* [PATCH] Move 'locallogin_*' interface uses into 'optioal_policy'
@ 2018-11-17  4:37 David Sugar
  2018-11-17 23:55 ` Chris PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: David Sugar @ 2018-11-17  4:37 UTC (permalink / raw)
  To: selinux-refpolicy

Allow the locallogin module to be turned off.  This required every use
of its interfaces to be moved into an optional_policy block.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/admin/dmidecode.te         |  7 +++++--
 policy/modules/admin/firstboot.te         |  6 ++++--
 policy/modules/admin/mcelog.te            |  6 ++++--
 policy/modules/admin/tzdata.te            |  6 ++++--
 policy/modules/admin/vpn.te               |  6 ++++--
 policy/modules/apps/java.te               |  6 ++++--
 policy/modules/apps/loadkeys.te           |  6 ++++--
 policy/modules/apps/wm.te                 |  6 ++++--
 policy/modules/services/bluetooth.te      |  5 ++++-
 policy/modules/services/chronyd.te        |  5 +++--
 policy/modules/services/oddjob.te         |  6 ++++--
 policy/modules/services/pcscd.te          |  6 ++++--
 policy/modules/services/pyzor.te          |  6 ++++--
 policy/modules/services/ricci.te          | 12 ++++++++----
 policy/modules/services/samba.te          |  6 ++++--
 policy/modules/services/setroubleshoot.te |  6 ++++--
 policy/modules/services/sysstat.te        |  6 ++++--
 policy/modules/services/xserver.te        |  6 ++++--
 policy/modules/system/getty.te            |  6 ++++--
 policy/modules/system/ipsec.te            | 12 ++++++++----
 policy/modules/system/setrans.te          |  6 ++++--
 policy/modules/system/systemd.te          |  6 ++++--
 policy/modules/system/xen.te              |  6 ++++--
 23 files changed, 100 insertions(+), 49 deletions(-)

diff --git a/policy/modules/admin/dmidecode.te b/policy/modules/admin/dmidecode.te
index bda30744..e5a481fa 100644
--- a/policy/modules/admin/dmidecode.te
+++ b/policy/modules/admin/dmidecode.te
@@ -29,6 +29,9 @@ files_list_usr(dmidecode_t)
 
 mls_file_read_all_levels(dmidecode_t)
 
-locallogin_use_fds(dmidecode_t)
-
 userdom_use_inherited_user_terminals(dmidecode_t)
+
+optional_policy(`
+	locallogin_use_fds(dmidecode_t)
+')
+
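Review bot: The last added line of this hunk (the bare `+` after the closing `')`) appends an empty line at the end of dmidecode.te, so the file now ends in a blank line. The other hunks in this series that append an optional_policy block at end of file (mcelog.te, chronyd.te, pyzor.te, sysstat.te) end on the `')` itself, and the diffstat's `7 +++++--` for this file versus `6 ++++--` for the rest is that extra line. Dropping the trailing `+` keeps the files consistent and avoids a whitespace-only diff in the next edit to this file.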
diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te
index 2ac82a13..140933f4 100644
--- a/policy/modules/admin/firstboot.te
+++ b/policy/modules/admin/firstboot.te
@@ -69,8 +69,6 @@ init_rw_utmp(firstboot_t)
 libs_exec_ld_so(firstboot_t)
 libs_exec_lib_files(firstboot_t)
 
-locallogin_use_fds(firstboot_t)
-
 logging_send_syslog_msg(firstboot_t)
 
 miscfiles_read_localization(firstboot_t)
@@ -96,6 +94,10 @@ optional_policy(`
 	')
 ')
 
+optional_policy(`
+	locallogin_use_fds(firstboot_t)
+')
+
 optional_policy(`
 	modutils_domtrans(firstboot_t)
 	modutils_read_module_config(firstboot_t)
diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te
index 1c342132..1728052e 100644
--- a/policy/modules/admin/mcelog.te
+++ b/policy/modules/admin/mcelog.te
@@ -93,8 +93,6 @@ files_read_etc_files(mcelog_t)
 
 mls_file_read_all_levels(mcelog_t)
 
-locallogin_use_fds(mcelog_t)
-
 miscfiles_read_localization(mcelog_t)
 
 tunable_policy(`mcelog_client',`
@@ -122,3 +120,7 @@ tunable_policy(`mcelog_syslog',`
 optional_policy(`
 	cron_system_entry(mcelog_t, mcelog_exec_t)
 ')
+
+optional_policy(`
+	locallogin_use_fds(mcelog_t)
+')
diff --git a/policy/modules/admin/tzdata.te b/policy/modules/admin/tzdata.te
index cbfb2299..35cd0fcc 100644
--- a/policy/modules/admin/tzdata.te
+++ b/policy/modules/admin/tzdata.te
@@ -25,14 +25,16 @@ fs_getattr_xattr_fs(tzdata_t)
 
 term_dontaudit_list_ptys(tzdata_t)
 
-locallogin_dontaudit_use_fds(tzdata_t)
-
 miscfiles_read_localization(tzdata_t)
 miscfiles_manage_localization(tzdata_t)
 miscfiles_etc_filetrans_localization(tzdata_t)
 
 userdom_use_user_terminals(tzdata_t)
 
+optional_policy(`
+	locallogin_dontaudit_use_fds(tzdata_t)
+')
+
 optional_policy(`
 	postfix_search_spool(tzdata_t)
 ')
diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
index 65de9063..99a9310b 100644
--- a/policy/modules/admin/vpn.te
+++ b/policy/modules/admin/vpn.te
@@ -98,8 +98,6 @@ init_dontaudit_use_fds(vpnc_t)
 libs_exec_ld_so(vpnc_t)
 libs_exec_lib_files(vpnc_t)
 
-locallogin_use_fds(vpnc_t)
-
 logging_send_syslog_msg(vpnc_t)
 logging_dontaudit_search_logs(vpnc_t)
 
@@ -122,6 +120,10 @@ optional_policy(`
 	')
 ')
 
+optional_policy(`
+	locallogin_use_fds(vpnc_t)
+')
+
 optional_policy(`
 	networkmanager_attach_tun_iface(vpnc_t)
 ')
diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
index 6502efeb..5cb8588d 100644
--- a/policy/modules/apps/java.te
+++ b/policy/modules/apps/java.te
@@ -139,11 +139,13 @@ corecmd_search_bin(java_t)
 
 dev_read_sysfs(java_t)
 
-locallogin_use_fds(java_t)
-
 userdom_read_user_tmp_files(java_t)
 userdom_use_user_terminals(java_t)
 
+optional_policy(`
+	locallogin_use_fds(java_t)
+')
+
 optional_policy(`
 	xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
 ')
diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
index 1976e2cb..71725fde 100644
--- a/policy/modules/apps/loadkeys.te
+++ b/policy/modules/apps/loadkeys.te
@@ -41,8 +41,6 @@ term_use_unallocated_ttys(loadkeys_t)
 
 init_read_script_tmp_files(loadkeys_t)
 
-locallogin_use_fds(loadkeys_t)
-
 miscfiles_read_localization(loadkeys_t)
 
 userdom_use_user_ttys(loadkeys_t)
@@ -52,6 +50,10 @@ optional_policy(`
 	keyboardd_read_pipes(loadkeys_t)
 ')
 
+optional_policy(`
+	locallogin_use_fds(loadkeys_t)
+')
+
 optional_policy(`
 	nscd_dontaudit_search_pid(loadkeys_t)
 ')
diff --git a/policy/modules/apps/wm.te b/policy/modules/apps/wm.te
index df481cc7..99bf1299 100644
--- a/policy/modules/apps/wm.te
+++ b/policy/modules/apps/wm.te
@@ -65,8 +65,6 @@ kernel_read_fs_sysctls(wm_domain)
 kernel_read_proc_symlinks(wm_domain)
 kernel_read_sysctl(wm_domain)
 
-locallogin_dontaudit_use_fds(wm_domain)
-
 miscfiles_read_fonts(wm_domain)
 miscfiles_read_generic_certs(wm_domain)
 miscfiles_read_localization(wm_domain)
@@ -120,6 +118,10 @@ optional_policy(`
 	games_dbus_chat(wm_domain)
 ')
 
+optional_policy(`
+	locallogin_dontaudit_use_fds(wm_domain)
+')
+
 optional_policy(`
 	# gnome-shell
 	mount_exec(wm_domain)
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
index 45e5a361..1498e243 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -210,7 +210,6 @@ term_dontaudit_use_all_ttys(bluetooth_helper_t)
 
 auth_use_nsswitch(bluetooth_helper_t)
 
-locallogin_dontaudit_use_fds(bluetooth_helper_t)
 
 logging_send_syslog_msg(bluetooth_helper_t)
 
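Review bot: This hunk removes only the `locallogin_dontaudit_use_fds(bluetooth_helper_t)` line and keeps the blank line that followed it, so the new side has two consecutive empty lines between `auth_use_nsswitch(bluetooth_helper_t)` and `logging_send_syslog_msg(bluetooth_helper_t)`. Every other hunk in the series removes the trailing blank together with the interface call (`-locallogin_…` followed by `-`), and the diffstat's `5 ++++-` for bluetooth.te versus `6 ++++--` elsewhere shows the difference. Removing that blank line as well restores the file's single-blank-line spacing.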
@@ -223,6 +222,10 @@ optional_policy(`
 	dbus_connect_system_bus(bluetooth_helper_t)
 ')
 
+optional_policy(`
+	locallogin_dontaudit_use_fds(bluetooth_helper_t)
+')
+
 optional_policy(`
 	xserver_user_x_domain_template(bluetooth_helper, bluetooth_helper_t, bluetooth_helper_tmpfs_t)
 ')
diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
index 77716407..54985b68 100644
--- a/policy/modules/services/chronyd.te
+++ b/policy/modules/services/chronyd.te
@@ -136,8 +136,6 @@ corenet_udp_sendrecv_chronyd_port(chronyc_t)
 files_read_etc_files(chronyc_t)
 files_read_usr_files(chronyc_t)
 
-locallogin_use_fds(chronyc_t)
-
 logging_send_syslog_msg(chronyc_t)
 
 sysnet_read_config(chronyc_t)
@@ -150,3 +148,6 @@ userdom_use_user_ttys(chronyc_t)
 chronyd_dgram_send(chronyc_t)
 chronyd_read_config(chronyc_t)
 
+optional_policy(`
+	locallogin_use_fds(chronyc_t)
+')
diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te
index 39e2dcf5..e656bea6 100644
--- a/policy/modules/services/oddjob.te
+++ b/policy/modules/services/oddjob.te
@@ -58,13 +58,15 @@ auth_use_nsswitch(oddjob_t)
 
 miscfiles_read_localization(oddjob_t)
 
-locallogin_dontaudit_use_fds(oddjob_t)
-
 optional_policy(`
 	dbus_system_bus_client(oddjob_t)
 	dbus_connect_system_bus(oddjob_t)
 ')
 
+optional_policy(`
+	locallogin_dontaudit_use_fds(oddjob_t)
+')
+
 optional_policy(`
 	unconfined_domtrans(oddjob_t)
 ')
diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te
index 247fe5c8..bca54f9d 100644
--- a/policy/modules/services/pcscd.te
+++ b/policy/modules/services/pcscd.te
@@ -59,8 +59,6 @@ files_read_etc_runtime_files(pcscd_t)
 term_use_unallocated_ttys(pcscd_t)
 term_dontaudit_getattr_pty_dirs(pcscd_t)
 
-locallogin_use_fds(pcscd_t)
-
 logging_send_syslog_msg(pcscd_t)
 
 miscfiles_read_localization(pcscd_t)
@@ -79,6 +77,10 @@ optional_policy(`
 	')
 ')
 
+optional_policy(`
+	locallogin_use_fds(pcscd_t)
+')
+
 optional_policy(`
 	openct_stream_connect(pcscd_t)
 	openct_read_pid_files(pcscd_t)
diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te
index 3119df00..cdea0bfd 100644
--- a/policy/modules/services/pyzor.te
+++ b/policy/modules/services/pyzor.te
@@ -151,10 +151,12 @@ auth_use_nsswitch(pyzord_t)
 
 logging_send_syslog_msg(pyzord_t)
 
-locallogin_dontaudit_use_fds(pyzord_t)
-
 miscfiles_read_localization(pyzord_t)
 
 userdom_dontaudit_search_user_home_dirs(pyzord_t)
 
 mta_manage_spool(pyzord_t)
+
+optional_policy(`
+	locallogin_dontaudit_use_fds(pyzord_t)
+')
diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
index d808ab66..048ae41e 100644
--- a/policy/modules/services/ricci.te
+++ b/policy/modules/services/ricci.te
@@ -145,8 +145,6 @@ auth_append_login_records(ricci_t)
 
 init_stream_connect_script(ricci_t)
 
-locallogin_dontaudit_use_fds(ricci_t)
-
 logging_send_syslog_msg(ricci_t)
 
 miscfiles_read_localization(ricci_t)
@@ -173,6 +171,10 @@ optional_policy(`
 	oddjob_system_entry(ricci_t, ricci_exec_t)
 ')
 
+optional_policy(`
+	locallogin_dontaudit_use_fds(ricci_t)
+')
+
 optional_policy(`
 	rpm_use_script_fds(ricci_t)
 ')
@@ -332,8 +334,6 @@ auth_use_nsswitch(ricci_modclusterd_t)
 
 init_stream_connect_script(ricci_modclusterd_t)
 
-locallogin_dontaudit_use_fds(ricci_modclusterd_t)
-
 logging_send_syslog_msg(ricci_modclusterd_t)
 
 miscfiles_read_localization(ricci_modclusterd_t)
@@ -351,6 +351,10 @@ optional_policy(`
 	ccs_read_config(ricci_modclusterd_t)
 ')
 
+optional_policy(`
+	locallogin_dontaudit_use_fds(ricci_modclusterd_t)
+')
+
 optional_policy(`
 	rgmanager_stream_connect(ricci_modclusterd_t)
 ')
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index 6d8c0cbe..eb497b8d 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -720,8 +720,6 @@ miscfiles_read_localization(smbmount_t)
 
 mount_use_fds(smbmount_t)
 
-locallogin_use_fds(smbmount_t)
-
 logging_search_logs(smbmount_t)
 
 userdom_use_user_terminals(smbmount_t)
@@ -731,6 +729,10 @@ optional_policy(`
 	cups_read_rw_config(smbmount_t)
 ')
 
+optional_policy(`
+	locallogin_use_fds(smbmount_t)
+')
+
 ########################################
 #
 # Swat Local policy
diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
index 3ee1e0d5..56dc8c2c 100644
--- a/policy/modules/services/setroubleshoot.te
+++ b/policy/modules/services/setroubleshoot.te
@@ -110,8 +110,6 @@ init_dontaudit_write_utmp(setroubleshootd_t)
 
 libs_exec_ld_so(setroubleshootd_t)
 
-locallogin_dontaudit_use_fds(setroubleshootd_t)
-
 logging_send_audit_msgs(setroubleshootd_t)
 logging_send_syslog_msg(setroubleshootd_t)
 logging_stream_connect_dispatcher(setroubleshootd_t)
@@ -132,6 +130,10 @@ optional_policy(`
 	')
 ')
 
+optional_policy(`
+	locallogin_dontaudit_use_fds(setroubleshootd_t)
+')
+
 optional_policy(`
 	locate_read_lib_files(setroubleshootd_t)
 ')
diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te
index ffa56160..2ef803d0 100644
--- a/policy/modules/services/sysstat.te
+++ b/policy/modules/services/sysstat.te
@@ -58,8 +58,6 @@ auth_use_nsswitch(sysstat_t)
 
 init_use_fds(sysstat_t)
 
-locallogin_use_fds(sysstat_t)
-
 logging_send_syslog_msg(sysstat_t)
 
 miscfiles_read_localization(sysstat_t)
@@ -70,3 +68,7 @@ optional_policy(`
 	cron_system_entry(sysstat_t, sysstat_exec_t)
 	cron_rw_tmp_files(sysstat_t)
 ')
+
+optional_policy(`
+	locallogin_use_fds(sysstat_t)
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 7d4c0c1b..06022f2c 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -785,8 +785,6 @@ term_use_unallocated_ttys(xserver_t)
 
 getty_use_fds(xserver_t)
 
-locallogin_use_fds(xserver_t)
-
 logging_send_syslog_msg(xserver_t)
 logging_send_audit_msgs(xserver_t)
 
@@ -841,6 +839,10 @@ optional_policy(`
 	auth_search_pam_console_data(xserver_t)
 ')
 
+optional_policy(`
+	locallogin_use_fds(xserver_t)
+')
+
 optional_policy(`
 	rhgb_getpgid(xserver_t)
 	rhgb_signal(xserver_t)
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index 6d3c4284..88b408a9 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -85,8 +85,6 @@ auth_rw_login_records(getty_t)
 
 init_rw_utmp(getty_t)
 
-locallogin_domtrans(getty_t)
-
 logging_send_syslog_msg(getty_t)
 
 miscfiles_read_localization(getty_t)
@@ -114,6 +112,10 @@ optional_policy(`
 	mta_send_mail(getty_t)
 ')
 
+optional_policy(`
+	locallogin_domtrans(getty_t)
+')
+
 optional_policy(`
 	nscd_use(getty_t)
 ')
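Review bot: The `locallogin_domtrans(getty_t)` block added here is the only domain-transition rule this series makes optional; the rest are `use_fds`, `dontaudit_use_fds` and `read_state` rules whose absence only changes file-descriptor inheritance or audit noise. Once the block is optional, a policy built without the locallogin module gives getty no transition to the local login domain when it executes the login program, so what happens to console logins on such a build (which domain they run in, or whether the exec is denied) depends on getty's remaining rules, which are outside this hunk and presumably not covered by the commit message. A one-line comment in the block would record that this is a functional dependency rather than a convenience rule, e.g. `# without the locallogin module getty has no transition for the login program`.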
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 7dc80136..2855174d 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -411,8 +411,6 @@ auth_use_nsswitch(racoon_t)
 
 ipsec_setcontext_default_spd(racoon_t)
 
-locallogin_use_fds(racoon_t)
-
 logging_send_syslog_msg(racoon_t)
 logging_send_audit_msgs(racoon_t)
 
@@ -425,6 +423,10 @@ tunable_policy(`racoon_read_shadow',`
 	auth_tunable_read_shadow(racoon_t)
 ')
 
+optional_policy(`
+	locallogin_use_fds(racoon_t)
+')
+
 ########################################
 #
 # Setkey local policy
@@ -451,14 +453,16 @@ init_read_script_tmp_files(setkey_t)
 # allow setkey to set the context for ipsec SAs and policy.
 corenet_setcontext_all_spds(setkey_t)
 
-locallogin_use_fds(setkey_t)
-
 miscfiles_read_localization(setkey_t)
 
 seutil_read_config(setkey_t)
 
 userdom_use_user_terminals(setkey_t)
 
+optional_policy(`
+	locallogin_use_fds(setkey_t)
+')
+
 ########################################
 #
 # ipsec_supervisor policy
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 24c3577e..3182f83e 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -81,14 +81,16 @@ term_dontaudit_use_unallocated_ttys(setrans_t)
 
 init_dontaudit_use_script_ptys(setrans_t)
 
-locallogin_dontaudit_use_fds(setrans_t)
-
 logging_send_syslog_msg(setrans_t)
 
 miscfiles_read_localization(setrans_t)
 
 seutil_libselinux_linked(setrans_t)
 
+optional_policy(`
+	locallogin_dontaudit_use_fds(setrans_t)
+')
+
 optional_policy(`
 	rpm_use_script_fds(setrans_t)
 ')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index e9b74257..251094b9 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -464,8 +464,6 @@ init_stop_all_units(systemd_logind_t)
 init_start_system(systemd_logind_t)
 init_stop_system(systemd_logind_t)
 
-locallogin_read_state(systemd_logind_t)
-
 seutil_libselinux_linked(systemd_logind_t)
 seutil_read_default_contexts(systemd_logind_t)
 seutil_read_file_contexts(systemd_logind_t)
@@ -514,6 +512,10 @@ optional_policy(`
 	devicekit_dbus_chat_power(systemd_logind_t)
 ')
 
+optional_policy(`
+	locallogin_read_state(systemd_logind_t)
+')
+
 optional_policy(`
 	modemmanager_dbus_chat(systemd_logind_t)
 ')
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index 04dd1ea7..67552cca 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -297,8 +297,6 @@ term_getattr_pty_fs(xend_t)
 
 init_stream_connect_script(xend_t)
 
-locallogin_dontaudit_use_fds(xend_t)
-
 logging_send_syslog_msg(xend_t)
 
 miscfiles_read_localization(xend_t)
@@ -340,6 +338,10 @@ optional_policy(`
 	consoletype_exec(xend_t)
 ')
 
+optional_policy(`
+	locallogin_dontaudit_use_fds(xend_t)
+')
+
 optional_policy(`
 	lvm_domtrans(xend_t)
 ')
-- 
2.19.1



* Re: [PATCH] Move 'locallogin_*' interface uses into 'optioal_policy'
  2018-11-17  4:37 [PATCH] Move 'locallogin_*' interface uses into 'optioal_policy' David Sugar
@ 2018-11-17 23:55 ` Chris PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Chris PeBenito @ 2018-11-17 23:55 UTC (permalink / raw)
  To: David Sugar, selinux-refpolicy

On 11/16/18 11:37 PM, David Sugar wrote:
> Allow the locallogin module to be turned off.  This required any
> interface use to be moved into an optional_policy block.

Why?  Even embedded systems have serial consoles.


> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>   policy/modules/admin/dmidecode.te         |  7 +++++--
>   policy/modules/admin/firstboot.te         |  6 ++++--
>   policy/modules/admin/mcelog.te            |  6 ++++--
>   policy/modules/admin/tzdata.te            |  6 ++++--
>   policy/modules/admin/vpn.te               |  6 ++++--
>   policy/modules/apps/java.te               |  6 ++++--
>   policy/modules/apps/loadkeys.te           |  6 ++++--
>   policy/modules/apps/wm.te                 |  6 ++++--
>   policy/modules/services/bluetooth.te      |  5 ++++-
>   policy/modules/services/chronyd.te        |  5 +++--
>   policy/modules/services/oddjob.te         |  6 ++++--
>   policy/modules/services/pcscd.te          |  6 ++++--
>   policy/modules/services/pyzor.te          |  6 ++++--
>   policy/modules/services/ricci.te          | 12 ++++++++----
>   policy/modules/services/samba.te          |  6 ++++--
>   policy/modules/services/setroubleshoot.te |  6 ++++--
>   policy/modules/services/sysstat.te        |  6 ++++--
>   policy/modules/services/xserver.te        |  6 ++++--
>   policy/modules/system/getty.te            |  6 ++++--
>   policy/modules/system/ipsec.te            | 12 ++++++++----
>   policy/modules/system/setrans.te          |  6 ++++--
>   policy/modules/system/systemd.te          |  6 ++++--
>   policy/modules/system/xen.te              |  6 ++++--
>   23 files changed, 100 insertions(+), 49 deletions(-)
> 
> diff --git a/policy/modules/admin/dmidecode.te b/policy/modules/admin/dmidecode.te
> index bda30744..e5a481fa 100644
> --- a/policy/modules/admin/dmidecode.te
> +++ b/policy/modules/admin/dmidecode.te
> @@ -29,6 +29,9 @@ files_list_usr(dmidecode_t)
>   
>   mls_file_read_all_levels(dmidecode_t)
>   
> -locallogin_use_fds(dmidecode_t)
> -
>   userdom_use_inherited_user_terminals(dmidecode_t)
> +
> +optional_policy(`
> +	locallogin_use_fds(dmidecode_t)
> +')
> +
> diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te
> index 2ac82a13..140933f4 100644
> --- a/policy/modules/admin/firstboot.te
> +++ b/policy/modules/admin/firstboot.te
> @@ -69,8 +69,6 @@ init_rw_utmp(firstboot_t)
>   libs_exec_ld_so(firstboot_t)
>   libs_exec_lib_files(firstboot_t)
>   
> -locallogin_use_fds(firstboot_t)
> -
>   logging_send_syslog_msg(firstboot_t)
>   
>   miscfiles_read_localization(firstboot_t)
> @@ -96,6 +94,10 @@ optional_policy(`
>   	')
>   ')
>   
> +optional_policy(`
> +	locallogin_use_fds(firstboot_t)
> +')
> +
>   optional_policy(`
>   	modutils_domtrans(firstboot_t)
>   	modutils_read_module_config(firstboot_t)
> diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te
> index 1c342132..1728052e 100644
> --- a/policy/modules/admin/mcelog.te
> +++ b/policy/modules/admin/mcelog.te
> @@ -93,8 +93,6 @@ files_read_etc_files(mcelog_t)
>   
>   mls_file_read_all_levels(mcelog_t)
>   
> -locallogin_use_fds(mcelog_t)
> -
>   miscfiles_read_localization(mcelog_t)
>   
>   tunable_policy(`mcelog_client',`
> @@ -122,3 +120,7 @@ tunable_policy(`mcelog_syslog',`
>   optional_policy(`
>   	cron_system_entry(mcelog_t, mcelog_exec_t)
>   ')
> +
> +optional_policy(`
> +	locallogin_use_fds(mcelog_t)
> +')
> diff --git a/policy/modules/admin/tzdata.te b/policy/modules/admin/tzdata.te
> index cbfb2299..35cd0fcc 100644
> --- a/policy/modules/admin/tzdata.te
> +++ b/policy/modules/admin/tzdata.te
> @@ -25,14 +25,16 @@ fs_getattr_xattr_fs(tzdata_t)
>   
>   term_dontaudit_list_ptys(tzdata_t)
>   
> -locallogin_dontaudit_use_fds(tzdata_t)
> -
>   miscfiles_read_localization(tzdata_t)
>   miscfiles_manage_localization(tzdata_t)
>   miscfiles_etc_filetrans_localization(tzdata_t)
>   
>   userdom_use_user_terminals(tzdata_t)
>   
> +optional_policy(`
> +	locallogin_dontaudit_use_fds(tzdata_t)
> +')
> +
>   optional_policy(`
>   	postfix_search_spool(tzdata_t)
>   ')
> diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
> index 65de9063..99a9310b 100644
> --- a/policy/modules/admin/vpn.te
> +++ b/policy/modules/admin/vpn.te
> @@ -98,8 +98,6 @@ init_dontaudit_use_fds(vpnc_t)
>   libs_exec_ld_so(vpnc_t)
>   libs_exec_lib_files(vpnc_t)
>   
> -locallogin_use_fds(vpnc_t)
> -
>   logging_send_syslog_msg(vpnc_t)
>   logging_dontaudit_search_logs(vpnc_t)
>   
> @@ -122,6 +120,10 @@ optional_policy(`
>   	')
>   ')
>   
> +optional_policy(`
> +	locallogin_use_fds(vpnc_t)
> +')
> +
>   optional_policy(`
>   	networkmanager_attach_tun_iface(vpnc_t)
>   ')
> diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
> index 6502efeb..5cb8588d 100644
> --- a/policy/modules/apps/java.te
> +++ b/policy/modules/apps/java.te
> @@ -139,11 +139,13 @@ corecmd_search_bin(java_t)
>   
>   dev_read_sysfs(java_t)
>   
> -locallogin_use_fds(java_t)
> -
>   userdom_read_user_tmp_files(java_t)
>   userdom_use_user_terminals(java_t)
>   
> +optional_policy(`
> +	locallogin_use_fds(java_t)
> +')
> +
>   optional_policy(`
>   	xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
>   ')
> diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
> index 1976e2cb..71725fde 100644
> --- a/policy/modules/apps/loadkeys.te
> +++ b/policy/modules/apps/loadkeys.te
> @@ -41,8 +41,6 @@ term_use_unallocated_ttys(loadkeys_t)
>   
>   init_read_script_tmp_files(loadkeys_t)
>   
> -locallogin_use_fds(loadkeys_t)
> -
>   miscfiles_read_localization(loadkeys_t)
>   
>   userdom_use_user_ttys(loadkeys_t)
> @@ -52,6 +50,10 @@ optional_policy(`
>   	keyboardd_read_pipes(loadkeys_t)
>   ')
>   
> +optional_policy(`
> +	locallogin_use_fds(loadkeys_t)
> +')
> +
>   optional_policy(`
>   	nscd_dontaudit_search_pid(loadkeys_t)
>   ')
> diff --git a/policy/modules/apps/wm.te b/policy/modules/apps/wm.te
> index df481cc7..99bf1299 100644
> --- a/policy/modules/apps/wm.te
> +++ b/policy/modules/apps/wm.te
> @@ -65,8 +65,6 @@ kernel_read_fs_sysctls(wm_domain)
>   kernel_read_proc_symlinks(wm_domain)
>   kernel_read_sysctl(wm_domain)
>   
> -locallogin_dontaudit_use_fds(wm_domain)
> -
>   miscfiles_read_fonts(wm_domain)
>   miscfiles_read_generic_certs(wm_domain)
>   miscfiles_read_localization(wm_domain)
> @@ -120,6 +118,10 @@ optional_policy(`
>   	games_dbus_chat(wm_domain)
>   ')
>   
> +optional_policy(`
> +	locallogin_dontaudit_use_fds(wm_domain)
> +')
> +
>   optional_policy(`
>   	# gnome-shell
>   	mount_exec(wm_domain)
> diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
> index 45e5a361..1498e243 100644
> --- a/policy/modules/services/bluetooth.te
> +++ b/policy/modules/services/bluetooth.te
> @@ -210,7 +210,6 @@ term_dontaudit_use_all_ttys(bluetooth_helper_t)
>   
>   auth_use_nsswitch(bluetooth_helper_t)
>   
> -locallogin_dontaudit_use_fds(bluetooth_helper_t)
>   
>   logging_send_syslog_msg(bluetooth_helper_t)
>   
> @@ -223,6 +222,10 @@ optional_policy(`
>   	dbus_connect_system_bus(bluetooth_helper_t)
>   ')
>   
> +optional_policy(`
> +	locallogin_dontaudit_use_fds(bluetooth_helper_t)
> +')
> +
>   optional_policy(`
>   	xserver_user_x_domain_template(bluetooth_helper, bluetooth_helper_t, bluetooth_helper_tmpfs_t)
>   ')
> diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
> index 77716407..54985b68 100644
> --- a/policy/modules/services/chronyd.te
> +++ b/policy/modules/services/chronyd.te
> @@ -136,8 +136,6 @@ corenet_udp_sendrecv_chronyd_port(chronyc_t)
>   files_read_etc_files(chronyc_t)
>   files_read_usr_files(chronyc_t)
>   
> -locallogin_use_fds(chronyc_t)
> -
>   logging_send_syslog_msg(chronyc_t)
>   
>   sysnet_read_config(chronyc_t)
> @@ -150,3 +148,6 @@ userdom_use_user_ttys(chronyc_t)
>   chronyd_dgram_send(chronyc_t)
>   chronyd_read_config(chronyc_t)
>   
> +optional_policy(`
> +	locallogin_use_fds(chronyc_t)
> +')
> diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te
> index 39e2dcf5..e656bea6 100644
> --- a/policy/modules/services/oddjob.te
> +++ b/policy/modules/services/oddjob.te
> @@ -58,13 +58,15 @@ auth_use_nsswitch(oddjob_t)
>   
>   miscfiles_read_localization(oddjob_t)
>   
> -locallogin_dontaudit_use_fds(oddjob_t)
> -
>   optional_policy(`
>   	dbus_system_bus_client(oddjob_t)
>   	dbus_connect_system_bus(oddjob_t)
>   ')
>   
> +optional_policy(`
> +	locallogin_dontaudit_use_fds(oddjob_t)
> +')
> +
>   optional_policy(`
>   	unconfined_domtrans(oddjob_t)
>   ')
> diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te
> index 247fe5c8..bca54f9d 100644
> --- a/policy/modules/services/pcscd.te
> +++ b/policy/modules/services/pcscd.te
> @@ -59,8 +59,6 @@ files_read_etc_runtime_files(pcscd_t)
>   term_use_unallocated_ttys(pcscd_t)
>   term_dontaudit_getattr_pty_dirs(pcscd_t)
>   
> -locallogin_use_fds(pcscd_t)
> -
>   logging_send_syslog_msg(pcscd_t)
>   
>   miscfiles_read_localization(pcscd_t)
> @@ -79,6 +77,10 @@ optional_policy(`
>   	')
>   ')
>   
> +optional_policy(`
> +	locallogin_use_fds(pcscd_t)
> +')
> +
>   optional_policy(`
>   	openct_stream_connect(pcscd_t)
>   	openct_read_pid_files(pcscd_t)
> diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te
> index 3119df00..cdea0bfd 100644
> --- a/policy/modules/services/pyzor.te
> +++ b/policy/modules/services/pyzor.te
> @@ -151,10 +151,12 @@ auth_use_nsswitch(pyzord_t)
>   
>   logging_send_syslog_msg(pyzord_t)
>   
> -locallogin_dontaudit_use_fds(pyzord_t)
> -
>   miscfiles_read_localization(pyzord_t)
>   
>   userdom_dontaudit_search_user_home_dirs(pyzord_t)
>   
>   mta_manage_spool(pyzord_t)
> +
> +optional_policy(`
> +	locallogin_dontaudit_use_fds(pyzord_t)
> +')
> diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
> index d808ab66..048ae41e 100644
> --- a/policy/modules/services/ricci.te
> +++ b/policy/modules/services/ricci.te
> @@ -145,8 +145,6 @@ auth_append_login_records(ricci_t)
>   
>   init_stream_connect_script(ricci_t)
>   
> -locallogin_dontaudit_use_fds(ricci_t)
> -
>   logging_send_syslog_msg(ricci_t)
>   
>   miscfiles_read_localization(ricci_t)
> @@ -173,6 +171,10 @@ optional_policy(`
>   	oddjob_system_entry(ricci_t, ricci_exec_t)
>   ')
>   
> +optional_policy(`
> +	locallogin_dontaudit_use_fds(ricci_t)
> +')
> +
>   optional_policy(`
>   	rpm_use_script_fds(ricci_t)
>   ')
> @@ -332,8 +334,6 @@ auth_use_nsswitch(ricci_modclusterd_t)
>   
>   init_stream_connect_script(ricci_modclusterd_t)
>   
> -locallogin_dontaudit_use_fds(ricci_modclusterd_t)
> -
>   logging_send_syslog_msg(ricci_modclusterd_t)
>   
>   miscfiles_read_localization(ricci_modclusterd_t)
> @@ -351,6 +351,10 @@ optional_policy(`
>   	ccs_read_config(ricci_modclusterd_t)
>   ')
>   
> +optional_policy(`
> +	locallogin_dontaudit_use_fds(ricci_modclusterd_t)
> +')
> +
>   optional_policy(`
>   	rgmanager_stream_connect(ricci_modclusterd_t)
>   ')
> diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
> index 6d8c0cbe..eb497b8d 100644
> --- a/policy/modules/services/samba.te
> +++ b/policy/modules/services/samba.te
> @@ -720,8 +720,6 @@ miscfiles_read_localization(smbmount_t)
>   
>   mount_use_fds(smbmount_t)
>   
> -locallogin_use_fds(smbmount_t)
> -
>   logging_search_logs(smbmount_t)
>   
>   userdom_use_user_terminals(smbmount_t)
> @@ -731,6 +729,10 @@ optional_policy(`
>   	cups_read_rw_config(smbmount_t)
>   ')
>   
> +optional_policy(`
> +	locallogin_use_fds(smbmount_t)
> +')
> +
>   ########################################
>   #
>   # Swat Local policy
> diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
> index 3ee1e0d5..56dc8c2c 100644
> --- a/policy/modules/services/setroubleshoot.te
> +++ b/policy/modules/services/setroubleshoot.te
> @@ -110,8 +110,6 @@ init_dontaudit_write_utmp(setroubleshootd_t)
>   
>   libs_exec_ld_so(setroubleshootd_t)
>   
> -locallogin_dontaudit_use_fds(setroubleshootd_t)
> -
>   logging_send_audit_msgs(setroubleshootd_t)
>   logging_send_syslog_msg(setroubleshootd_t)
>   logging_stream_connect_dispatcher(setroubleshootd_t)
> @@ -132,6 +130,10 @@ optional_policy(`
>   	')
>   ')
>   
> +optional_policy(`
> +	locallogin_dontaudit_use_fds(setroubleshootd_t)
> +')
> +
>   optional_policy(`
>   	locate_read_lib_files(setroubleshootd_t)
>   ')
> diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te
> index ffa56160..2ef803d0 100644
> --- a/policy/modules/services/sysstat.te
> +++ b/policy/modules/services/sysstat.te
> @@ -58,8 +58,6 @@ auth_use_nsswitch(sysstat_t)
>   
>   init_use_fds(sysstat_t)
>   
> -locallogin_use_fds(sysstat_t)
> -
>   logging_send_syslog_msg(sysstat_t)
>   
>   miscfiles_read_localization(sysstat_t)
> @@ -70,3 +68,7 @@ optional_policy(`
>   	cron_system_entry(sysstat_t, sysstat_exec_t)
>   	cron_rw_tmp_files(sysstat_t)
>   ')
> +
> +optional_policy(`
> +	locallogin_use_fds(sysstat_t)
> +')
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index 7d4c0c1b..06022f2c 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -785,8 +785,6 @@ term_use_unallocated_ttys(xserver_t)
>   
>   getty_use_fds(xserver_t)
>   
> -locallogin_use_fds(xserver_t)
> -
>   logging_send_syslog_msg(xserver_t)
>   logging_send_audit_msgs(xserver_t)
>   
> @@ -841,6 +839,10 @@ optional_policy(`
>   	auth_search_pam_console_data(xserver_t)
>   ')
>   
> +optional_policy(`
> +	locallogin_use_fds(xserver_t)
> +')
> +
>   optional_policy(`
>   	rhgb_getpgid(xserver_t)
>   	rhgb_signal(xserver_t)
> diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
> index 6d3c4284..88b408a9 100644
> --- a/policy/modules/system/getty.te
> +++ b/policy/modules/system/getty.te
> @@ -85,8 +85,6 @@ auth_rw_login_records(getty_t)
>   
>   init_rw_utmp(getty_t)
>   
> -locallogin_domtrans(getty_t)
> -
>   logging_send_syslog_msg(getty_t)
>   
>   miscfiles_read_localization(getty_t)
> @@ -114,6 +112,10 @@ optional_policy(`
>   	mta_send_mail(getty_t)
>   ')
>   
> +optional_policy(`
> +	locallogin_domtrans(getty_t)
> +')
> +
>   optional_policy(`
>   	nscd_use(getty_t)
>   ')
> diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
> index 7dc80136..2855174d 100644
> --- a/policy/modules/system/ipsec.te
> +++ b/policy/modules/system/ipsec.te
> @@ -411,8 +411,6 @@ auth_use_nsswitch(racoon_t)
>   
>   ipsec_setcontext_default_spd(racoon_t)
>   
> -locallogin_use_fds(racoon_t)
> -
>   logging_send_syslog_msg(racoon_t)
>   logging_send_audit_msgs(racoon_t)
>   
> @@ -425,6 +423,10 @@ tunable_policy(`racoon_read_shadow',`
>   	auth_tunable_read_shadow(racoon_t)
>   ')
>   
> +optional_policy(`
> +	locallogin_use_fds(racoon_t)
> +')
> +
>   ########################################
>   #
>   # Setkey local policy
> @@ -451,14 +453,16 @@ init_read_script_tmp_files(setkey_t)
>   # allow setkey to set the context for ipsec SAs and policy.
>   corenet_setcontext_all_spds(setkey_t)
>   
> -locallogin_use_fds(setkey_t)
> -
>   miscfiles_read_localization(setkey_t)
>   
>   seutil_read_config(setkey_t)
>   
>   userdom_use_user_terminals(setkey_t)
>   
> +optional_policy(`
> +	locallogin_use_fds(setkey_t)
> +')
> +
>   ########################################
>   #
>   # ipsec_supervisor policy
> diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
> index 24c3577e..3182f83e 100644
> --- a/policy/modules/system/setrans.te
> +++ b/policy/modules/system/setrans.te
> @@ -81,14 +81,16 @@ term_dontaudit_use_unallocated_ttys(setrans_t)
>   
>   init_dontaudit_use_script_ptys(setrans_t)
>   
> -locallogin_dontaudit_use_fds(setrans_t)
> -
>   logging_send_syslog_msg(setrans_t)
>   
>   miscfiles_read_localization(setrans_t)
>   
>   seutil_libselinux_linked(setrans_t)
>   
> +optional_policy(`
> +	locallogin_dontaudit_use_fds(setrans_t)
> +')
> +
>   optional_policy(`
>   	rpm_use_script_fds(setrans_t)
>   ')
> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> index e9b74257..251094b9 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -464,8 +464,6 @@ init_stop_all_units(systemd_logind_t)
>   init_start_system(systemd_logind_t)
>   init_stop_system(systemd_logind_t)
>   
> -locallogin_read_state(systemd_logind_t)
> -
>   seutil_libselinux_linked(systemd_logind_t)
>   seutil_read_default_contexts(systemd_logind_t)
>   seutil_read_file_contexts(systemd_logind_t)
> @@ -514,6 +512,10 @@ optional_policy(`
>   	devicekit_dbus_chat_power(systemd_logind_t)
>   ')
>   
> +optional_policy(`
> +	locallogin_read_state(systemd_logind_t)
> +')
> +
>   optional_policy(`
>   	modemmanager_dbus_chat(systemd_logind_t)
>   ')
> diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
> index 04dd1ea7..67552cca 100644
> --- a/policy/modules/system/xen.te
> +++ b/policy/modules/system/xen.te
> @@ -297,8 +297,6 @@ term_getattr_pty_fs(xend_t)
>   
>   init_stream_connect_script(xend_t)
>   
> -locallogin_dontaudit_use_fds(xend_t)
> -
>   logging_send_syslog_msg(xend_t)
>   
>   miscfiles_read_localization(xend_t)
> @@ -340,6 +338,10 @@ optional_policy(`
>   	consoletype_exec(xend_t)
>   ')
>   
> +optional_policy(`
> +	locallogin_dontaudit_use_fds(xend_t)
> +')
> +
>   optional_policy(`
>   	lvm_domtrans(xend_t)
>   ')
> 


-- 
Chris PeBenito

