This patch aims to clean the fstools module, and to apply trivial modifications to the fstools module. Refer to [refpolicy patch 1/2] revisit and apply trivial redhat modifications to fstools module.
Index: /home/domg472/Workspace/refpolicy_trunk/policy/modules/system/fstools.if
===================================================================
--- /home/domg472/Workspace/refpolicy_trunk/policy/modules/system/fstools.if (revision 2758)
+++ /home/domg472/Workspace/refpolicy_trunk/policy/modules/system/fstools.if (working copy)
@@ -16,7 +16,7 @@
 ')
 corecmd_search_bin($1)
- domtrans_pattern($1,fsadm_exec_t,fsadm_t)
+ domtrans_pattern($1, fsadm_exec_t, fsadm_t)
 ')
 ########################################
@@ -48,7 +48,7 @@
 fstools_domtrans($1)
 role $2 types fsadm_t;
- allow fsadm_t $3:chr_file { getattr read write ioctl };
+ rw_chr_files_pattern(fsadm_t, $3, $3)
 ')
 ########################################
@@ -66,7 +66,7 @@
 type fsadm_exec_t;
 ')
- can_exec($1,fsadm_exec_t)
+ can_exec($1, fsadm_exec_t)
 ')
 ########################################
@@ -84,7 +84,7 @@
 type fsadm_t;
 ')
- allow $1 fsadm_t:fifo_file read_fifo_file_perms;
+ read_fifo_files_pattern($1, fsadm_t, fsadm_t)
 ')
 ########################################
@@ -103,7 +103,7 @@
 type fsadm_exec_t;
 ')
- allow $1 fsadm_exec_t:file relabelto;
+ relabelto_files_pattern($1, fsadm_exec_t, fsadm_exec_t)
 ')
 ########################################
@@ -122,7 +122,7 @@
 type fsadm_exec_t;
 ')
- allow $1 fsadm_exec_t:file manage_file_perms;
+ manage_files_pattern($1, fsadm_exec_t, fsadm_exec_t)
 ')
 ########################################
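Review bot: `rw_chr_files_pattern(fsadm_t, $3, $3)` in the `@@ -48,7 +48,7 @@` hunk is not an equivalent rewrite of the rule it replaces, so this is a permission change rather than a cleanup. The refpolicy `*_pattern` macros also emit a directory rule on their second argument, and `rw_chr_file_perms` is, as far as I recall, a wider set than `{ getattr read write ioctl }`; confirm both against the support macros at this revision. Passing the object type as both the directory and the object argument therefore grants directory access that the old rules did not, and the same holds for `read_fifo_files_pattern`, `relabelto_files_pattern`, `manage_files_pattern` and `getattr_files_pattern` in the hunks at -84, -103, -122 and -140. Where only the object permission is intended, keep the direct rule, e.g. `allow fsadm_t $3:chr_file { getattr read write ioctl };`, and compare the expanded policy before and after the patch to see exactly which rules were added. The enclosing interface definitions start outside these hunks.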
@@ -140,5 +140,23 @@
 type swapfile_t;
 ')
- allow $1 swapfile_t:file getattr;
+ getattr_files_pattern($1, swapfile_t, swapfile_t)
 ')
+
+########################################
+## <summary>
+## Signal the fstools domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`fstools_signal',`
+ gen_require(`
+ type fsadm_t;
+ ')
+
+ allow $1 fsadm_t:process signal;
+')
Index: /home/domg472/Workspace/refpolicy_trunk/policy/modules/system/fstools.te
===================================================================
--- /home/domg472/Workspace/refpolicy_trunk/policy/modules/system/fstools.te (revision 2758)
+++ /home/domg472/Workspace/refpolicy_trunk/policy/modules/system/fstools.te (working copy)
@@ -1,5 +1,5 @@
-policy_module(fstools,1.10.0)
+policy_module(fstools, 1.10.0)
 ########################################
 #
@@ -8,7 +8,7 @@
 type fsadm_t;
 type fsadm_exec_t;
-init_system_domain(fsadm_t,fsadm_exec_t)
+init_system_domain(fsadm_t, fsadm_exec_t)
 role system_r types fsadm_t;
 type fsadm_log_t;
@@ -42,17 +42,16 @@
 can_exec(fsadm_t, fsadm_exec_t)
-allow fsadm_t fsadm_tmp_t:dir manage_dir_perms;
-allow fsadm_t fsadm_tmp_t:file manage_file_perms;
+manage_dirs_pattern(fsadm_t, fsadm_tmp_t, fsadm_tmp_t)
+manage_files_pattern(fsadm_t, fsadm_tmp_t, fsadm_tmp_t)
 files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })
-# log files
-allow fsadm_t fsadm_log_t:dir setattr;
-manage_files_pattern(fsadm_t,fsadm_log_t,fsadm_log_t)
-logging_log_filetrans(fsadm_t,fsadm_log_t,file)
+manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
+logging_log_filetrans(fsadm_t, fsadm_log_t, file)
 # Enable swapping to files
-allow fsadm_t swapfile_t:file { rw_file_perms swapon };
+allow fsadm_t swapfile_t:file swapon; # this is no file perm!
+manage_files_pattern(fsadm_t, swapfile_t, swapfile_t)
 kernel_read_system_state(fsadm_t)
 kernel_read_kernel_sysctls(fsadm_t)
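Review bot: The summary of the new `fstools_signal` interface does not say which signals it covers, and no caller is added in this patch (it may be in the companion patch the description refers to). `process signal` is the generic-signal permission; SIGKILL, SIGSTOP, SIGCHLD and the null signal have their own `process` permissions, so `## Send generic signals to the fsadm_t domain.` would state the grant more precisely. If nothing calls the interface yet, it is better added together with its first user so the reason for letting another domain signal `fsadm_t` is on record.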
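Review bot: The swap rule in the `@@ -42,17 +42,16 @@` hunk widens `fsadm_t` from `rw_file_perms` on `swapfile_t` files to `manage_file_perms` (create, unlink, rename, setattr and more), and `manage_files_pattern` also adds read-write access to `swapfile_t` directories; the description calls the changes trivial and gives no reason for this. If the old access is all that is needed, keep `allow fsadm_t swapfile_t:file { rw_file_perms swapon };`, or use `rw_files_pattern(fsadm_t, swapfile_t, swapfile_t)` next to the `swapon` rule if the directory rule is wanted. The inline comment `# this is no file perm!` is misleading, because `swapon` is a permission of the `file` class; `# swapon is not included in any *_file_perms set` says what is presumably meant. The hunk also drops `allow fsadm_t fsadm_log_t:dir setattr;` with no replacement, so check that the tool that needed it still works.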
@@ -110,7 +109,6 @@
 term_use_console(fsadm_t)
 corecmd_exec_bin(fsadm_t)
-#RedHat bug #201164
 corecmd_exec_shell(fsadm_t)
 # cjp: these are probably not needed:
@@ -170,7 +168,7 @@
 optional_policy(`
 # for smartctl cron jobs
- cron_system_entry(fsadm_t,fsadm_exec_t)
+ cron_system_entry(fsadm_t, fsadm_exec_t)
 ')
 optional_policy(`
-- Dominick Grift <domg472@xxxxxxxxx>