author | Nathan Kinder <nkinder@redhat.com> | 2010-07-29 15:16:44 -0700 |
---|---|---|
committer | Nathan Kinder <nkinder@redhat.com> | 2010-08-03 10:36:22 -0700 |
commit | 271943190d35c65c9333875701492efe42287f41 (patch) | |
tree | 47f1ff9d85d76b53f1affe30483c2919d9e99768 | |
parent | 34c4ab700d99e455ba3523e7d7a02e4eae401d3d (diff) | |
Bug 594745 - Get rid of dirsrv_lib_t label
The dirsrv_lib_t label used to label the dirsrv libraries is causing
AVCs to occur from prelink. It turns out that the dirsrv_lib_t
label is not really necessary. We can just allow our libraries to
use the default label of lib_t.
-rw-r--r-- | selinux/dirsrv.fc.in | 2 | ||||
-rw-r--r-- | selinux/dirsrv.if | 22 | ||||
-rw-r--r-- | selinux/dirsrv.te | 9 |
3 files changed, 0 insertions, 33 deletions
diff --git a/selinux/dirsrv.fc.in b/selinux/dirsrv.fc.in
index f61a8710..1cfce884 100644
--- a/selinux/dirsrv.fc.in
+++ b/selinux/dirsrv.fc.in
@@ -8,8 +8,6 @@
 @sbindir@/ldap-agent-bin -- gen_context(system_u:object_r:dirsrv_snmp_exec_t,s0)
 @sbindir@/start-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0)
 @sbindir@/restart-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0)
-@serverdir@ gen_context(system_u:object_r:dirsrv_lib_t,s0)
-@serverdir@(/.*) gen_context(system_u:object_r:dirsrv_lib_t,s0)
 @localstatedir@/run/@package_name@ gen_context(system_u:object_r:dirsrv_var_run_t,s0)
 @localstatedir@/run/@package_name@(/.*) gen_context(system_u:object_r:dirsrv_var_run_t,s0)
 @localstatedir@/run/ldap-agent.pid gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0)
diff --git a/selinux/dirsrv.if b/selinux/dirsrv.if
index ed88fb22..64787994 100644
--- a/selinux/dirsrv.if
+++ b/selinux/dirsrv.if
@@ -174,28 +174,6 @@ interface(`dirsrv_manage_config',`
 ########################################
 ## <summary>
-## Read and exec dirsrv lib files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`dirsrv_exec_lib',`
- gen_require(`
- type dirsrv_lib_t;
- ')
-
- allow $1 dirsrv_lib_t:dir search_dir_perms;
- allow $1 dirsrv_lib_t:file exec_file_perms;
- allow $1 dirsrv_lib_t:link_file exec_file_perms;
- # Not all platforms include ioctl in exec_file_perms
- allow $1 dirsrv_lib_t:file ioctl;
-')
-
-########################################
-## <summary>
 ## Read dirsrv share files.
 ## </summary>
 ## <param name="domain">
diff --git a/selinux/dirsrv.te b/selinux/dirsrv.te
index e24ca933..d9c810dc 100644
--- a/selinux/dirsrv.te
+++ b/selinux/dirsrv.te
@@ -25,10 +25,6 @@ type dirsrv_snmp_exec_t;
 domain_type(dirsrv_snmp_t)
 init_daemon_domain(dirsrv_snmp_t, dirsrv_snmp_exec_t)
-# dynamic libraries
-type dirsrv_lib_t;
-files_type(dirsrv_lib_t)
-
 # var/lib files
 type dirsrv_var_lib_t;
 files_type(dirsrv_var_lib_t)
@@ -93,11 +89,6 @@ allow dirsrv_t self:sem all_sem_perms;
 manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
 fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, file)
-# dynamic libraries
-allow dirsrv_t dirsrv_lib_t:file exec_file_perms;
-allow dirsrv_t dirsrv_lib_t:lnk_file read_lnk_file_perms;
-allow dirsrv_t dirsrv_lib_t:dir search_dir_perms;
-
 # var/lib files for dirsrv
 manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
 manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t) |