From a7197232e8d45537452257700184bf6c935e2bca Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Wed, 8 Jun 2005 13:41:05 +0000
Subject: [PATCH] add can_exec

---
 refpolicy/policy/modules/system/clock.if | 11 ++++-------
 refpolicy/policy/support/support_macros | 1 +
 2 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/refpolicy/policy/modules/system/clock.if b/refpolicy/policy/modules/system/clock.if
index fa75c75c7..aab599dc4 100644
--- a/refpolicy/policy/modules/system/clock.if
+++ b/refpolicy/policy/modules/system/clock.if
@@ -15,10 +15,7 @@ define(`clock_transition',`
 requires_block_template(`$0'_depend)
- allow $1 hwclock_exec_t:file { getattr read execute };
- allow $1 hwclock_t:process transition;
- type_transition $1 hwclock_exec_t:process hwclock_t;
- dontaudit $1 hwclock_t:process { noatsecure siginh rlimitinh };
+ domain_auto_trans($1,hwclock_exec_t,hwclock_t)
 allow $1 hwclock_t:fd use;
 allow hwclock_t $1:fd use;
@@ -81,7 +78,7 @@ define(`clock_transition_add_role_use_terminal_depend',`
 define(`clock_execute',`
 requires_block_template(`$0'_depend)
- allow $1 hwclock_exec_t:file { getattr read execute execute_no_trans };
+ can_exec($1,hwclock_exec_t)
 ')
 define(`clock_execute_depend',`
@@ -104,14 +101,14 @@ define(`clock_execute_depend',`
 define(`clock_modify_drift_records',`
 requires_block_template(`$0'_depend)
- allow $1 adjtime_t:file { getattr read write ioctl lock append };
+ allow $1 adjtime_t:file rw_file_perms;
 files_read_general_system_config_directory($1)
 ')
 define(`clock_modify_drift_records_depend',`
 type adjtime_t;
- class file { getattr read write ioctl lock append };
+ class file rw_file_perms;
 ')
 ##
diff --git a/refpolicy/policy/support/support_macros b/refpolicy/policy/support/support_macros
index 48b5ba0d1..1f2ea80b3 100644
--- a/refpolicy/policy/support/support_macros
+++ b/refpolicy/policy/support/support_macros
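Review bot: The added `domain_auto_trans($1,hwclock_exec_t,hwclock_t)` in clock_transition stands in for four explicit rules whose replacement expansion is not in this patch, so it needs confirming that the macro grants only `{ getattr read execute }` on hwclock_exec_t (no execute_no_trans, which would let the caller run hwclock in its own domain instead of being forced into hwclock_t) and that it still carries `dontaudit $1 hwclock_t:process { noatsecure siginh rlimitinh };`, which this hunk removes and which otherwise turns every transition into audit noise. The same concern applies to the third hunk, where `rw_file_perms` replaces `{ getattr read write ioctl lock append }` in both clock_modify_drift_records and its _depend block: the named set must expand to exactly those permissions on class file, or the interface silently widens the access it hands out. The clock_transition_depend block that must declare the file and process permissions the macro uses is outside this hunk and should be checked against the expansion as well.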
@@ -25,3 +25,4 @@ define(`context_template',`ifdef(`enable_mls',`$1:$2',`$1')') dnl # define(`user_mls',`ifdef(`enable_mls',`level $1 range $2')') dnl
+define(`can_exec',`allow $1 $2:file { getattr read execute execute_no_trans };')
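Review bot: The new can_exec definition has no dnl comment stating its contract; add `dnl can_exec(domain, exec_type): domain may run exec_type files in its own domain (execute_no_trans), no domain transition` above the define. That line matters because execute_no_trans is precisely the permission that keeps the caller in its own domain, the opposite of what domain_auto_trans does, so a policy author choosing between clock_execute and clock_transition needs that distinction spelled out at the macro. The permission set is inlined here while the third clock.if hunk moves to a named set (rw_file_perms); if an equivalent named execute set exists in support_macros, referencing it would keep can_exec and the interfaces' _depend class declarations from drifting apart.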