RH changes to the inetd module, most of these are related to the MLS/MCS override which is already present in the module...
Index: refpolicy/policy/modules/services/inetd.if
===================================================================
--- refpolicy.orig/policy/modules/services/inetd.if 2008-08-03 16:47:00.000000000 +0200
+++ refpolicy/policy/modules/services/inetd.if 2008-08-03 21:25:12.000000000 +0200
@@ -115,6 +115,10 @@
 allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
 allow $1 inetd_t:udp_socket rw_socket_perms;
+
+ optional_policy(`
+ stunnel_service_domain($1,$2)
+ ')
 ')
 ########################################
Index: refpolicy/policy/modules/services/inetd.te
===================================================================
--- refpolicy.orig/policy/modules/services/inetd.te 2008-08-03 16:47:00.000000000 +0200
+++ refpolicy/policy/modules/services/inetd.te 2008-08-03 21:25:12.000000000 +0200
@@ -30,6 +30,10 @@
 type inetd_child_var_run_t;
 files_pid_file(inetd_child_var_run_t)
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(inetd_t,inetd_exec_t,s0 - mcs_systemhigh)
+')
+
 ########################################
 #
 # Local policy
@@ -84,6 +88,7 @@
 corenet_udp_bind_ftp_port(inetd_t)
 corenet_tcp_bind_inetd_child_port(inetd_t)
 corenet_udp_bind_inetd_child_port(inetd_t)
+corenet_tcp_bind_ircd_port(inetd_t)
 corenet_udp_bind_ktalkd_port(inetd_t)
 corenet_tcp_bind_printer_port(inetd_t)
 corenet_udp_bind_rlogind_port(inetd_t)
@@ -137,6 +142,7 @@
 miscfiles_read_localization(inetd_t)
 # xinetd needs MLS override privileges to work
+mls_fd_use_all_levels(inetd_t)
 mls_fd_share_all_levels(inetd_t)
 mls_socket_read_to_clearance(inetd_t)
 mls_socket_write_to_clearance(inetd_t)
@@ -165,6 +171,7 @@
 ')
 optional_policy(`
+ unconfined_domain(inetd_t)
 unconfined_domtrans(inetd_t)
 ')
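Review bot: The interface gains a second effect — every domain registered through it is also made a stunnel service domain when the stunnel module is loaded — but its documentation header, which lies above the hunk, is not updated. Add a line to its `## <summary>` such as `## When the stunnel module is present the domain is also registered as a stunnel service domain, so it may be launched via stunnel as well as inetd.` The enclosing interface starts outside the hunk, so the existing parameter comment for `$2` should be checked to confirm it describes the entrypoint type that is now passed on to stunnel_service_domain as well.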
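Review bot: The ranged daemon declaration in the inetd.te `@@ -30` hunk is gated only on `enable_mcs`, so under an MLS policy inetd still runs unranged even though the description and the mls_* overrides added later in the file treat MLS as a target; if that is unintended, a parallel `ifdef(`enable_mls',` init_ranged_daemon_domain(inetd_t, inetd_exec_t, s0 - mls_systemhigh) ')` block is the usual pattern. If an unconditional init_daemon_domain(inetd_t, inetd_exec_t) call exists above the hunk, the two declarations overlap under MCS; I cannot see from here which is present. A comment stating why the range is needed (presumably so the services it spawns can run at any MCS level — to be confirmed) would help the next reader. The new call also writes `inetd_t,inetd_exec_t` with no space after the commas, while the file's existing calls such as `manage_dirs_pattern(inetd_child_t, inetd_child_tmp_t, inetd_child_tmp_t)` separate arguments with a space; the same applies to `stunnel_service_domain($1,$2)` in inetd.if and `inetd_service_domain(inetd_child_t,bin_t)` in the last hunk.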
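Review bot: `unconfined_domain(inetd_t)` in the `@@ -165` hunk makes xinetd itself unconfined whenever the unconfined module is loaded, which is a far broader change than the MLS/MCS overrides the description announces, and it is unconditional rather than behind a tunable. Once inetd_t is unconfined, the port binds and mls_* overrides granted to it elsewhere in this file are, as far as I can tell, subsumed, so the reason should be recorded next to the call, e.g. `# xinetd runs unconfined when the unconfined module is loaded; NOTE(review): document which denial motivated this`. If unconfining xinetd is only needed on some configurations, gating the line behind a tunable_policy would keep the default confined.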
@@ -181,6 +188,9 @@
 # for identd
 allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 allow inetd_child_t self:capability { setuid setgid };
+allow inetd_child_t self:dir search;
+allow inetd_child_t self:{ lnk_file file } { getattr read };
+
 files_search_home(inetd_child_t)
 manage_dirs_pattern(inetd_child_t, inetd_child_tmp_t, inetd_child_tmp_t)
@@ -227,3 +237,7 @@
 optional_policy(`
 unconfined_domain(inetd_child_t)
 ')
+
+optional_policy(`
+ inetd_service_domain(inetd_child_t,bin_t)
+')
-- 
David Härdeman
--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
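Review bot: The two new self rules in the `@@ -181` hunk use bare permission lists where the lines just above use refpolicy permission-set macros (`r_netlink_socket_perms`, `rw_socket_perms`); `allow inetd_child_t self:dir search_dir_perms;` / `allow inetd_child_t self:file read_file_perms;` / `allow inetd_child_t self:lnk_file read_lnk_file_perms;` would match the module's style, with the caveat that `read_file_perms` grants slightly more than `{ getattr read }`, so keep the bare list if that exactness is intended. The lines also sit under the `# for identd` comment without a rationale of their own; self:dir/file/lnk_file on a process domain usually means access to the process's own /proc entry, so a hedged comment such as `# read own /proc/<pid> entries — presumably for identd, confirm` would record the intent.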
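Review bot: The entrypoint passed to `inetd_service_domain` in the `@@ -227` hunk is the generic `bin_t`, so every executable of that type that inetd_t runs will transition to inetd_child_t, and through the inetd.if hunk it is also handed to stunnel_service_domain; a comment should say this is the catch-all for xinetd services without a policy of their own, if that is the intent, because a generic file type used as a domain entrypoint is unusual and easy to misread. The `optional_policy` wrapper around a call to this module's own interface looks unnecessary — optional blocks are for interfaces of modules that may be absent — unless it is meant to cover the stunnel dependency inside the interface, which is already optional there.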