targeted and distro fixes for loadable modules

2005-10-19 16:44:24 +00:00 · 2005-10-19 16:44:24 +00:00 · af4752bcb9
parent 0efe52ae99
commit af4752bcb9
4 changed files with 12 additions and 22 deletions
--- a/refpolicy/policy/modules/services/bind.if
+++ b/refpolicy/policy/modules/services/bind.if
@ -11,9 +11,6 @@
 interface(`bind_domtrans_ndc',`
 	gen_require(`
 		type ndc_t, ndc_exec_t;
-		class process sigchld;
-		class fd use;
-		class fifo_file rw_file_perms;
 	')

 	domain_auto_trans($1,ndc_exec_t,ndc_t)
@ -42,7 +39,6 @@ interface(`bind_domtrans_ndc',`
 interface(`bind_run_ndc',`
 	gen_require(`
 		type ndc_t;
-		class chr_file rw_term_perms;
 	')

 	bind_domtrans_ndc($1)
@ -61,9 +57,6 @@ interface(`bind_run_ndc',`
 interface(`bind_domtrans',`
 	gen_require(`
 		type named_t, named_exec_t;
-		class process sigchld;
-		class fd use;
-		class fifo_file rw_file_perms;
 	')

 	domain_auto_trans($1,named_exec_t,named_t)
@ -85,8 +78,6 @@ interface(`bind_domtrans',`
 interface(`bind_read_dnssec_keys',`
 	gen_require(`
 		type named_conf_t, named_zone_t, dnssec_t;
-		class dir search;
-		class file { getattr read };
 	')

 	allow $1 { named_conf_t named_zone_t }:dir search;
@ -104,8 +95,6 @@ interface(`bind_read_dnssec_keys',`
 interface(`bind_read_config',`
 	gen_require(`
 		type named_conf_t;
-		class dir search;
-		class file { getattr read };
 	')

 	allow $1 named_conf_t:dir search;
@ -123,8 +112,6 @@ interface(`bind_read_config',`
 interface(`bind_write_config',`
 	gen_require(`
 		type named_conf_t;
-		class dir search;
-		class file { write setattr };
 	')

 	allow $1 named_conf_t:dir search;
@ -143,7 +130,6 @@ interface(`bind_write_config',`
 interface(`bind_manage_config_dir',`
 	gen_require(`
 		type named_conf_t;
-		class dir perms;
 	')

 	allow $1 named_conf_t:dir create_dir_perms;
@ -161,7 +147,6 @@ interface(`bind_manage_config_dir',`
 interface(`bind_setattr_pid_dir',`
 	gen_require(`
 		type named_var_run_t;
-		class dir setattr;
 	')

 	allow $1 named_var_run_t:dir setattr;
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@ -105,7 +105,8 @@ ifdef(`targeted_policy',`
 	allow system_mail_t mqueue_spool_t:file create_file_perms;
 	allow system_mail_t mqueue_spool_t:lnk_file create_lnk_perms;

-	optional_policy(`postfix.te',`',`
+# cjp: another require-in-else to resolve
+#	optional_policy(`postfix.te',`',`
 		corecmd_exec_bin(system_mail_t)
 		corecmd_exec_sbin(system_mail_t)

@ -117,7 +118,7 @@ ifdef(`targeted_policy',`
 		libs_use_shared_libs(system_mail_t)
 		libs_exec_ld_so(system_mail_t)
 		libs_exec_lib_files(system_mail_t)
-	')
+#	')
 ')

 optional_policy(`apache.te',`
--- a/refpolicy/policy/modules/services/mysql.if
+++ b/refpolicy/policy/modules/services/mysql.if
@ -99,7 +99,7 @@ interface(`mysql_rw_db_dir',`
 #
 interface(`mysql_manage_db_dir',`
 	gen_require(`
-		type mysql_db_t;
+		type mysqld_db_t;
 	')

 	files_search_var_lib($1)
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@ -1560,11 +1560,15 @@ interface(`userdom_read_staff_home_files',`
 ## </param>
 #
 interface(`userdom_sigchld_sysadm',`
-	gen_require(`
-		type sysadm_t;
-	')
+	ifdef(`targeted_policy',`
+		unconfined_sigchld($1)
+	',`
+		gen_require(`
+			type sysadm_t;
+		')

-	allow $1 sysadm_t:process sigchld;
+		allow $1 sysadm_t:process sigchld;
+	')
 ')

 ########################################