nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix assertions for framework

Browse Source
This commit is contained in:
Chris PeBenito 2005-07-18 20:17:21 +00:00
parent a5f339f134
commit 391edeb577
2 changed files with 12 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
refpolicy/policy/modules/system/domain.if
View File

@ -26,6 +26,14 @@ interface(`domain_base_domain_type',`
# allow $1 to create child processes in this domain # allow $1 to create child processes in this domain
allow $1 self:process { fork sigchld }; allow $1 self:process { fork sigchld };
# Files with domain types are currently only proc files
# self is excepted since domains and files can have
# the same type in SEFramework
# cjp: perhaps this should be a conditional exception,
# so it is excepted only on SEFramework policies
neverallow $1 { domain -$1 }:dir ~r_dir_perms;
neverallow $1 { domain -$1 }:file_class_set ~rw_file_perms;
') ')
######################################## ########################################

7
refpolicy/policy/modules/system/domain.te
View File

@ -32,6 +32,7 @@ neverallow domain ~domain:process { transition dyntransition };
# dynamic transition, you should not be using it!!! # dynamic transition, you should not be using it!!!
neverallow { domain -set_curr_context } self:process setcurrent; neverallow { domain -set_curr_context } self:process setcurrent;
# Files with domain types are currently only proc files # TODO:
neverallow * domain:dir ~r_dir_perms; # cjp: also need to except correctly for SEFramework
neverallow * domain:file_class_set ~rw_file_perms; #neverallow { domain unlabeled_t } file_type:process *;
#neverallow ~{ domain unlabeled_t } *:process *;