Remove complement (~) and wildcard (*) in allow rules so that there are no
unintentional additions when new permissions are declared.
This patch does not add or remove permissions from any rules.
This patch is slightly more involved than just running sed. It also adds
typealias rules and doesn't change the FC entries.
The /dev/apm_bios device doesn't exist on modern systems. I have left that
policy in for the moment on the principle of making one change per patch. But
I might send another patch to remove that as it won't exist with modern
kernels.
I have used optional sections for dbus and xserver as requested and also
fixed a minor issue of a rule not being in the correct section.
Please merge this.
Use nscd_use instead of nscd_socket_use. This conditionally allows
nscd_shm_use
Remove the nscd_socket_use from ssh_keygen since it was redundant
already allowed by auth_use_nsswitch
Had to make some ssh_keysign_t rules unconditional else
nscd_use(ssh_keysign_t) would not build (nested booleans) but that does
not matter, the only actual domain transition to ssh_keysign_t is
conditional so the other unconditional ssh_keygen_t rules are
conditional in practice
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
Reduce the binary policy size by eliminating some set expressions
related to file accesses and make Repolicy easier to convert into CIL.
- Moved the auth_file_type attribute.
- Created a new type attribute called non_auth_file_type.
- Created new interfaces to allow file accesses on non_auth_file_type
files.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
This is based on Fedoras' miscfiles_cert_type implementation.
The idea was that openvpn needs to be able read home certificates (home_cert_t) which is not implemented in refpolicy yet, as well as generic cert_t certificates.
Note that openvpn is allowed to read all cert_types, as i know that it needs access to both generic cert_t as well as (future) home_cert_t. Dwalsh noted that other domains may need this as well but because i do not know exactly which domains i will not changes any other domains call to generic cert type interfaces.
Signed-off-by: Dominick Grift <domg472@gmail.com>