From 7e577a269e620dd68bc8d903970a69a63a6c2131 Mon Sep 17 00:00:00 2001
From: Nathan Straz
Date: Thu, 3 Dec 2009 11:47:41 -0500
Subject: Only include lvm and logging parts of system policy
There were a lot of bad things to include in the system layer. Exclude anything with "spec" in the name.
---
 SELinux/Makefile | 15 +++++++++++----
 SELinux/qarshd.bad-interfaces | 13 -------------
 2 files changed, 11 insertions(+), 17 deletions(-)
(limited to 'SELinux')
diff --git a/SELinux/Makefile b/SELinux/Makefile
index 8b978d7..1a0c6ee 100644
--- a/SELinux/Makefile
+++ b/SELinux/Makefile
@@ -10,17 +10,24 @@ qarshd.te: qarshd.te.in qarshd.te.trans
 # Pull all interfaces listed in policy.xml from the services or apps layer
 # which have one parameter named domains and whose name contains domtrans
-allinterfaces := $(shell gxpp '//layer[@name = "services" or @name = "apps" or @name = "system"]//interface[param/@name="domain" and count(param) = 1 and contains(@name, "domtrans")]/@name' $(selinux_devel)/policy.xml)
+interfacecond := param/@name="domain" and count(param)=1 and contains(@name, "domtrans") and not(contains(@name, "_spec"))
+allinterfaces := $(shell gxpp '//layer[@name = "services" or @name = "apps"]//interface[$(interfacecond)]/@name' $(selinux_devel)/policy.xml)
+allinterfaces += $(shell gxpp '//layer[@name = "system"]//module[@name="lvm" or @name="logging"]/interface[$(interfacecond)]/@name' $(selinux_devel)/policy.xml)
 badinterfaces := $(shell cat qarshd.bad-interfaces)
 # Filter out interfaces which break policy building or loading.
-interfaces = $(filter-out $(badinterfaces), $(allinterfaces))
+interfaces := $(filter-out $(badinterfaces), $(allinterfaces))
-qarshd.te.trans: $(selinux_devel)/policy.xml qarshd.bad-interfaces
- for d in $(interfaces); do \
+qarshd.te.trans: $(selinux_devel)/policy.xml qarshd.bad-interfaces Makefile
+ @for d in $(interfaces); do \
 echo "$$d(qarshd_t)"; \
 done > $@
+# Helpful target to see what is not needed in bad-interfaces
+notbad := $(filter-out $(filter $(badinterfaces), $(allinterfaces)), $(badinterfaces))
+qarshd.notbad:
+ @echo $(notbad) | sort
+
 # Add a cleanup step for our generated files
 clean: clean-qarsh
diff --git a/SELinux/qarshd.bad-interfaces b/SELinux/qarshd.bad-interfaces
index 3139085..dcbd038 100644
--- a/SELinux/qarshd.bad-interfaces
+++ b/SELinux/qarshd.bad-interfaces
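Review bot: In the new `qarshd.notbad` recipe, `@echo $(notbad) | sort` sorts nothing, because echo prints every name on a single line; `@printf '%s\n' $(sort $(notbad))` would list them one per line in order, and the target wants a `.PHONY: qarshd.notbad` unless one is declared outside this hunk. The comment above `allinterfaces` is also stale after this change: it names only the services and apps layers and a parameter called `domains`, while the new queries test `param/@name="domain"`, add the `lvm` and `logging` modules of the system layer and skip names containing `_spec`. Each selected name is written to qarshd.te.trans as a `name(qarshd_t)` call, so this comment documents which domain-transition interfaces the module invokes for qarshd_t and should state the real rule, for example `# Pull single-parameter ("domain") domtrans interfaces from the services and apps layers, plus the lvm and logging modules of the system layer, skipping names that contain "_spec"`.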
@@ -7,26 +7,13 @@ bluetooth_domtrans_helper
 clockspeed_domtrans_cli
 ddclient_domtrans
 ifplugd_domtrans
-locallogin_domtrans
-locallogin_domtrans_sulogin
-modutils_domtrans_insmod
-mount_domtrans
 oav_domtrans_update
 openca_domtrans
-pki_ca_script_domtrans
-pki_kra_script_domtrans
-pki_ocsp_script_domtrans
-pki_ra_script_domtrans
-pki_tks_script_domtrans
-pki_tps_script_domtrans
 portslave_domtrans
 qemu_domtrans
 rgmanager_domtrans
 samba_domtrans_net
 sendmail_domtrans
-seutil_domtrans_restorecon
-seutil_domtrans_setfiles_mac
-seutil_init_script_domtrans_runinit
 thunderbird_domtrans
 uwimap_domtrans
 wireshark_domtrans
-- cgit