* [refpolicy] [PATCH 12/13] Fix interfaces that use an undeclared identifier
@ 2018-04-11 18:57 James Carter
From: James Carter @ 2018-04-11 18:57 UTC (permalink / raw)
  To: refpolicy

All the interfaces below were always being removed because of unmet requires.

ccs.if:ccs_admin()
  Use cluster_conf_t instead of ccs_conf_t.
  Called in roles/sysadm.te.

cfengine.if:cfengine_dontaudit_write_log_files()
  Use cfengine_log_t instead of cfengine_var_log_t.
  Called in contrib/sendmail.te.

cobbler.if:cobbler_admin()
  Use cobbler_content_t instead of httpd_cobbler_content_t,
  httpd_cobbler_content_ra_t, and httpd_cobbler_content_rw_t.
  Called in roles/sysadm.te.

cron.if:cron_manage_system_spool()
  Use system_cron_spool_t instead of cron_system_spool_t.
  Called in system/init.te.

rpm.if:rpm_admin()
  Use rpm_var_cache_t instead of rpm_cache_t.
  Called in roles/sysadm.te

sssd.if:sssd_admin()
  Use sssd_var_log_t instead of sssd_log_t.
  Called in roles/sysadm.te

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
---
 ccs.if      | 4 ++--
 cfengine.if | 4 ++--
 cobbler.if  | 6 +++---
 cron.if     | 4 ++--
 rpm.if      | 4 ++--
 sssd.if     | 4 ++--
 6 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/ccs.if b/ccs.if
index 92f67fa..767fb71 100644
--- a/ccs.if
+++ b/ccs.if
@@ -99,7 +99,7 @@ interface(`ccs_admin',`
 	gen_require(`
 		type ccs_t, ccs_initrc_exec_t, cluster_conf_t;
 		type ccs_var_lib_t, ccs_var_log_t;
-		type ccs_var_run_t, ccs_tmp_t, ccs_conf_t;
+		type ccs_var_run_t, ccs_tmp_t;
 	')
 
 	allow $1 ccs_t:process { ptrace signal_perms };
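Review bot: The `allow $1 ccs_t:process { ptrace signal_perms };` rule at the end of this hunk starts taking effect for callers with this fix, since per the description ccs_admin() was previously dropped for its unmet require. The same holds for the ptrace rules in the cobbler_admin and sssd_admin hunks and for the manage access on system_cron_spool_t that cron_manage_system_spool() now gives its caller, so the patch widens the effective policy rather than only correcting names. Comparing the built policy before and after (for example with `sediff`) would confirm that the added rules are the ones intended. A comment above the rule, such as `# Lets the admin role trace and signal the ccs_t domain.`, would make that grant easy to spot in review. The body of ccs_admin continues outside the hunk.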
@@ -108,7 +108,7 @@ interface(`ccs_admin',`
 	init_startstop_service($1, $2, ccs_t, ccs_initrc_exec_t)
 
 	files_search_etc($1)
-	admin_pattern($1, ccs_conf_t)
+	admin_pattern($1, cluster_conf_t)
 
 	files_search_var_lib($1)
 	admin_pattern($1, ccs_var_lib_t)
diff --git a/cfengine.if b/cfengine.if
index fdef5f3..ff0b003 100644
--- a/cfengine.if
+++ b/cfengine.if
@@ -65,10 +65,10 @@ interface(`cfengine_read_lib_files',`
 #
 interface(`cfengine_dontaudit_write_log_files',`
 	gen_require(`
-		type cfengine_var_log_t;
+		type cfengine_log_t;
 	')
 
-	dontaudit $1 cfengine_var_log_t:file write_file_perms;
+	dontaudit $1 cfengine_log_t:file write_file_perms;
 ')
 
 ########################################
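Review bot: With the require now resolvable, the `dontaudit $1 cfengine_log_t:file write_file_perms;` rule becomes active for its callers (the description names contrib/sendmail.te), so denied writes to cfengine_log_t from those domains will no longer produce AVC records. That is the purpose of the interface, but it also removes a signal that someone investigating the calling domain might look for. I would add a comment above the rule, e.g. `# Hides denied writes to cfengine logs; rebuild with semodule -DB to see them.`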
diff --git a/cobbler.if b/cobbler.if
index 40f8999..6c6b575 100644
--- a/cobbler.if
+++ b/cobbler.if
@@ -154,8 +154,8 @@ interface(`cobbler_manage_lib_files',`
 interface(`cobbler_admin',`
 	gen_require(`
 		type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
-		type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t;
-		type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t, cobbler_tmp_t;
+		type cobbler_etc_t, cobblerd_initrc_exec_t, cobbler_content_t;
+		type cobbler_tmp_t;
 	')
 
 	allow $1 cobblerd_t:process { ptrace signal_perms };
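Review bot: The require block now names only `cobbler_content_t` where three content types (plain, `_ra`, `_rw`) were listed, and the second cobbler.if hunk narrows `admin_pattern` the same way. From the hunks alone I cannot tell whether separate appendable or writable cobbler web-content types are still declared under other names; if they are, they fall outside cobbler_admin() after this change. If cobbler_content_t is the only one, a comment above the `admin_pattern($1, cobbler_content_t)` line such as `# cobbler_content_t is the single type for cobbler web content.` would record that. The body of cobbler_admin continues outside this hunk.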
@@ -176,5 +176,5 @@ interface(`cobbler_admin',`
 	admin_pattern($1, cobbler_var_log_t)
 
 	apache_search_sys_content($1)
-	admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t })
+	admin_pattern($1, cobbler_content_t)
 ')
diff --git a/cron.if b/cron.if
index 23bd141..d40848a 100644
--- a/cron.if
+++ b/cron.if
@@ -699,11 +699,11 @@ interface(`cron_use_system_job_fds',`
 #
 interface(`cron_manage_system_spool',`
 	gen_require(`
-		type cron_system_spool_t;
+		type system_cron_spool_t;
 	')
 
 	files_search_spool($1)
-	manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
+	manage_files_pattern($1, system_cron_spool_t, system_cron_spool_t)
 ')
 
 ########################################
diff --git a/rpm.if b/rpm.if
index 016cdb2..d316410 100644
--- a/rpm.if
+++ b/rpm.if
@@ -613,7 +613,7 @@ interface(`rpm_pid_filetrans_rpm_pid',`
 interface(`rpm_admin',`
 	gen_require(`
 		type rpm_t, rpm_script_t, rpm_initrc_exec_t;
-		type rpm_cache_t, rpm_var_lib_t, rpm_lock_t;
+		type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t;
 		type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t, rpm_var_run_t;
 		type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t;
 	')
@@ -626,7 +626,7 @@ interface(`rpm_admin',`
 	admin_pattern($1, rpm_file_t)
 
 	files_list_var($1)
-	admin_pattern($1, rpm_cache_t)
+	admin_pattern($1, rpm_var_cache_t)
 
 	files_list_tmp($1)
 	admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t })
diff --git a/sssd.if b/sssd.if
index e1b4cb0..bdb7f88 100644
--- a/sssd.if
+++ b/sssd.if
@@ -336,7 +336,7 @@ interface(`sssd_admin',`
 	gen_require(`
 		type sssd_t, sssd_public_t, sssd_initrc_exec_t;
 		type sssd_var_lib_t, sssd_var_run_t, sssd_conf_t;
-		type sssd_log_t;
+		type sssd_var_log_t;
 	')
 
 	allow $1 sssd_t:process { ptrace signal_perms };
@@ -354,5 +354,5 @@ interface(`sssd_admin',`
 	admin_pattern($1, sssd_var_run_t)
 
 	logging_search_logs($1)
-	admin_pattern($1, sssd_log_t)
+	admin_pattern($1, sssd_var_log_t)
 ')
-- 
2.13.6
