[389-devel] Please Review: (594745) Get rid of dirsrv_lib_t label (ds patch)


 




>From 8137a2e8a917d0ddf0cc3d4826e88f0acfcdcff5 Mon Sep 17 00:00:00 2001
From: Nathan Kinder <nkinder@xxxxxxxxxx>
Date: Thu, 29 Jul 2010 15:16:44 -0700
Subject: [PATCH] Bug 594745 - Get rid of dirsrv_lib_t label

The dirsrv_lib_t label applied to the dirsrv libraries causes AVC
denials when prelink runs.  It turns out that the dirsrv_lib_t
label is not actually necessary: our libraries can simply use the
default lib_t label.
---
 selinux/dirsrv.fc.in |    2 --
 selinux/dirsrv.if    |   22 ----------------------
 selinux/dirsrv.te    |    9 ---------
 3 files changed, 0 insertions(+), 33 deletions(-)

diff --git a/selinux/dirsrv.fc.in b/selinux/dirsrv.fc.in
index f61a871..1cfce88 100644
--- a/selinux/dirsrv.fc.in
+++ b/selinux/dirsrv.fc.in
@@ -8,8 +8,6 @@
 @sbindir@/ldap-agent-bin		--	gen_context(system_u:object_r:dirsrv_snmp_exec_t,s0)
 @sbindir@/start-dirsrv			--	gen_context(system_u:object_r:initrc_exec_t,s0)
 @sbindir@/restart-dirsrv		--	gen_context(system_u:object_r:initrc_exec_t,s0)
-@serverdir@					gen_context(system_u:object_r:dirsrv_lib_t,s0)
-@serverdir@(/.*)				gen_context(system_u:object_r:dirsrv_lib_t,s0)
 @localstatedir@/run/@package_name@		gen_context(system_u:object_r:dirsrv_var_run_t,s0)
 @localstatedir@/run/@package_name@(/.*)		gen_context(system_u:object_r:dirsrv_var_run_t,s0)
 @localstatedir@/run/ldap-agent.pid		gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0)
diff --git a/selinux/dirsrv.if b/selinux/dirsrv.if
index ed88fb2..6478799 100644
--- a/selinux/dirsrv.if
+++ b/selinux/dirsrv.if
@@ -174,28 +174,6 @@ interface(`dirsrv_manage_config',`
 
 ########################################
 ## <summary>
-##      Read and exec dirsrv lib files.
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
-## </param>
-#
-interface(`dirsrv_exec_lib',`
-	gen_require(`
-		type dirsrv_lib_t;
-	')
-
-	allow $1 dirsrv_lib_t:dir search_dir_perms;
-	allow $1 dirsrv_lib_t:file exec_file_perms;
-	allow $1 dirsrv_lib_t:link_file exec_file_perms;
-	# Not all platforms include ioctl in exec_file_perms
-	allow $1 dirsrv_lib_t:file ioctl;
-')
-
-########################################
-## <summary>
 ##      Read dirsrv share files.
 ## </summary>
 ## <param name="domain">
diff --git a/selinux/dirsrv.te b/selinux/dirsrv.te
index e24ca93..d9c810d 100644
--- a/selinux/dirsrv.te
+++ b/selinux/dirsrv.te
@@ -25,10 +25,6 @@ type dirsrv_snmp_exec_t;
 domain_type(dirsrv_snmp_t)
 init_daemon_domain(dirsrv_snmp_t, dirsrv_snmp_exec_t)
 
-# dynamic libraries
-type dirsrv_lib_t;
-files_type(dirsrv_lib_t)
-
 # var/lib files
 type dirsrv_var_lib_t;
 files_type(dirsrv_var_lib_t)
@@ -93,11 +89,6 @@ allow dirsrv_t self:sem all_sem_perms;
 manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
 fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, file)
 
-# dynamic libraries
-allow dirsrv_t dirsrv_lib_t:file exec_file_perms;
-allow dirsrv_t dirsrv_lib_t:lnk_file read_lnk_file_perms;
-allow dirsrv_t dirsrv_lib_t:dir search_dir_perms;
-
 # var/lib files for dirsrv
 manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
 manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
-- 
1.6.2.5

