>From 8137a2e8a917d0ddf0cc3d4826e88f0acfcdcff5 Mon Sep 17 00:00:00 2001
From: Nathan Kinder <nkin...@redhat.com>
Date: Thu, 29 Jul 2010 15:16:44 -0700
Subject: [PATCH] Bug 594745 - Get rid of dirsrv_lib_t label

The dirsrv_lib_t label used to label the dirsrv libraries is causing
AVCs to occur from prelink.  It turns out that the dirsrv_lib_t
label is not really necessary.  We can just allow our libraries to
use the default label of lib_t.
---
 selinux/dirsrv.fc.in |    2 --
 selinux/dirsrv.if    |   22 ----------------------
 selinux/dirsrv.te    |    9 ---------
 3 files changed, 0 insertions(+), 33 deletions(-)

diff --git a/selinux/dirsrv.fc.in b/selinux/dirsrv.fc.in
index f61a871..1cfce88 100644
--- a/selinux/dirsrv.fc.in
+++ b/selinux/dirsrv.fc.in
@@ -8,8 +8,6 @@
 @sbindir@/ldap-agent-bin               --      
gen_context(system_u:object_r:dirsrv_snmp_exec_t,s0)
 @sbindir@/start-dirsrv                 --      
gen_context(system_u:object_r:initrc_exec_t,s0)
 @sbindir@/restart-dirsrv               --      
gen_context(system_u:object_r:initrc_exec_t,s0)
-...@serverdir@                                 
gen_context(system_u:object_r:dirsrv_lib_t,s0)
-...@serverdir@(/.*)                            
gen_context(system_u:object_r:dirsrv_lib_t,s0)
 @localstatedir@/run/@package_name@             
gen_context(system_u:object_r:dirsrv_var_run_t,s0)
 @localstatedir@/run/@package_name@(/.*)                
gen_context(system_u:object_r:dirsrv_var_run_t,s0)
 @localstatedir@/run/ldap-agent.pid             
gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0)
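Review bot: Dropping the two @serverdir@ entries leaves already-installed systems with files still carrying dirsrv_lib_t, a type that no longer exists once the rebuilt module is loaded; the kernel maps such contexts to unlabeled_t, so dirsrv_t would be denied loading its own libraries until a relabel runs. Unless the packaging's post-install step already runs `restorecon -R @serverdir@` after the module is installed, that step should accompany this change. It is also worth confirming that the build's @serverdir@ really falls under a base-policy lib_t spec (e.g. with `matchpathcon @serverdir@`), since the description relies on the default label rather than adding an explicit one here.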
diff --git a/selinux/dirsrv.if b/selinux/dirsrv.if
index ed88fb2..6478799 100644
--- a/selinux/dirsrv.if
+++ b/selinux/dirsrv.if
@@ -174,28 +174,6 @@ interface(`dirsrv_manage_config',`
 
 ########################################
 ## <summary>
-##      Read and exec dirsrv lib files.
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
-## </param>
-#
-interface(`dirsrv_exec_lib',`
-       gen_require(`
-               type dirsrv_lib_t;
-       ')
-
-       allow $1 dirsrv_lib_t:dir search_dir_perms;
-       allow $1 dirsrv_lib_t:file exec_file_perms;
-       allow $1 dirsrv_lib_t:link_file exec_file_perms;
-       # Not all platforms include ioctl in exec_file_perms
-       allow $1 dirsrv_lib_t:file ioctl;
-')
-
-########################################
-## <summary>
 ##      Read dirsrv share files.
 ## </summary>
 ## <param name="domain">
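Review bot: Removing `dirsrv_exec_lib` deletes a public interface from dirsrv.if, so any external policy module that still calls it will fail at build time with an undefined-macro error rather than a clear message. Only dirsrv's own three files are touched here, so whether other modules call it cannot be seen from the patch; a deprecated stub that emits `refpolicywarn` and forwards to `libs_exec_lib_files($1)` would keep such callers building while steering them to the generic lib_t interface.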
diff --git a/selinux/dirsrv.te b/selinux/dirsrv.te
index e24ca93..d9c810d 100644
--- a/selinux/dirsrv.te
+++ b/selinux/dirsrv.te
@@ -25,10 +25,6 @@ type dirsrv_snmp_exec_t;
 domain_type(dirsrv_snmp_t)
 init_daemon_domain(dirsrv_snmp_t, dirsrv_snmp_exec_t)
 
-# dynamic libraries
-type dirsrv_lib_t;
-files_type(dirsrv_lib_t)
-
 # var/lib files
 type dirsrv_var_lib_t;
 files_type(dirsrv_var_lib_t)
@@ -93,11 +89,6 @@ allow dirsrv_t self:sem all_sem_perms;
 manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
 fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, file)
 
-# dynamic libraries
-allow dirsrv_t dirsrv_lib_t:file exec_file_perms;
-allow dirsrv_t dirsrv_lib_t:lnk_file read_lnk_file_perms;
-allow dirsrv_t dirsrv_lib_t:dir search_dir_perms;
-
 # var/lib files for dirsrv
 manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
 manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
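Review bot: With the three allow rules gone, dirsrv_t's ability to search, read and execute its own libraries now rests on a generic shared-library interface (libs_use_shared_libs or similar) being called elsewhere in dirsrv.te, which is outside this hunk and should be confirmed before the private type is dropped. The change also widens who may execute the plugin directory from dirsrv_t plus callers of dirsrv_exec_lib to every domain allowed lib_t, which is the usual trade for shared objects but deserves a line here so the next reader does not reintroduce a private type: `# Server libraries and plugins in @serverdir@ carry the base-policy lib_t label; dirsrv_t reaches them through the shared-library interfaces (bug 594745).`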
-- 
1.6.2.5
