2010-09-03 15:49:29

by domg472

Subject: [refpolicy] [seutil 1/1] Redhat does not store selinux utilities in /usr.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 cecca76... c071664... M policy/modules/system/selinuxutil.if
policy/modules/system/selinuxutil.if | 47 ++++++++++++++++++++++++++-------
1 files changed, 37 insertions(+), 10 deletions(-)

diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index cecca76..c071664 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -1,4 +1,4 @@
-## <summary>Policy for SELinux policy and userland applications.</summary>
+## <summary>SELinux policy and userland applications.</summary>

#######################################
## <summary>
@@ -15,9 +15,12 @@ interface(`seutil_domtrans_checkpolicy',`
type checkpolicy_t, checkpolicy_exec_t;
')

- files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, checkpolicy_exec_t, checkpolicy_t)
+
+ ifndef(`distro_redhat',`
+ files_search_usr($1)
+ ')
')

########################################
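Review bot: The `ifndef(`distro_redhat'` guard around `files_search_usr($1)` only changes which directory the caller may search, while the file contexts that decide whether checkpolicy_exec_t is applied under /usr live in selinuxutil.fc, which the diffstat shows is not part of this patch, so the claim in the subject cannot be checked from the diff alone. On a build where the labelled binary still resolves under /usr the only symptom would be a search denial on usr_t before the `domtrans_pattern` rule applies, so a comment above the guard such as `# distro_redhat: utility is not installed under /usr (keep in sync with selinuxutil.fc)` would make the coupling explicit. The removed line sat before `corecmd_search_bin`, and keeping the guarded call in that position rather than appending it after the transition rule would preserve the interface's search-then-transition ordering. Plain m4 provides only `ifdef`, so this presumably relies on `ifndef` being supplied by the policy support macros. The same applies to the hunks for seutil_exec_checkpolicy, seutil_domtrans_newrole, seutil_exec_newrole, seutil_domtrans_runinit, seutil_domtrans_setfiles, seutil_exec_setfiles, seutil_domtrans_semanage and seutil_domtrans_setsebool.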
@@ -63,9 +66,12 @@ interface(`seutil_exec_checkpolicy',`
type checkpolicy_exec_t;
')

- files_search_usr($1)
corecmd_search_bin($1)
can_exec($1, checkpolicy_exec_t)
+
+ ifndef(`distro_redhat',`
+ files_search_usr($1)
+ ')
')

#######################################
@@ -167,9 +173,12 @@ interface(`seutil_domtrans_newrole',`
type newrole_t, newrole_exec_t;
')

- files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, newrole_exec_t, newrole_t)
+
+ ifndef(`distro_redhat',`
+ files_search_usr($1)
+ ')
')

########################################
@@ -216,9 +225,12 @@ interface(`seutil_exec_newrole',`
type newrole_t, newrole_exec_t;
')

- files_search_usr($1)
corecmd_search_bin($1)
can_exec($1, newrole_exec_t)
+
+ ifndef(`distro_redhat',`
+ files_search_usr($1)
+ ')
')

########################################
@@ -374,9 +386,12 @@ interface(`seutil_domtrans_runinit',`
type run_init_t, run_init_exec_t;
')

- files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, run_init_exec_t, run_init_t)
+
+ ifndef(`distro_redhat',`
+ files_search_usr($1)
+ ')
')

########################################
@@ -511,9 +526,12 @@ interface(`seutil_domtrans_setfiles',`
type setfiles_t, setfiles_exec_t;
')

- files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, setfiles_exec_t, setfiles_t)
+
+ ifndef(`distro_redhat',`
+ files_search_usr($1)
+ ')
')

########################################
@@ -558,9 +576,12 @@ interface(`seutil_exec_setfiles',`
type setfiles_exec_t;
')

- files_search_usr($1)
corecmd_search_bin($1)
can_exec($1, setfiles_exec_t)
+
+ ifndef(`distro_redhat',`
+ files_search_usr($1)
+ ')
')

########################################
@@ -1002,9 +1023,12 @@ interface(`seutil_domtrans_semanage',`
type semanage_t, semanage_exec_t;
')

- files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, semanage_exec_t, semanage_t)
+
+ ifndef(`distro_redhat',`
+ files_search_usr($1)
+ ')
')

########################################
@@ -1051,9 +1075,12 @@ interface(`seutil_domtrans_setsebool',`
type setsebool_t, setsebool_exec_t;
')

- files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, setsebool_exec_t, setsebool_t)
+
+ ifndef(`distro_redhat',`
+ files_search_usr($1)
+ ')
')

########################################
--
1.7.2.1



2010-09-09 13:06:43

by cpebenito

Subject: [refpolicy] [seutil 1/1] Redhat does not store selinux utilities in /usr.

On 09/03/10 11:49, Dominick Grift wrote:
> Signed-off-by: Dominick Grift<[email protected]>

They still are in /usr on RHEL5. Also, this doesn't matter too much
either way, since everything can search /usr due to libraries in /usr/lib.

> ---
> :100644 100644 cecca76... c071664... M policy/modules/system/selinuxutil.if
> policy/modules/system/selinuxutil.if | 47 ++++++++++++++++++++++++++-------
> 1 files changed, 37 insertions(+), 10 deletions(-)
>
> diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
> index cecca76..c071664 100644
> --- a/policy/modules/system/selinuxutil.if
> +++ b/policy/modules/system/selinuxutil.if
> @@ -1,4 +1,4 @@
> -##<summary>Policy for SELinux policy and userland applications.</summary>
> +##<summary>SELinux policy and userland applications.</summary>
>
> #######################################
> ##<summary>
> @@ -15,9 +15,12 @@ interface(`seutil_domtrans_checkpolicy',`
> type checkpolicy_t, checkpolicy_exec_t;
> ')
>
> - files_search_usr($1)
> corecmd_search_bin($1)
> domtrans_pattern($1, checkpolicy_exec_t, checkpolicy_t)
> +
> + ifndef(`distro_redhat',`
> + files_search_usr($1)
> + ')
> ')
>
> ########################################
> @@ -63,9 +66,12 @@ interface(`seutil_exec_checkpolicy',`
> type checkpolicy_exec_t;
> ')
>
> - files_search_usr($1)
> corecmd_search_bin($1)
> can_exec($1, checkpolicy_exec_t)
> +
> + ifndef(`distro_redhat',`
> + files_search_usr($1)
> + ')
> ')
>
> #######################################
> @@ -167,9 +173,12 @@ interface(`seutil_domtrans_newrole',`
> type newrole_t, newrole_exec_t;
> ')
>
> - files_search_usr($1)
> corecmd_search_bin($1)
> domtrans_pattern($1, newrole_exec_t, newrole_t)
> +
> + ifndef(`distro_redhat',`
> + files_search_usr($1)
> + ')
> ')
>
> ########################################
> @@ -216,9 +225,12 @@ interface(`seutil_exec_newrole',`
> type newrole_t, newrole_exec_t;
> ')
>
> - files_search_usr($1)
> corecmd_search_bin($1)
> can_exec($1, newrole_exec_t)
> +
> + ifndef(`distro_redhat',`
> + files_search_usr($1)
> + ')
> ')
>
> ########################################
> @@ -374,9 +386,12 @@ interface(`seutil_domtrans_runinit',`
> type run_init_t, run_init_exec_t;
> ')
>
> - files_search_usr($1)
> corecmd_search_bin($1)
> domtrans_pattern($1, run_init_exec_t, run_init_t)
> +
> + ifndef(`distro_redhat',`
> + files_search_usr($1)
> + ')
> ')
>
> ########################################
> @@ -511,9 +526,12 @@ interface(`seutil_domtrans_setfiles',`
> type setfiles_t, setfiles_exec_t;
> ')
>
> - files_search_usr($1)
> corecmd_search_bin($1)
> domtrans_pattern($1, setfiles_exec_t, setfiles_t)
> +
> + ifndef(`distro_redhat',`
> + files_search_usr($1)
> + ')
> ')
>
> ########################################
> @@ -558,9 +576,12 @@ interface(`seutil_exec_setfiles',`
> type setfiles_exec_t;
> ')
>
> - files_search_usr($1)
> corecmd_search_bin($1)
> can_exec($1, setfiles_exec_t)
> +
> + ifndef(`distro_redhat',`
> + files_search_usr($1)
> + ')
> ')
>
> ########################################
> @@ -1002,9 +1023,12 @@ interface(`seutil_domtrans_semanage',`
> type semanage_t, semanage_exec_t;
> ')
>
> - files_search_usr($1)
> corecmd_search_bin($1)
> domtrans_pattern($1, semanage_exec_t, semanage_t)
> +
> + ifndef(`distro_redhat',`
> + files_search_usr($1)
> + ')
> ')
>
> ########################################
> @@ -1051,9 +1075,12 @@ interface(`seutil_domtrans_setsebool',`
> type setsebool_t, setsebool_exec_t;
> ')
>
> - files_search_usr($1)
> corecmd_search_bin($1)
> domtrans_pattern($1, setsebool_exec_t, setsebool_t)
> +
> + ifndef(`distro_redhat',`
> + files_search_usr($1)
> + ')
> ')
>
> ########################################
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-09-09 13:52:05

by Daniel Walsh

Subject: [refpolicy] [seutil 1/1] Redhat does not store selinux utilities in /usr.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/09/2010 09:06 AM, Christopher J. PeBenito wrote:
> On 09/03/10 11:49, Dominick Grift wrote:
>> Signed-off-by: Dominick Grift<[email protected]>
>
> They still are in /usr on RHEL5. Also, this doesn't matter too much
> either way, since everything can search /usr due to libraries in /usr/lib.
>
>> ---
>> :100644 100644 cecca76... c071664... M policy/modules/system/selinuxutil.if
>> policy/modules/system/selinuxutil.if | 47 ++++++++++++++++++++++++++-------
>> 1 files changed, 37 insertions(+), 10 deletions(-)
>>
>> diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
>> index cecca76..c071664 100644
>> --- a/policy/modules/system/selinuxutil.if
>> +++ b/policy/modules/system/selinuxutil.if
>> @@ -1,4 +1,4 @@
>> -##<summary>Policy for SELinux policy and userland applications.</summary>
>> +##<summary>SELinux policy and userland applications.</summary>
>>
>> #######################################
>> ##<summary>
>> @@ -15,9 +15,12 @@ interface(`seutil_domtrans_checkpolicy',`
>> type checkpolicy_t, checkpolicy_exec_t;
>> ')
>>
>> - files_search_usr($1)
>> corecmd_search_bin($1)
>> domtrans_pattern($1, checkpolicy_exec_t, checkpolicy_t)
>> +
>> + ifndef(`distro_redhat',`
>> + files_search_usr($1)
>> + ')
>> ')
>>
>> ########################################
>> @@ -63,9 +66,12 @@ interface(`seutil_exec_checkpolicy',`
>> type checkpolicy_exec_t;
>> ')
>>
>> - files_search_usr($1)
>> corecmd_search_bin($1)
>> can_exec($1, checkpolicy_exec_t)
>> +
>> + ifndef(`distro_redhat',`
>> + files_search_usr($1)
>> + ')
>> ')
>>
>> #######################################
>> @@ -167,9 +173,12 @@ interface(`seutil_domtrans_newrole',`
>> type newrole_t, newrole_exec_t;
>> ')
>>
>> - files_search_usr($1)
>> corecmd_search_bin($1)
>> domtrans_pattern($1, newrole_exec_t, newrole_t)
>> +
>> + ifndef(`distro_redhat',`
>> + files_search_usr($1)
>> + ')
>> ')
>>
>> ########################################
>> @@ -216,9 +225,12 @@ interface(`seutil_exec_newrole',`
>> type newrole_t, newrole_exec_t;
>> ')
>>
>> - files_search_usr($1)
>> corecmd_search_bin($1)
>> can_exec($1, newrole_exec_t)
>> +
>> + ifndef(`distro_redhat',`
>> + files_search_usr($1)
>> + ')
>> ')
>>
>> ########################################
>> @@ -374,9 +386,12 @@ interface(`seutil_domtrans_runinit',`
>> type run_init_t, run_init_exec_t;
>> ')
>>
>> - files_search_usr($1)
>> corecmd_search_bin($1)
>> domtrans_pattern($1, run_init_exec_t, run_init_t)
>> +
>> + ifndef(`distro_redhat',`
>> + files_search_usr($1)
>> + ')
>> ')
>>
>> ########################################
>> @@ -511,9 +526,12 @@ interface(`seutil_domtrans_setfiles',`
>> type setfiles_t, setfiles_exec_t;
>> ')
>>
>> - files_search_usr($1)
>> corecmd_search_bin($1)
>> domtrans_pattern($1, setfiles_exec_t, setfiles_t)
>> +
>> + ifndef(`distro_redhat',`
>> + files_search_usr($1)
>> + ')
>> ')
>>
>> ########################################
>> @@ -558,9 +576,12 @@ interface(`seutil_exec_setfiles',`
>> type setfiles_exec_t;
>> ')
>>
>> - files_search_usr($1)
>> corecmd_search_bin($1)
>> can_exec($1, setfiles_exec_t)
>> +
>> + ifndef(`distro_redhat',`
>> + files_search_usr($1)
>> + ')
>> ')
>>
>> ########################################
>> @@ -1002,9 +1023,12 @@ interface(`seutil_domtrans_semanage',`
>> type semanage_t, semanage_exec_t;
>> ')
>>
>> - files_search_usr($1)
>> corecmd_search_bin($1)
>> domtrans_pattern($1, semanage_exec_t, semanage_t)
>> +
>> + ifndef(`distro_redhat',`
>> + files_search_usr($1)
>> + ')
>> ')
>>
>> ########################################
>> @@ -1051,9 +1075,12 @@ interface(`seutil_domtrans_setsebool',`
>> type setsebool_t, setsebool_exec_t;
>> ')
>>
>> - files_search_usr($1)
>> corecmd_search_bin($1)
>> domtrans_pattern($1, setsebool_exec_t, setsebool_t)
>> +
>> + ifndef(`distro_redhat',`
>> + files_search_usr($1)
>> + ')
>> ')
>>
>> ########################################
>>
>>
>>
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
>
>
Yes, I do not think we need this patch. (I believe we made a mistake
when we did not allow every domain read/execute access to usr_t, bin_t,
lib_t, var_t, var_lib_t, and probably a few others.)
But I am probably in the minority.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkyI5oUACgkQrlYvE4MpobNk/wCgrMeqm9ys/j6gjpilz67SuCw2
gyUAoKuZ9Zmiosz+R6gZD6oGFqmamPMS
=92Ip
-----END PGP SIGNATURE-----