From 2af7b42a0667a26f70234079f3d4e3a91e78fd4d Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Aug 22 2007 20:21:52 +0000 Subject: trunk: switch daemons from inheriting from all levels to initrc_t sharing to all levels. --- diff --git a/Changelog b/Changelog index d5d9fe2..fa8709a 100644 --- a/Changelog +++ b/Changelog @@ -1,3 +1,5 @@ +- Allow initrc_t file descriptors to be inherited regardless of MLS level. + Accordingly drop MLS permissions from daemons that inherit from any level. - Files and radvd updates from Stefan Schulze Frielinghaus. - Deprecate mls_file_write_down() and mls_file_read_up(), replaced with mls_write_all_levels() and mls_read_all_levels(), for consistency. diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te index f90d054..89b05c3 100644 --- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -1,5 +1,5 @@ -policy_module(cups,1.7.1) +policy_module(cups,1.7.2) ######################################## # @@ -165,7 +165,6 @@ domain_read_all_domains_state(cupsd_t) fs_getattr_all_fs(cupsd_t) fs_search_auto_mountpoints(cupsd_t) -mls_fd_use_all_levels(cupsd_t) mls_file_downgrade(cupsd_t) mls_file_write_all_levels(cupsd_t) mls_file_read_all_levels(cupsd_t) diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te index fc6a7b8..88311e1 100644 --- a/policy/modules/services/inetd.te +++ b/policy/modules/services/inetd.te @@ -1,5 +1,5 @@ -policy_module(inetd,1.4.0) +policy_module(inetd,1.4.1) ######################################## # @@ -132,11 +132,9 @@ logging_send_syslog_msg(inetd_t) miscfiles_read_localization(inetd_t) # xinetd needs MLS override privileges to work -mls_fd_use_all_levels(inetd_t) mls_fd_share_all_levels(inetd_t) mls_socket_read_to_clearance(inetd_t) mls_process_set_level(inetd_t) -mls_socket_read_to_clearance(inetd_t) sysnet_read_config(inetd_t) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index e4f2b87..0b75d1c 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1,5 +1,5 @@ -policy_module(init,1.7.2) +policy_module(init,1.7.3) gen_require(` class passwd rootok; @@ -292,6 +292,7 @@ mls_file_write_all_levels(initrc_t) mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) +mls_fd_share_all_levels(initrc_t) selinux_get_enforce_mode(initrc_t) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 9628ffb..a649c07 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -1,5 +1,5 @@ -policy_module(logging,1.7.1) +policy_module(logging,1.7.2) ######################################## # @@ -155,7 +155,6 @@ miscfiles_read_localization(auditd_t) mls_file_read_all_levels(auditd_t) mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory -mls_fd_use_all_levels(auditd_t) seutil_dontaudit_read_config(auditd_t) diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te index 4c263a3..3c4a73a 100644 --- a/policy/modules/system/setrans.te +++ b/policy/modules/system/setrans.te @@ -1,5 +1,5 @@ -policy_module(setrans,1.3.1) +policy_module(setrans,1.3.2) ######################################## # @@ -58,7 +58,6 @@ mls_net_receive_all_levels(setrans_t) mls_socket_write_all_levels(setrans_t) mls_process_read_up(setrans_t) mls_socket_read_all_levels(setrans_t) -mls_fd_use_all_levels(setrans_t) selinux_compute_access_vector(setrans_t)