* [PATCH] policy: fix some build errors under refpolicy
@ 2019-09-19 8:10 Ondrej Mosnacek
2019-09-19 8:33 ` Ondrej Mosnacek
2019-09-19 19:22 ` Stephen Smalley
0 siblings, 2 replies; 4+ messages in thread
From: Ondrej Mosnacek @ 2019-09-19 8:10 UTC (permalink / raw)
To: selinux
Replace deprecated macros with new ones. Fedora's policy has both;
refpolicy just the new ones.
Partially addresses issue #57.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
policy/test_atsecure.te | 4 ++--
policy/test_capable_net.te | 2 +-
policy/test_file.te | 4 ++--
policy/test_inherit.te | 4 ++--
policy/test_readlink.te | 2 +-
policy/test_rxdir.te | 2 +-
policy/test_setnice.te | 4 ++--
policy/test_stat.te | 2 +-
policy/test_transition.te | 2 +-
9 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/policy/test_atsecure.te b/policy/test_atsecure.te
index 7255553..486faf6 100644
--- a/policy/test_atsecure.te
+++ b/policy/test_atsecure.te
@@ -32,8 +32,8 @@ corecmd_bin_entry_type(atsecuredomain)
corecmd_shell_entry_type(atsecuredomain)
corecmd_exec_bin(atsecuredomain)
domain_entry_file(test_atsecure_newdomain_t, test_file_t)
-domain_trans(test_atsecure_denied_t, test_file_t, test_atsecure_newdomain_t)
-domain_trans(test_atsecure_allowed_t, test_file_t, test_atsecure_newdomain_t)
+domain_transition_pattern(test_atsecure_denied_t, test_file_t, test_atsecure_newdomain_t)
+domain_transition_pattern(test_atsecure_allowed_t, test_file_t, test_atsecure_newdomain_t)
allow test_atsecure_newdomain_t test_atsecure_denied_t:fd use;
allow test_atsecure_newdomain_t test_atsecure_allowed_t:fd use;
allow_map(atsecuredomain, test_file_t, file)
diff --git a/policy/test_capable_net.te b/policy/test_capable_net.te
index fab6650..80559f6 100644
--- a/policy/test_capable_net.te
+++ b/policy/test_capable_net.te
@@ -53,7 +53,7 @@ sysadm_bin_spec_domtrans_to(capabledomain)
require {
type ifconfig_exec_t;
}
-domain_trans(sysadm_t, ifconfig_exec_t, capabledomain)
+domain_transition_pattern(sysadm_t, ifconfig_exec_t, capabledomain)
domain_entry_file(capabledomain, ifconfig_exec_t)
# Permissions for the good domain
diff --git a/policy/test_file.te b/policy/test_file.te
index 1f1da3a..828c0f4 100644
--- a/policy/test_file.te
+++ b/policy/test_file.te
@@ -67,13 +67,13 @@ corecmd_bin_entry_type(fileopdomain)
sysadm_bin_spec_domtrans_to(fileopdomain)
domain_entry_file(fileop_t, fileop_exec_t)
-domain_auto_trans(test_fileop_t, fileop_exec_t, fileop_t)
+domain_auto_transition_pattern(test_fileop_t, fileop_exec_t, fileop_t)
allow test_fileop_t fileop_t:fd use;
allow fileop_t test_fileop_t:fd use;
allow fileop_t test_fileop_t:fifo_file rw_file_perms;
allow fileop_t test_fileop_t:process sigchld;
-domain_auto_trans(test_nofileop_t, fileop_exec_t, fileop_t)
+domain_auto_transition_pattern(test_nofileop_t, fileop_exec_t, fileop_t)
allow test_nofileop_t fileop_t:fd use;
allow fileop_t test_nofileop_t:fd use;
allow fileop_t test_nofileop_t:fifo_file rw_file_perms;
diff --git a/policy/test_inherit.te b/policy/test_inherit.te
index 28bfd63..8303fc5 100644
--- a/policy/test_inherit.te
+++ b/policy/test_inherit.te
@@ -47,7 +47,7 @@ userdom_sysadm_entry_spec_domtrans_to(inheritdomain)
allow test_inherit_parent_t test_inherit_file_t:file rw_file_perms;
# Grant the necessary permissions for the child domain.
-domain_trans(test_inherit_parent_t, test_file_t, test_inherit_child_t)
+domain_transition_pattern(test_inherit_parent_t, test_file_t, test_inherit_child_t)
allow test_inherit_parent_t test_inherit_child_t:fd use;
allow test_inherit_child_t test_inherit_parent_t:fd use;
allow test_inherit_child_t test_inherit_parent_t:fifo_file rw_file_perms;
@@ -60,7 +60,7 @@ allow test_inherit_nouse_t test_file_t:file { read getattr execute entrypoint };
allow test_inherit_nouse_t test_inherit_file_t:file rw_file_perms;
# Grant the nowrite domain all of the same permissions except for file write.
-domain_trans(test_inherit_parent_t, test_file_t, test_inherit_nowrite_t)
+domain_transition_pattern(test_inherit_parent_t, test_file_t, test_inherit_nowrite_t)
allow test_inherit_parent_t test_inherit_nowrite_t:fd use;
allow test_inherit_nowrite_t test_inherit_parent_t:fd use;
allow test_inherit_nowrite_t test_inherit_parent_t:fifo_file rw_file_perms;
diff --git a/policy/test_readlink.te b/policy/test_readlink.te
index 1126fd5..b0d8cd5 100644
--- a/policy/test_readlink.te
+++ b/policy/test_readlink.te
@@ -34,5 +34,5 @@ allow test_noreadlink_t test_readlink_link_t:lnk_file { getattr };
require {
type ls_exec_t;
}
-domain_trans(sysadm_t, ls_exec_t, test_readlink_domain)
+domain_transition_pattern(sysadm_t, ls_exec_t, test_readlink_domain)
domain_entry_file(test_readlink_domain, ls_exec_t)
diff --git a/policy/test_rxdir.te b/policy/test_rxdir.te
index cbe1897..50d5ad1 100644
--- a/policy/test_rxdir.te
+++ b/policy/test_rxdir.te
@@ -33,4 +33,4 @@ require {
type ls_exec_t;
}
domain_entry_file(test_rxdir_domain, ls_exec_t)
-domain_trans(sysadm_t, ls_exec_t, test_rxdir_domain)
+domain_transition_pattern(sysadm_t, ls_exec_t, test_rxdir_domain)
diff --git a/policy/test_setnice.te b/policy/test_setnice.te
index dac0dc5..d956598 100644
--- a/policy/test_setnice.te
+++ b/policy/test_setnice.te
@@ -38,8 +38,8 @@ libs_exec_lib_files(setnicedomain)
# Allow all of these domains to be entered from sysadm domain
# via a shell script in the test directory or by....
miscfiles_domain_entry_test_files(setnicedomain)
-domain_trans(sysadm_t, test_file_t, setnicedomain)
-domain_trans(test_setnice_change_t, test_file_t, {test_setnice_set_t test_setnice_noset_t})
+domain_transition_pattern(sysadm_t, test_file_t, setnicedomain)
+domain_transition_pattern(test_setnice_change_t, test_file_t, {test_setnice_set_t test_setnice_noset_t})
allow test_setnice_change_t test_setnice_set_t:fd use;
allow test_setnice_set_t test_setnice_change_t:fd use;
allow test_setnice_set_t test_setnice_change_t:fifo_file rw_file_perms;
diff --git a/policy/test_stat.te b/policy/test_stat.te
index 2e068d1..0204e71 100644
--- a/policy/test_stat.te
+++ b/policy/test_stat.te
@@ -29,5 +29,5 @@ typeattribute test_nostat_t testdomain;
require {
type ls_exec_t;
}
-domain_trans(sysadm_t, ls_exec_t, test_stat_domain)
+domain_transition_pattern(sysadm_t, ls_exec_t, test_stat_domain)
domain_entry_file(test_stat_domain, ls_exec_t)
diff --git a/policy/test_transition.te b/policy/test_transition.te
index c487825..1eee2b4 100644
--- a/policy/test_transition.te
+++ b/policy/test_transition.te
@@ -28,7 +28,7 @@ typeattribute test_transition_todomain_t testdomain;
# Allow the fromdomain to transition to the new domain.
corecmd_bin_entry_type(transitiondomain)
-domain_trans(test_transition_fromdomain_t,bin_t,test_transition_todomain_t)
+domain_transition_pattern(test_transition_fromdomain_t,bin_t,test_transition_todomain_t)
allow test_transition_fromdomain_t test_transition_todomain_t:fd use;
allow test_transition_todomain_t test_transition_fromdomain_t:fd use;
--
2.21.0
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH] policy: fix some build errors under refpolicy
2019-09-19 8:10 [PATCH] policy: fix some build errors under refpolicy Ondrej Mosnacek
@ 2019-09-19 8:33 ` Ondrej Mosnacek
2019-09-19 12:11 ` Stephen Smalley
2019-09-19 19:22 ` Stephen Smalley
1 sibling, 1 reply; 4+ messages in thread
From: Ondrej Mosnacek @ 2019-09-19 8:33 UTC (permalink / raw)
To: SElinux list
On Thu, Sep 19, 2019 at 10:11 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> Replace deprecated macros with new ones. Fedora's policy has both;
> refpolicy just the new ones.
>
> Partially addresses issue #57.
>
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> ---
> policy/test_atsecure.te | 4 ++--
> policy/test_capable_net.te | 2 +-
> policy/test_file.te | 4 ++--
> policy/test_inherit.te | 4 ++--
> policy/test_readlink.te | 2 +-
> policy/test_rxdir.te | 2 +-
> policy/test_setnice.te | 4 ++--
> policy/test_stat.te | 2 +-
> policy/test_transition.te | 2 +-
> 9 files changed, 13 insertions(+), 13 deletions(-)
(Forgot to specify in the subject that this is a testsuite patch -
sorry, testing a new script...)
Tested by running the testuite on Fedora Rawhide along with Stephen's
related patch ("selinux-testsuite: drop use of
userdom_read_inherited_user_tmp_files"):
https://lore.kernel.org/selinux/CAFqZXNt4gtvgLbTj18=DW65SnQieaGA=++nKd0QLhzkQ6fERAg@mail.gmail.com/T/#t
Even with this + Stephen's patch the refpolicy build is still failing
for me on missing 'userdom_search_admin_dir'.
>
> diff --git a/policy/test_atsecure.te b/policy/test_atsecure.te
> index 7255553..486faf6 100644
> --- a/policy/test_atsecure.te
> +++ b/policy/test_atsecure.te
> @@ -32,8 +32,8 @@ corecmd_bin_entry_type(atsecuredomain)
> corecmd_shell_entry_type(atsecuredomain)
> corecmd_exec_bin(atsecuredomain)
> domain_entry_file(test_atsecure_newdomain_t, test_file_t)
> -domain_trans(test_atsecure_denied_t, test_file_t, test_atsecure_newdomain_t)
> -domain_trans(test_atsecure_allowed_t, test_file_t, test_atsecure_newdomain_t)
> +domain_transition_pattern(test_atsecure_denied_t, test_file_t, test_atsecure_newdomain_t)
> +domain_transition_pattern(test_atsecure_allowed_t, test_file_t, test_atsecure_newdomain_t)
> allow test_atsecure_newdomain_t test_atsecure_denied_t:fd use;
> allow test_atsecure_newdomain_t test_atsecure_allowed_t:fd use;
> allow_map(atsecuredomain, test_file_t, file)
> diff --git a/policy/test_capable_net.te b/policy/test_capable_net.te
> index fab6650..80559f6 100644
> --- a/policy/test_capable_net.te
> +++ b/policy/test_capable_net.te
> @@ -53,7 +53,7 @@ sysadm_bin_spec_domtrans_to(capabledomain)
> require {
> type ifconfig_exec_t;
> }
> -domain_trans(sysadm_t, ifconfig_exec_t, capabledomain)
> +domain_transition_pattern(sysadm_t, ifconfig_exec_t, capabledomain)
> domain_entry_file(capabledomain, ifconfig_exec_t)
>
> # Permissions for the good domain
> diff --git a/policy/test_file.te b/policy/test_file.te
> index 1f1da3a..828c0f4 100644
> --- a/policy/test_file.te
> +++ b/policy/test_file.te
> @@ -67,13 +67,13 @@ corecmd_bin_entry_type(fileopdomain)
> sysadm_bin_spec_domtrans_to(fileopdomain)
>
> domain_entry_file(fileop_t, fileop_exec_t)
> -domain_auto_trans(test_fileop_t, fileop_exec_t, fileop_t)
> +domain_auto_transition_pattern(test_fileop_t, fileop_exec_t, fileop_t)
> allow test_fileop_t fileop_t:fd use;
> allow fileop_t test_fileop_t:fd use;
> allow fileop_t test_fileop_t:fifo_file rw_file_perms;
> allow fileop_t test_fileop_t:process sigchld;
>
> -domain_auto_trans(test_nofileop_t, fileop_exec_t, fileop_t)
> +domain_auto_transition_pattern(test_nofileop_t, fileop_exec_t, fileop_t)
> allow test_nofileop_t fileop_t:fd use;
> allow fileop_t test_nofileop_t:fd use;
> allow fileop_t test_nofileop_t:fifo_file rw_file_perms;
> diff --git a/policy/test_inherit.te b/policy/test_inherit.te
> index 28bfd63..8303fc5 100644
> --- a/policy/test_inherit.te
> +++ b/policy/test_inherit.te
> @@ -47,7 +47,7 @@ userdom_sysadm_entry_spec_domtrans_to(inheritdomain)
> allow test_inherit_parent_t test_inherit_file_t:file rw_file_perms;
>
> # Grant the necessary permissions for the child domain.
> -domain_trans(test_inherit_parent_t, test_file_t, test_inherit_child_t)
> +domain_transition_pattern(test_inherit_parent_t, test_file_t, test_inherit_child_t)
> allow test_inherit_parent_t test_inherit_child_t:fd use;
> allow test_inherit_child_t test_inherit_parent_t:fd use;
> allow test_inherit_child_t test_inherit_parent_t:fifo_file rw_file_perms;
> @@ -60,7 +60,7 @@ allow test_inherit_nouse_t test_file_t:file { read getattr execute entrypoint };
> allow test_inherit_nouse_t test_inherit_file_t:file rw_file_perms;
>
> # Grant the nowrite domain all of the same permissions except for file write.
> -domain_trans(test_inherit_parent_t, test_file_t, test_inherit_nowrite_t)
> +domain_transition_pattern(test_inherit_parent_t, test_file_t, test_inherit_nowrite_t)
> allow test_inherit_parent_t test_inherit_nowrite_t:fd use;
> allow test_inherit_nowrite_t test_inherit_parent_t:fd use;
> allow test_inherit_nowrite_t test_inherit_parent_t:fifo_file rw_file_perms;
> diff --git a/policy/test_readlink.te b/policy/test_readlink.te
> index 1126fd5..b0d8cd5 100644
> --- a/policy/test_readlink.te
> +++ b/policy/test_readlink.te
> @@ -34,5 +34,5 @@ allow test_noreadlink_t test_readlink_link_t:lnk_file { getattr };
> require {
> type ls_exec_t;
> }
> -domain_trans(sysadm_t, ls_exec_t, test_readlink_domain)
> +domain_transition_pattern(sysadm_t, ls_exec_t, test_readlink_domain)
> domain_entry_file(test_readlink_domain, ls_exec_t)
> diff --git a/policy/test_rxdir.te b/policy/test_rxdir.te
> index cbe1897..50d5ad1 100644
> --- a/policy/test_rxdir.te
> +++ b/policy/test_rxdir.te
> @@ -33,4 +33,4 @@ require {
> type ls_exec_t;
> }
> domain_entry_file(test_rxdir_domain, ls_exec_t)
> -domain_trans(sysadm_t, ls_exec_t, test_rxdir_domain)
> +domain_transition_pattern(sysadm_t, ls_exec_t, test_rxdir_domain)
> diff --git a/policy/test_setnice.te b/policy/test_setnice.te
> index dac0dc5..d956598 100644
> --- a/policy/test_setnice.te
> +++ b/policy/test_setnice.te
> @@ -38,8 +38,8 @@ libs_exec_lib_files(setnicedomain)
> # Allow all of these domains to be entered from sysadm domain
> # via a shell script in the test directory or by....
> miscfiles_domain_entry_test_files(setnicedomain)
> -domain_trans(sysadm_t, test_file_t, setnicedomain)
> -domain_trans(test_setnice_change_t, test_file_t, {test_setnice_set_t test_setnice_noset_t})
> +domain_transition_pattern(sysadm_t, test_file_t, setnicedomain)
> +domain_transition_pattern(test_setnice_change_t, test_file_t, {test_setnice_set_t test_setnice_noset_t})
> allow test_setnice_change_t test_setnice_set_t:fd use;
> allow test_setnice_set_t test_setnice_change_t:fd use;
> allow test_setnice_set_t test_setnice_change_t:fifo_file rw_file_perms;
> diff --git a/policy/test_stat.te b/policy/test_stat.te
> index 2e068d1..0204e71 100644
> --- a/policy/test_stat.te
> +++ b/policy/test_stat.te
> @@ -29,5 +29,5 @@ typeattribute test_nostat_t testdomain;
> require {
> type ls_exec_t;
> }
> -domain_trans(sysadm_t, ls_exec_t, test_stat_domain)
> +domain_transition_pattern(sysadm_t, ls_exec_t, test_stat_domain)
> domain_entry_file(test_stat_domain, ls_exec_t)
> diff --git a/policy/test_transition.te b/policy/test_transition.te
> index c487825..1eee2b4 100644
> --- a/policy/test_transition.te
> +++ b/policy/test_transition.te
> @@ -28,7 +28,7 @@ typeattribute test_transition_todomain_t testdomain;
>
> # Allow the fromdomain to transition to the new domain.
> corecmd_bin_entry_type(transitiondomain)
> -domain_trans(test_transition_fromdomain_t,bin_t,test_transition_todomain_t)
> +domain_transition_pattern(test_transition_fromdomain_t,bin_t,test_transition_todomain_t)
> allow test_transition_fromdomain_t test_transition_todomain_t:fd use;
> allow test_transition_todomain_t test_transition_fromdomain_t:fd use;
>
> --
> 2.21.0
>
--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [PATCH] policy: fix some build errors under refpolicy
2019-09-19 8:33 ` Ondrej Mosnacek
@ 2019-09-19 12:11 ` Stephen Smalley
0 siblings, 0 replies; 4+ messages in thread
From: Stephen Smalley @ 2019-09-19 12:11 UTC (permalink / raw)
To: Ondrej Mosnacek, SElinux list
On 9/19/19 4:33 AM, Ondrej Mosnacek wrote:
> On Thu, Sep 19, 2019 at 10:11 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>> Replace deprecated macros with new ones. Fedora's policy has both;
>> refpolicy just the new ones.
>>
>> Partially addresses issue #57.
>>
>> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
>> ---
>> policy/test_atsecure.te | 4 ++--
>> policy/test_capable_net.te | 2 +-
>> policy/test_file.te | 4 ++--
>> policy/test_inherit.te | 4 ++--
>> policy/test_readlink.te | 2 +-
>> policy/test_rxdir.te | 2 +-
>> policy/test_setnice.te | 4 ++--
>> policy/test_stat.te | 2 +-
>> policy/test_transition.te | 2 +-
>> 9 files changed, 13 insertions(+), 13 deletions(-)
>
> (Forgot to specify in the subject that this is a testsuite patch -
> sorry, testing a new script...)
>
> Tested by running the testuite on Fedora Rawhide along with Stephen's
> related patch ("selinux-testsuite: drop use of
> userdom_read_inherited_user_tmp_files"):
>
> https://lore.kernel.org/selinux/CAFqZXNt4gtvgLbTj18=DW65SnQieaGA=++nKd0QLhzkQ6fERAg@mail.gmail.com/T/#t
>
> Even with this + Stephen's patch the refpolicy build is still failing
> for me on missing 'userdom_search_admin_dir'.
That also looks like it isn't truly needed AFAICS.
>
>>
>> diff --git a/policy/test_atsecure.te b/policy/test_atsecure.te
>> index 7255553..486faf6 100644
>> --- a/policy/test_atsecure.te
>> +++ b/policy/test_atsecure.te
>> @@ -32,8 +32,8 @@ corecmd_bin_entry_type(atsecuredomain)
>> corecmd_shell_entry_type(atsecuredomain)
>> corecmd_exec_bin(atsecuredomain)
>> domain_entry_file(test_atsecure_newdomain_t, test_file_t)
>> -domain_trans(test_atsecure_denied_t, test_file_t, test_atsecure_newdomain_t)
>> -domain_trans(test_atsecure_allowed_t, test_file_t, test_atsecure_newdomain_t)
>> +domain_transition_pattern(test_atsecure_denied_t, test_file_t, test_atsecure_newdomain_t)
>> +domain_transition_pattern(test_atsecure_allowed_t, test_file_t, test_atsecure_newdomain_t)
>> allow test_atsecure_newdomain_t test_atsecure_denied_t:fd use;
>> allow test_atsecure_newdomain_t test_atsecure_allowed_t:fd use;
>> allow_map(atsecuredomain, test_file_t, file)
>> diff --git a/policy/test_capable_net.te b/policy/test_capable_net.te
>> index fab6650..80559f6 100644
>> --- a/policy/test_capable_net.te
>> +++ b/policy/test_capable_net.te
>> @@ -53,7 +53,7 @@ sysadm_bin_spec_domtrans_to(capabledomain)
>> require {
>> type ifconfig_exec_t;
>> }
>> -domain_trans(sysadm_t, ifconfig_exec_t, capabledomain)
>> +domain_transition_pattern(sysadm_t, ifconfig_exec_t, capabledomain)
>> domain_entry_file(capabledomain, ifconfig_exec_t)
>>
>> # Permissions for the good domain
>> diff --git a/policy/test_file.te b/policy/test_file.te
>> index 1f1da3a..828c0f4 100644
>> --- a/policy/test_file.te
>> +++ b/policy/test_file.te
>> @@ -67,13 +67,13 @@ corecmd_bin_entry_type(fileopdomain)
>> sysadm_bin_spec_domtrans_to(fileopdomain)
>>
>> domain_entry_file(fileop_t, fileop_exec_t)
>> -domain_auto_trans(test_fileop_t, fileop_exec_t, fileop_t)
>> +domain_auto_transition_pattern(test_fileop_t, fileop_exec_t, fileop_t)
>> allow test_fileop_t fileop_t:fd use;
>> allow fileop_t test_fileop_t:fd use;
>> allow fileop_t test_fileop_t:fifo_file rw_file_perms;
>> allow fileop_t test_fileop_t:process sigchld;
>>
>> -domain_auto_trans(test_nofileop_t, fileop_exec_t, fileop_t)
>> +domain_auto_transition_pattern(test_nofileop_t, fileop_exec_t, fileop_t)
>> allow test_nofileop_t fileop_t:fd use;
>> allow fileop_t test_nofileop_t:fd use;
>> allow fileop_t test_nofileop_t:fifo_file rw_file_perms;
>> diff --git a/policy/test_inherit.te b/policy/test_inherit.te
>> index 28bfd63..8303fc5 100644
>> --- a/policy/test_inherit.te
>> +++ b/policy/test_inherit.te
>> @@ -47,7 +47,7 @@ userdom_sysadm_entry_spec_domtrans_to(inheritdomain)
>> allow test_inherit_parent_t test_inherit_file_t:file rw_file_perms;
>>
>> # Grant the necessary permissions for the child domain.
>> -domain_trans(test_inherit_parent_t, test_file_t, test_inherit_child_t)
>> +domain_transition_pattern(test_inherit_parent_t, test_file_t, test_inherit_child_t)
>> allow test_inherit_parent_t test_inherit_child_t:fd use;
>> allow test_inherit_child_t test_inherit_parent_t:fd use;
>> allow test_inherit_child_t test_inherit_parent_t:fifo_file rw_file_perms;
>> @@ -60,7 +60,7 @@ allow test_inherit_nouse_t test_file_t:file { read getattr execute entrypoint };
>> allow test_inherit_nouse_t test_inherit_file_t:file rw_file_perms;
>>
>> # Grant the nowrite domain all of the same permissions except for file write.
>> -domain_trans(test_inherit_parent_t, test_file_t, test_inherit_nowrite_t)
>> +domain_transition_pattern(test_inherit_parent_t, test_file_t, test_inherit_nowrite_t)
>> allow test_inherit_parent_t test_inherit_nowrite_t:fd use;
>> allow test_inherit_nowrite_t test_inherit_parent_t:fd use;
>> allow test_inherit_nowrite_t test_inherit_parent_t:fifo_file rw_file_perms;
>> diff --git a/policy/test_readlink.te b/policy/test_readlink.te
>> index 1126fd5..b0d8cd5 100644
>> --- a/policy/test_readlink.te
>> +++ b/policy/test_readlink.te
>> @@ -34,5 +34,5 @@ allow test_noreadlink_t test_readlink_link_t:lnk_file { getattr };
>> require {
>> type ls_exec_t;
>> }
>> -domain_trans(sysadm_t, ls_exec_t, test_readlink_domain)
>> +domain_transition_pattern(sysadm_t, ls_exec_t, test_readlink_domain)
>> domain_entry_file(test_readlink_domain, ls_exec_t)
>> diff --git a/policy/test_rxdir.te b/policy/test_rxdir.te
>> index cbe1897..50d5ad1 100644
>> --- a/policy/test_rxdir.te
>> +++ b/policy/test_rxdir.te
>> @@ -33,4 +33,4 @@ require {
>> type ls_exec_t;
>> }
>> domain_entry_file(test_rxdir_domain, ls_exec_t)
>> -domain_trans(sysadm_t, ls_exec_t, test_rxdir_domain)
>> +domain_transition_pattern(sysadm_t, ls_exec_t, test_rxdir_domain)
>> diff --git a/policy/test_setnice.te b/policy/test_setnice.te
>> index dac0dc5..d956598 100644
>> --- a/policy/test_setnice.te
>> +++ b/policy/test_setnice.te
>> @@ -38,8 +38,8 @@ libs_exec_lib_files(setnicedomain)
>> # Allow all of these domains to be entered from sysadm domain
>> # via a shell script in the test directory or by....
>> miscfiles_domain_entry_test_files(setnicedomain)
>> -domain_trans(sysadm_t, test_file_t, setnicedomain)
>> -domain_trans(test_setnice_change_t, test_file_t, {test_setnice_set_t test_setnice_noset_t})
>> +domain_transition_pattern(sysadm_t, test_file_t, setnicedomain)
>> +domain_transition_pattern(test_setnice_change_t, test_file_t, {test_setnice_set_t test_setnice_noset_t})
>> allow test_setnice_change_t test_setnice_set_t:fd use;
>> allow test_setnice_set_t test_setnice_change_t:fd use;
>> allow test_setnice_set_t test_setnice_change_t:fifo_file rw_file_perms;
>> diff --git a/policy/test_stat.te b/policy/test_stat.te
>> index 2e068d1..0204e71 100644
>> --- a/policy/test_stat.te
>> +++ b/policy/test_stat.te
>> @@ -29,5 +29,5 @@ typeattribute test_nostat_t testdomain;
>> require {
>> type ls_exec_t;
>> }
>> -domain_trans(sysadm_t, ls_exec_t, test_stat_domain)
>> +domain_transition_pattern(sysadm_t, ls_exec_t, test_stat_domain)
>> domain_entry_file(test_stat_domain, ls_exec_t)
>> diff --git a/policy/test_transition.te b/policy/test_transition.te
>> index c487825..1eee2b4 100644
>> --- a/policy/test_transition.te
>> +++ b/policy/test_transition.te
>> @@ -28,7 +28,7 @@ typeattribute test_transition_todomain_t testdomain;
>>
>> # Allow the fromdomain to transition to the new domain.
>> corecmd_bin_entry_type(transitiondomain)
>> -domain_trans(test_transition_fromdomain_t,bin_t,test_transition_todomain_t)
>> +domain_transition_pattern(test_transition_fromdomain_t,bin_t,test_transition_todomain_t)
>> allow test_transition_fromdomain_t test_transition_todomain_t:fd use;
>> allow test_transition_todomain_t test_transition_fromdomain_t:fd use;
>>
>> --
>> 2.21.0
>>
>
>
> --
> Ondrej Mosnacek <omosnace at redhat dot com>
> Software Engineer, Security Technologies
> Red Hat, Inc.
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] policy: fix some build errors under refpolicy
2019-09-19 8:10 [PATCH] policy: fix some build errors under refpolicy Ondrej Mosnacek
2019-09-19 8:33 ` Ondrej Mosnacek
@ 2019-09-19 19:22 ` Stephen Smalley
1 sibling, 0 replies; 4+ messages in thread
From: Stephen Smalley @ 2019-09-19 19:22 UTC (permalink / raw)
To: Ondrej Mosnacek, selinux
On 9/19/19 4:10 AM, Ondrej Mosnacek wrote:
> Replace deprecated macros with new ones. Fedora's policy has both;
> refpolicy just the new ones.
>
> Partially addresses issue #57.
Thanks, applied.
>
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> ---
> policy/test_atsecure.te | 4 ++--
> policy/test_capable_net.te | 2 +-
> policy/test_file.te | 4 ++--
> policy/test_inherit.te | 4 ++--
> policy/test_readlink.te | 2 +-
> policy/test_rxdir.te | 2 +-
> policy/test_setnice.te | 4 ++--
> policy/test_stat.te | 2 +-
> policy/test_transition.te | 2 +-
> 9 files changed, 13 insertions(+), 13 deletions(-)
>
> diff --git a/policy/test_atsecure.te b/policy/test_atsecure.te
> index 7255553..486faf6 100644
> --- a/policy/test_atsecure.te
> +++ b/policy/test_atsecure.te
> @@ -32,8 +32,8 @@ corecmd_bin_entry_type(atsecuredomain)
> corecmd_shell_entry_type(atsecuredomain)
> corecmd_exec_bin(atsecuredomain)
> domain_entry_file(test_atsecure_newdomain_t, test_file_t)
> -domain_trans(test_atsecure_denied_t, test_file_t, test_atsecure_newdomain_t)
> -domain_trans(test_atsecure_allowed_t, test_file_t, test_atsecure_newdomain_t)
> +domain_transition_pattern(test_atsecure_denied_t, test_file_t, test_atsecure_newdomain_t)
> +domain_transition_pattern(test_atsecure_allowed_t, test_file_t, test_atsecure_newdomain_t)
> allow test_atsecure_newdomain_t test_atsecure_denied_t:fd use;
> allow test_atsecure_newdomain_t test_atsecure_allowed_t:fd use;
> allow_map(atsecuredomain, test_file_t, file)
> diff --git a/policy/test_capable_net.te b/policy/test_capable_net.te
> index fab6650..80559f6 100644
> --- a/policy/test_capable_net.te
> +++ b/policy/test_capable_net.te
> @@ -53,7 +53,7 @@ sysadm_bin_spec_domtrans_to(capabledomain)
> require {
> type ifconfig_exec_t;
> }
> -domain_trans(sysadm_t, ifconfig_exec_t, capabledomain)
> +domain_transition_pattern(sysadm_t, ifconfig_exec_t, capabledomain)
> domain_entry_file(capabledomain, ifconfig_exec_t)
>
> # Permissions for the good domain
> diff --git a/policy/test_file.te b/policy/test_file.te
> index 1f1da3a..828c0f4 100644
> --- a/policy/test_file.te
> +++ b/policy/test_file.te
> @@ -67,13 +67,13 @@ corecmd_bin_entry_type(fileopdomain)
> sysadm_bin_spec_domtrans_to(fileopdomain)
>
> domain_entry_file(fileop_t, fileop_exec_t)
> -domain_auto_trans(test_fileop_t, fileop_exec_t, fileop_t)
> +domain_auto_transition_pattern(test_fileop_t, fileop_exec_t, fileop_t)
> allow test_fileop_t fileop_t:fd use;
> allow fileop_t test_fileop_t:fd use;
> allow fileop_t test_fileop_t:fifo_file rw_file_perms;
> allow fileop_t test_fileop_t:process sigchld;
>
> -domain_auto_trans(test_nofileop_t, fileop_exec_t, fileop_t)
> +domain_auto_transition_pattern(test_nofileop_t, fileop_exec_t, fileop_t)
> allow test_nofileop_t fileop_t:fd use;
> allow fileop_t test_nofileop_t:fd use;
> allow fileop_t test_nofileop_t:fifo_file rw_file_perms;
> diff --git a/policy/test_inherit.te b/policy/test_inherit.te
> index 28bfd63..8303fc5 100644
> --- a/policy/test_inherit.te
> +++ b/policy/test_inherit.te
> @@ -47,7 +47,7 @@ userdom_sysadm_entry_spec_domtrans_to(inheritdomain)
> allow test_inherit_parent_t test_inherit_file_t:file rw_file_perms;
>
> # Grant the necessary permissions for the child domain.
> -domain_trans(test_inherit_parent_t, test_file_t, test_inherit_child_t)
> +domain_transition_pattern(test_inherit_parent_t, test_file_t, test_inherit_child_t)
> allow test_inherit_parent_t test_inherit_child_t:fd use;
> allow test_inherit_child_t test_inherit_parent_t:fd use;
> allow test_inherit_child_t test_inherit_parent_t:fifo_file rw_file_perms;
> @@ -60,7 +60,7 @@ allow test_inherit_nouse_t test_file_t:file { read getattr execute entrypoint };
> allow test_inherit_nouse_t test_inherit_file_t:file rw_file_perms;
>
> # Grant the nowrite domain all of the same permissions except for file write.
> -domain_trans(test_inherit_parent_t, test_file_t, test_inherit_nowrite_t)
> +domain_transition_pattern(test_inherit_parent_t, test_file_t, test_inherit_nowrite_t)
> allow test_inherit_parent_t test_inherit_nowrite_t:fd use;
> allow test_inherit_nowrite_t test_inherit_parent_t:fd use;
> allow test_inherit_nowrite_t test_inherit_parent_t:fifo_file rw_file_perms;
> diff --git a/policy/test_readlink.te b/policy/test_readlink.te
> index 1126fd5..b0d8cd5 100644
> --- a/policy/test_readlink.te
> +++ b/policy/test_readlink.te
> @@ -34,5 +34,5 @@ allow test_noreadlink_t test_readlink_link_t:lnk_file { getattr };
> require {
> type ls_exec_t;
> }
> -domain_trans(sysadm_t, ls_exec_t, test_readlink_domain)
> +domain_transition_pattern(sysadm_t, ls_exec_t, test_readlink_domain)
> domain_entry_file(test_readlink_domain, ls_exec_t)
> diff --git a/policy/test_rxdir.te b/policy/test_rxdir.te
> index cbe1897..50d5ad1 100644
> --- a/policy/test_rxdir.te
> +++ b/policy/test_rxdir.te
> @@ -33,4 +33,4 @@ require {
> type ls_exec_t;
> }
> domain_entry_file(test_rxdir_domain, ls_exec_t)
> -domain_trans(sysadm_t, ls_exec_t, test_rxdir_domain)
> +domain_transition_pattern(sysadm_t, ls_exec_t, test_rxdir_domain)
> diff --git a/policy/test_setnice.te b/policy/test_setnice.te
> index dac0dc5..d956598 100644
> --- a/policy/test_setnice.te
> +++ b/policy/test_setnice.te
> @@ -38,8 +38,8 @@ libs_exec_lib_files(setnicedomain)
> # Allow all of these domains to be entered from sysadm domain
> # via a shell script in the test directory or by....
> miscfiles_domain_entry_test_files(setnicedomain)
> -domain_trans(sysadm_t, test_file_t, setnicedomain)
> -domain_trans(test_setnice_change_t, test_file_t, {test_setnice_set_t test_setnice_noset_t})
> +domain_transition_pattern(sysadm_t, test_file_t, setnicedomain)
> +domain_transition_pattern(test_setnice_change_t, test_file_t, {test_setnice_set_t test_setnice_noset_t})
> allow test_setnice_change_t test_setnice_set_t:fd use;
> allow test_setnice_set_t test_setnice_change_t:fd use;
> allow test_setnice_set_t test_setnice_change_t:fifo_file rw_file_perms;
> diff --git a/policy/test_stat.te b/policy/test_stat.te
> index 2e068d1..0204e71 100644
> --- a/policy/test_stat.te
> +++ b/policy/test_stat.te
> @@ -29,5 +29,5 @@ typeattribute test_nostat_t testdomain;
> require {
> type ls_exec_t;
> }
> -domain_trans(sysadm_t, ls_exec_t, test_stat_domain)
> +domain_transition_pattern(sysadm_t, ls_exec_t, test_stat_domain)
> domain_entry_file(test_stat_domain, ls_exec_t)
> diff --git a/policy/test_transition.te b/policy/test_transition.te
> index c487825..1eee2b4 100644
> --- a/policy/test_transition.te
> +++ b/policy/test_transition.te
> @@ -28,7 +28,7 @@ typeattribute test_transition_todomain_t testdomain;
>
> # Allow the fromdomain to transition to the new domain.
> corecmd_bin_entry_type(transitiondomain)
> -domain_trans(test_transition_fromdomain_t,bin_t,test_transition_todomain_t)
> +domain_transition_pattern(test_transition_fromdomain_t,bin_t,test_transition_todomain_t)
> allow test_transition_fromdomain_t test_transition_todomain_t:fd use;
> allow test_transition_todomain_t test_transition_fromdomain_t:fd use;
>
>
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-09-19 19:27 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-09-19 8:10 [PATCH] policy: fix some build errors under refpolicy Ondrej Mosnacek
2019-09-19 8:33 ` Ondrej Mosnacek
2019-09-19 12:11 ` Stephen Smalley
2019-09-19 19:22 ` Stephen Smalley
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).