From a9e03b375241b0f875efb4d97b7b590f1898b58b Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 21 Sep 2006 15:48:15 +0000 Subject: [PATCH] * add a macro for generating category declarations * fix userdom_search_all_users_home_content() to use search_dir_perms; * change ssh daemon macro to use userdom_search_all_users_home_dirs() instead of _home_content() --- policy/mcs | 67 ++-------------------------- policy/mls | 68 ++--------------------------- policy/modules/services/ssh.if | 2 +- policy/modules/services/ssh.te | 2 +- policy/modules/system/userdomain.if | 2 +- policy/modules/system/userdomain.te | 2 +- policy/support/misc_macros.spt | 15 +++++++ 7 files changed, 25 insertions(+), 133 deletions(-) diff --git a/policy/mcs b/policy/mcs index 5a4787704..89cdec9ed 100644 --- a/policy/mcs +++ b/policy/mcs 
@@ -19,70 +19,9 @@ dominance { s0 } # # Each category has a name and zero or more aliases. # -category c0; category c1; category c2; category c3; -category c4; category c5; category c6; category c7; -category c8; category c9; category c10; category c11; -category c12; category c13; category c14; category c15; -category c16; category c17; category c18; category c19; -category c20; category c21; category c22; category c23; -category c24; category c25; category c26; category c27; -category c28; category c29; category c30; category c31; -category c32; category c33; category c34; category c35; -category c36; category c37; category c38; category c39; -category c40; category c41; category c42; category c43; -category c44; category c45; category c46; category c47; -category c48; category c49; category c50; category c51; -category c52; category c53; category c54; category c55; -category c56; category c57; category c58; category c59; -category c60; category c61; category c62; category c63; -category c64; category c65; category c66; category c67; -category c68; category c69; category c70; category c71; -category c72; category c73; category c74; category c75; -category c76; category c77; category c78; category c79; -category c80; category c81; category c82; category c83; -category c84; category c85; category c86; category c87; -category c88; category c89; category c90; category c91; -category c92; category c93; category c94; category c95; -category c96; category c97; category c98; category c99; -category c100; category c101; category c102; category c103; -category c104; category c105; category c106; category c107; -category c108; category c109; category c110; category c111; -category c112; category c113; category c114; category c115; -category c116; category c117; category c118; category c119; -category c120; category c121; category c122; category c123; -category c124; category c125; category c126; category c127; -category c128; category c129; category c130; category c131; 
-category c132; category c133; category c134; category c135; -category c136; category c137; category c138; category c139; -category c140; category c141; category c142; category c143; -category c144; category c145; category c146; category c147; -category c148; category c149; category c150; category c151; -category c152; category c153; category c154; category c155; -category c156; category c157; category c158; category c159; -category c160; category c161; category c162; category c163; -category c164; category c165; category c166; category c167; -category c168; category c169; category c170; category c171; -category c172; category c173; category c174; category c175; -category c176; category c177; category c178; category c179; -category c180; category c181; category c182; category c183; -category c184; category c185; category c186; category c187; -category c188; category c189; category c190; category c191; -category c192; category c193; category c194; category c195; -category c196; category c197; category c198; category c199; -category c200; category c201; category c202; category c203; -category c204; category c205; category c206; category c207; -category c208; category c209; category c210; category c211; -category c212; category c213; category c214; category c215; -category c216; category c217; category c218; category c219; -category c220; category c221; category c222; category c223; -category c224; category c225; category c226; category c227; -category c228; category c229; category c230; category c231; -category c232; category c233; category c234; category c235; -category c236; category c237; category c238; category c239; -category c240; category c241; category c242; category c243; -category c244; category c245; category c246; category c247; -category c248; category c249; category c250; category c251; -category c252; category c253; category c254; category c255; + +# generate declarations for c0 to c255 +gen_cats(256) # # Each MCS level specifies a sensitivity and zero 
or more categories which may diff --git a/policy/mls b/policy/mls index a8e2a9072..5a136d1f1 100644 --- a/policy/mls +++ b/policy/mls @@ -1,4 +1,3 @@ - ifdef(`enable_mls',` # # Define sensitivities 
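Review bot: The literal in `gen_cats(256)` now has to agree with the category range used by the level declarations that follow this comment block, and nothing in the file ties the two together. Those declarations are outside the hunk and presumably take the form `c0.c255`. I would extend the new comment to say so, for example `# generate declarations for c0 to c255; keep in sync with the level ranges below`. The same applies to the identical hunk in policy/mls.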
@@ -33,70 +32,9 @@ dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 } # # Each category has a name and zero or more aliases. # -category c0; category c1; category c2; category c3; -category c4; category c5; category c6; category c7; -category c8; category c9; category c10; category c11; -category c12; category c13; category c14; category c15; -category c16; category c17; category c18; category c19; -category c20; category c21; category c22; category c23; -category c24; category c25; category c26; category c27; -category c28; category c29; category c30; category c31; -category c32; category c33; category c34; category c35; -category c36; category c37; category c38; category c39; -category c40; category c41; category c42; category c43; -category c44; category c45; category c46; category c47; -category c48; category c49; category c50; category c51; -category c52; category c53; category c54; category c55; -category c56; category c57; category c58; category c59; -category c60; category c61; category c62; category c63; -category c64; category c65; category c66; category c67; -category c68; category c69; category c70; category c71; -category c72; category c73; category c74; category c75; -category c76; category c77; category c78; category c79; -category c80; category c81; category c82; category c83; -category c84; category c85; category c86; category c87; -category c88; category c89; category c90; category c91; -category c92; category c93; category c94; category c95; -category c96; category c97; category c98; category c99; -category c100; category c101; category c102; category c103; -category c104; category c105; category c106; category c107; -category c108; category c109; category c110; category c111; -category c112; category c113; category c114; category c115; -category c116; category c117; category c118; category c119; -category c120; category c121; category c122; category c123; -category c124; category c125; category c126; category c127; -category 
c128; category c129; category c130; category c131; -category c132; category c133; category c134; category c135; -category c136; category c137; category c138; category c139; -category c140; category c141; category c142; category c143; -category c144; category c145; category c146; category c147; -category c148; category c149; category c150; category c151; -category c152; category c153; category c154; category c155; -category c156; category c157; category c158; category c159; -category c160; category c161; category c162; category c163; -category c164; category c165; category c166; category c167; -category c168; category c169; category c170; category c171; -category c172; category c173; category c174; category c175; -category c176; category c177; category c178; category c179; -category c180; category c181; category c182; category c183; -category c184; category c185; category c186; category c187; -category c188; category c189; category c190; category c191; -category c192; category c193; category c194; category c195; -category c196; category c197; category c198; category c199; -category c200; category c201; category c202; category c203; -category c204; category c205; category c206; category c207; -category c208; category c209; category c210; category c211; -category c212; category c213; category c214; category c215; -category c216; category c217; category c218; category c219; -category c220; category c221; category c222; category c223; -category c224; category c225; category c226; category c227; -category c228; category c229; category c230; category c231; -category c232; category c233; category c234; category c235; -category c236; category c237; category c238; category c239; -category c240; category c241; category c242; category c243; -category c244; category c245; category c246; category c247; -category c248; category c249; category c250; category c251; -category c252; category c253; category c254; category c255; + +# generate declarations for c0 to c255 +gen_cats(256) 
# diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index 07350731e..a91983a59 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -526,7 +526,7 @@ template(`ssh_server_template', ` sysnet_read_config($1_t) userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t) - userdom_search_all_users_home_content($1_t) + userdom_search_all_users_home_dirs($1_t) # Allow checking users mail at login mta_getattr_spool($1_t) diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index 399e91327..038743aa2 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -1,5 +1,5 @@ -policy_module(ssh,1.3.11) +policy_module(ssh,1.3.12) ######################################## # diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index c60c146f4..d0cd6e1bd 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -4451,7 +4451,7 @@ interface(`userdom_search_all_users_home_content',` ') files_list_home($1) - allow $1 { home_dir_type home_type }:dir search; + allow $1 { home_dir_type home_type }:dir search_dir_perms; ') ######################################## diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index 9a687da5e..323c400fb 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -1,5 +1,5 @@ -policy_module(userdomain,1.3.33) +policy_module(userdomain,1.3.34) gen_require(` role sysadm_r, staff_r, user_r; diff --git a/policy/support/misc_macros.spt b/policy/support/misc_macros.spt index 3482d3318..94e209f7b 100644 --- a/policy/support/misc_macros.spt +++ b/policy/support/misc_macros.spt @@ -28,6 +28,7 @@ define(`ifndef',`ifdef(`$1',`$3',`$2')') define(`__endline__',` ') +######################################## # # refpolwarn(message) # 
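Review bot: The new call `userdom_search_all_users_home_dirs($1_t)` in `ssh_server_template` carries no comment explaining why searching the home directories alone is sufficient, unlike the commented `mta_getattr_spool($1_t)` line just below it. Dropping the `_home_content` variant removes search on directories of the home content types, so it is worth confirming that the daemon still reaches the per-user files it needs through another rule. The template body starts and ends outside the hunk, so that cannot be checked from here. A one-line why-comment above the call, in the style of `# Allow checking users mail at login`, would record the intent.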
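Review bot: In `userdom_search_all_users_home_content`, the context line `files_list_home($1)` grants listing of the home root, which is more than an interface named "search" needs. If only traversal is intended, `files_search_home($1)` would match the `search_dir_perms` set now used on the `allow` rule. Separately, replacing `search` with `search_dir_perms` widens the grant for every existing caller of this interface, since the set presumably adds `getattr`. The interface's summary comment is outside the hunk and should be checked to describe the new permission set.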
@@ -35,6 +36,7 @@ define(`__endline__',` # define(`refpolicywarn',`errprint(__file__:__line__: Warning: `$1'__endline__)') +######################################## # # refpolerr(message) # @@ -74,3 +76,16 @@ define(`can_exec',`allow $1 $2:file { rx_file_perms execute_no_trans };') define(`gen_bool',` bool $1 dflt_or_overr(`$1'_conf,$2); ') + +######################################## +# +# gen_cats(N) +# +# declares categores c0 to c(N-1) +# +define(`decl_cats',`dnl +category c$1; +ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl +') + +define(`gen_cats',`decl_cats(0,decr($1))')
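Review bot: `gen_cats` has no guard on its argument, so `gen_cats(0)` expands to `decl_cats(0,-1)`. Because the first argument is only ever incremented, the `ifelse` equality test in `decl_cats` never matches and m4 recurses until it exhausts its resources. An empty or non-numeric argument likely ends up the same way. Wrapping the call in an `ifelse(eval($1 > 0),1,...)` guard that falls through to this file's error macro would turn that into a clear build failure. The header comment also has a typo and should read `# declares categories c0 to c(N-1)`, and the `decl_cats` helper deserves a one-line note that it is internal and takes (first, last) inclusive.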