1_su_t) corecmd_exec_bin($1_su_t)
userdom_manage_all_user_files($1_su_t) userdom_manage_all_user_files($1_su_t)
userdom_manage_all_user_symlinks($1_su_t) userdom_manage_all_user_symlinks($1_su_t)
# newrole does not make any sense in
# the targeted policy. This is to
# make sediff easier.
if(!secure_mode) {
unconfined_domtrans($1_su_t)
}
',`
if(secure_mode) {
# Only allow transitions to unprivileged user domains.
userdom_spec_domtrans_unpriv_users($1_su_t)
} else {
# Allow transitions to all user domains
userdom_spec_domtrans_all_users($1_su_t)
}
') ')
tunable_policy(`use_nfs_home_dirs',` tunable_policy(`use_nfs_home_dirs',`

2
refpolicy/policy/modules/kernel/filesystem.if
View File

@ -660,7 +660,7 @@ interface(`fs_execute_cifs_files',`
## The type of the domain to not audit. ## The type of the domain to not audit.
## </param> ## </param>
# #
interface(`fs_read_cifs_files',` interface(`fs_dontaudit_read_cifs_files',`
gen_require(` gen_require(`
type cifs_t; type cifs_t;
class file { read write }; class file { read write };

2
refpolicy/policy/modules/services/ftp.te
View File

@ -184,6 +184,8 @@ optional_policy(`inetd.te',`
# inetd_tcp_service_domain(ftpd_t,ftpd_exec_t) # inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
#') #')
inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
optional_policy(`tcpd.te',` optional_policy(`tcpd.te',`
tunable_policy(`! ftpd_is_daemon',` tunable_policy(`! ftpd_is_daemon',`
tcpd_domtrans(tcpd_t) tcpd_domtrans(tcpd_t)

23
refpolicy/policy/modules/system/selinuxutil.te
View File

@ -263,13 +263,22 @@ userdom_use_unpriv_users_fd(newrole_t)
# for some PAM modules and for cwd # for some PAM modules and for cwd
userdom_dontaudit_search_all_users_home(newrole_t) userdom_dontaudit_search_all_users_home(newrole_t)
# if secure mode is enabled, then newrole ifdef(`targeted_policy',`
# can only transition to unprivileged users # newrole does not make any sense in
if(secure_mode) { # the targeted policy. This is to
userdom_spec_domtrans_unpriv_users(newrole_t) # make sediff easier.
} else { if(!secure_mode) {
userdom_spec_domtrans_all_users(newrole_t) unconfined_domtrans(newrole_t)
} }
',`
# if secure mode is enabled, then newrole
# can only transition to unprivileged users
if(secure_mode) {
userdom_spec_domtrans_unpriv_users(newrole_t)
} else {
userdom_spec_domtrans_all_users(newrole_t)
}
')
optional_policy(`nis.te',` optional_policy(`nis.te',`
nis_use_ypbind(newrole_t) nis_use_ypbind(newrole_t)