reorganize tun patch changes.

2009-08-31 08:44:11 -04:00 · 2009-08-31 08:44:11 -04:00 · bd75703c7d
commit bd75703c7d
parent 9dc3cd1635
4 changed files with 47 additions and 50 deletions
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@ -251,9 +251,6 @@ inherits socket
 class unix_dgram_socket
 inherits socket

-class tun_socket
-inherits socket
-
 #
 # Define the access vector interpretation for process-related objects
 #
@ -802,3 +799,6 @@ class kernel_service
 	use_as_override
 	create_files_as	
 }
+
+class tun_socket
+inherits socket
--- a/policy/modules/services/virt.if
+++ b/policy/modules/services/virt.if
@ -59,6 +59,25 @@ interface(`virt_stream_connect',`
 	stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
 ')

+########################################
+## <summary>
+##	Allow domain to attach to virt TUN devices
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`virt_attach_tun_iface',`
+	gen_require(`
+		type virtd_t;
+	')
+
+	allow $1 virtd_t:tun_socket relabelfrom;
+	allow $1 self:tun_socket relabelto;
+')
+
 ########################################
 ## <summary>
 ##	Read virt config files.
@ -327,22 +346,3 @@ interface(`virt_admin',`

 	virt_manage_log($1)
 ')
-
-########################################
-## <summary>
-##	Allow domain to attach to virt TUN devices
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`virt_attach_tun_iface',`
-	gen_require(`
-		type virtd_t;
-	')
-
-	allow $1 virtd_t:tun_socket relabelfrom;
-	allow $1 self:tun_socket relabelto;
-')
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@ -1055,6 +1055,8 @@ template(`userdom_admin_user_template',`
 	domain_obj_id_change_exemption($1_t)
 	role system_r types $1_t;

+	typeattribute $1_t admin_tun_type;
+
 	ifdef(`direct_sysadm_daemon',`
 		domain_system_change_exemption($1_t)
 	')
@ -1066,18 +1068,13 @@ template(`userdom_admin_user_template',`

 	allow $1_t self:capability ~{ sys_module audit_control audit_write };
 	allow $1_t self:process { setexec setfscreate };
-
+	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
+	allow $1_t self:tun_socket create;
 	# Set password information for other users.
 	allow $1_t self:passwd { passwd chfn chsh };
-
 	# Skip authentication when pam_rootok is specified.
 	allow $1_t self:passwd rootok;

-	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
-
-	allow $1_t self:tun_socket create;
-	typeattribute $1_t admin_tun_type;
-
 	kernel_read_software_raid_state($1_t)
 	kernel_getattr_core_if($1_t)
 	kernel_getattr_message_if($1_t)
@ -1286,6 +1283,25 @@ interface(`userdom_user_home_content',`
 	ubac_constrained($1)
 ')

+########################################
+## <summary>
+##	Allow domain to attach to TUN devices created by administrative users.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_attach_admin_tun_iface',`
+	gen_require(`
+		attribute admin_tun_type;
+	')
+
+	allow $1 admin_tun_type:tun_socket relabelfrom;
+	allow $1 self:tun_socket relabelto;
+')
+
 ########################################
 ## <summary>
 ##	Set the attributes of a user pty.
@ -3028,22 +3044,3 @@ interface(`userdom_dbus_send_all_users',`

 	allow $1 userdomain:dbus send_msg;
 ')
-
-########################################
-## <summary>
-##	Allow domain to attach to TUN devices created by administrative users.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_attach_admin_tun_iface',`
-	gen_require(`
-		attribute admin_tun_type;
-	')
-
-	allow $1 admin_tun_type:tun_socket relabelfrom;
-	allow $1 self:tun_socket relabelto;
-')
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@ -49,6 +49,8 @@ gen_tunable(user_rw_noexattrfile, false)
 ## </desc>
 gen_tunable(user_ttyfile_stat, false)

+attribute admin_tun_type;
+
 # all user domains
 attribute userdomain;

@ -58,8 +60,6 @@ attribute unpriv_userdomain;
 attribute untrusted_content_type;
 attribute untrusted_content_tmp_type;

-attribute admin_tun_type;
-
 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
 fs_associate_tmpfs(user_home_dir_t)
 files_type(user_home_dir_t)