summaryrefslogtreecommitdiff
path: root/policy
diff options
context:
space:
mode:
authorChris PeBenito <cpebenito@tresys.com>2006-07-25 15:23:13 +0000
committerChris PeBenito <cpebenito@tresys.com>2006-07-25 15:23:13 +0000
commit8b9ebd37693b8abb422f748b4b71e4c8bf5613fe (patch)
tree1664af267bb7246ea841024c667cbbcfa5031eb7 /policy
parent19ebf01d6ab7fa4e39b61e8a902b66e21ffc7e86 (diff)
some cleanup in the kernel layer
Diffstat (limited to 'policy')
-rw-r--r--policy/modules/kernel/devices.te10
-rw-r--r--policy/modules/kernel/selinux.if29
-rw-r--r--policy/modules/kernel/terminal.if1
3 files changed, 15 insertions, 25 deletions
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 8edb0f58..a1940b41 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -20,14 +20,6 @@ files_type(device_t)
files_mountpoint(device_t)
files_associate_tmp(device_t)
-# Only directories and symlinks should be labeled device_t.
-# If there are other files with this type, it is wrong.
-# Relabelto is allowed for setfiles to function, in case
-# a device node has no specific type yet, but is for some
-# reason labeled with a specific type
-#cjp: want this, but udev policy breaks this
-#neverallow domain device_t:{ file fifo_file sock_file chr_file blk_file } ~{ getattr setattr relabelfrom relabelto };
-
#
# Type for /dev/agpgart
#
@@ -206,4 +198,4 @@ files_associate_tmp(device_node)
allow devices_unconfined_type self:capability sys_rawio;
allow devices_unconfined_type device_node:{ blk_file chr_file } *;
-allow devices_unconfined_type mtrr_device_t:{ dir file } *;
+allow devices_unconfined_type mtrr_device_t:file *;
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index f080e2a0..c4f9d7e3 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -55,7 +55,7 @@ interface(`selinux_search_fs',`
type security_t;
')
- allow $1 security_t:dir search;
+ allow $1 security_t:dir search_dir_perms;
')
########################################
@@ -73,7 +73,7 @@ interface(`selinux_dontaudit_search_fs',`
type security_t;
')
- dontaudit $1 security_t:dir search;
+ dontaudit $1 security_t:dir search_dir_perms;
')
########################################
@@ -92,7 +92,7 @@ interface(`selinux_dontaudit_read_fs',`
type security_t;
')
- dontaudit $1 security_t:dir search;
+ dontaudit $1 security_t:dir search_dir_perms;
dontaudit $1 security_t:file { getattr read };
')
@@ -112,7 +112,7 @@ interface(`selinux_get_enforce_mode',`
type security_t;
')
- allow $1 security_t:dir { read search getattr };
+ allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read };
')
@@ -144,7 +144,7 @@ interface(`selinux_set_enforce_mode',`
bool secure_mode_policyload;
')
- allow $1 security_t:dir { read search getattr };
+ allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read write };
typeattribute $1 can_setenforce;
@@ -171,7 +171,7 @@ interface(`selinux_load_policy',`
bool secure_mode_policyload;
')
- allow $1 security_t:dir { read search getattr };
+ allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read write };
typeattribute $1 can_load_policy;
@@ -208,8 +208,7 @@ interface(`selinux_set_boolean',`
bool secure_mode_policyload;
')
- allow $1 security_t:dir search;
- allow $1 security_t:dir { getattr search read };
+ allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read write };
if(!secure_mode_policyload) {
@@ -249,7 +248,7 @@ interface(`selinux_set_parameters',`
attribute can_setsecparam;
')
- allow $1 security_t:dir { read search getattr };
+ allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read write };
allow $1 security_t:security setsecparam;
auditallow $1 security_t:security setsecparam;
@@ -271,7 +270,7 @@ interface(`selinux_validate_context',`
type security_t;
')
- allow $1 security_t:dir { read search getattr };
+ allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read write };
allow $1 security_t:security check_context;
')
@@ -291,7 +290,7 @@ interface(`selinux_compute_access_vector',`
type security_t;
')
- allow $1 security_t:dir { read search getattr };
+ allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read write };
allow $1 security_t:security compute_av;
')
@@ -311,7 +310,7 @@ interface(`selinux_compute_create_context',`
type security_t;
')
- allow $1 security_t:dir { read search getattr };
+ allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read write };
allow $1 security_t:security compute_create;
')
@@ -332,7 +331,7 @@ interface(`selinux_compute_member',`
type security_t;
')
- allow $1 security_t:dir { read search getattr };
+ allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read write };
allow $1 security_t:security compute_member;
')
@@ -361,7 +360,7 @@ interface(`selinux_compute_relabel_context',`
type security_t;
')
- allow $1 security_t:dir { read search getattr };
+ allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read write };
allow $1 security_t:security compute_relabel;
')
@@ -381,7 +380,7 @@ interface(`selinux_compute_user_contexts',`
type security_t;
')
- allow $1 security_t:dir { read search getattr };
+ allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read write };
allow $1 security_t:security compute_user;
')
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 04b2dc25..f0a216c1 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -308,7 +308,6 @@ interface(`term_dontaudit_search_ptys',`
type devpts_t;
')
- dev_dontaudit_list_all_dev_nodes($1)
dontaudit $1 devpts_t:dir search;
')