commit: bf96509f09ff0319b82a07f8f8a858293e82ed8c |
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> |
AuthorDate: Wed May 24 23:36:04 2017 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Thu May 25 16:32:29 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bf96509f |
|
corenet/sysadm: Move lines. |
|
policy/modules/kernel/corenetwork.if.in | 138 ++++++++++++++++---------------- |
policy/modules/roles/sysadm.te | 6 +- |
2 files changed, 72 insertions(+), 72 deletions(-) |
|
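diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index 46fc4f11..4d618d94 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -213,6 +213,60 @@ interface(`corenet_spd_type',`
 
 ########################################
 ## <summary>
+## Define type to be an infiniband pkey type
+## </summary>
+## <desc>
+## <p>
+## Define type to be an infiniband pkey type
+## </p>
+## <p>
+## This is for supporting third party modules and its
+## use is not allowed in upstream reference policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used for infiniband pkeys.
+## </summary>
+## </param>
+#
+interface(`corenet_ib_pkey',`
+ gen_require(`
+ attribute ibpkey_type;
+ ')
+
+ typeattribute $1 ibpkey_type;
+')
+
+########################################
+## <summary>
+## Define type to be an infiniband endport
+## </summary>
+## <desc>
+## <p>
+## Define type to be an infiniband endport
+## </p>
+## <p>
+## This is for supporting third party modules and its
+## use is not allowed in upstream reference policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used for infiniband endports.
+## </summary>
+## </param>
+#
+interface(`corenet_ib_endport',`
+ gen_require(`
+ attribute ibendport_type;
+ ')
+
+ typeattribute $1 ibendport_type;
+')
+
+########################################
+## <summary>
 ## Send and receive TCP network traffic on generic interfaces.
 ## </summary>
 ## <desc>
@@ -3138,51 +3192,6 @@ interface(`corenet_relabelto_all_packets',`
 
 ########################################
 ## <summary>
-## Unconfined access to network objects.
-## </summary>
-## <param name="domain">
-## <summary>
-## The domain allowed access.
-## </summary>
-## </param>
-#
-interface(`corenet_unconfined',`
- gen_require(`
- attribute corenet_unconfined_type;
- ')
-
- typeattribute $1 corenet_unconfined_type;
-')
-
-########################################
-## <summary>
-## Define type to be an infiniband pkey type
-## </summary>
-## <desc>
-## <p>
-## Define type to be an infiniband pkey type
-## </p>
-## <p>
-## This is for supporting third party modules and its
-## use is not allowed in upstream reference policy.
-## </p>
-## </desc>
-## <param name="domain">
-## <summary>
-## Type to be used for infiniband pkeys.
-## </summary>
-## </param>
-#
-interface(`corenet_ib_pkey',`
- gen_require(`
- attribute ibpkey_type;
- ')
-
- typeattribute $1 ibpkey_type;
-')
-
-########################################
-## <summary>
 ## Access unlabeled infiniband pkeys.
 ## </summary>
 ## <param name="domain">
@@ -3215,34 +3224,25 @@ interface(`corenet_ib_access_all_pkeys',`
 
 ########################################
 ## <summary>
-## Define type to be an infiniband endport
+## Manage subnets on all labeled Infiniband endports
 ## </summary>
-## <desc>
-## <p>
-## Define type to be an infiniband endport
-## </p>
-## <p>
-## This is for supporting third party modules and its
-## use is not allowed in upstream reference policy.
-## </p>
-## </desc>
 ## <param name="domain">
 ## <summary>
-## Type to be used for infiniband endports.
+## Domain allowed access.
 ## </summary>
 ## </param>
 #
-interface(`corenet_ib_endport',`
+interface(`corenet_ib_manage_subnet_all_endports',`
 gen_require(`
 attribute ibendport_type;
 ')
 
- typeattribute $1 ibendport_type;
+ allow $1 ibendport_type:infiniband_endport manage_subnet;
 ')
 
 ########################################
 ## <summary>
-## Manage subnets on all labeled Infiniband endports
+## Manage subnet on all unlabeled Infiniband endports
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -3250,24 +3250,24 @@ interface(`corenet_ib_endport',`
 ## </summary>
 ## </param>
 #
-interface(`corenet_ib_manage_subnet_all_endports',`
- gen_require(`
- attribute ibendport_type;
- ')
-
- allow $1 ibendport_type:infiniband_endport manage_subnet;
+interface(`corenet_ib_manage_subnet_unlabeled_endports',`
+ kernel_ib_manage_subnet_unlabeled_endports($1)
 ')
 
 ########################################
 ## <summary>
-## Manage subnet on all unlabeled Infiniband endports
+## Unconfined access to network objects.
 ## </summary>
 ## <param name="domain">
 ## <summary>
-## Domain allowed access.
+## The domain allowed access.
 ## </summary>
 ## </param>
 #
-interface(`corenet_ib_manage_subnet_unlabeled_endports',`
- kernel_ib_manage_subnet_unlabeled_endports($1)
+interface(`corenet_unconfined',`
+ gen_require(`
+ attribute corenet_unconfined_type;
+ ')
+
+ typeattribute $1 corenet_unconfined_type;
 ')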
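diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index aa687f78..508d2a9f 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -27,6 +27,9 @@ ifndef(`enable_mls',`
 
 corecmd_exec_shell(sysadm_t)
 
+corenet_ib_access_unlabeled_pkeys(sysadm_t)
+corenet_ib_manage_subnet_unlabeled_endports(sysadm_t)
+
 dev_read_kmsg(sysadm_t)
 
 mls_process_read_all_levels(sysadm_t)
@@ -46,9 +49,6 @@ selinux_read_policy(sysadm_t)
 userdom_manage_user_home_dirs(sysadm_t)
 userdom_home_filetrans_user_home_dir(sysadm_t)
 
-corenet_ib_access_unlabeled_pkeys(sysadm_t)
-corenet_ib_manage_subnet_unlabeled_endports(sysadm_t)
-
 ifdef(`direct_sysadm_daemon',`
 optional_policy(`
 init_run_daemon(sysadm_t, sysadm_r)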