avc denied messages from setfiles

[Russell Coker]

On Tue, 4 May 2004 06:28, Richard Hally <rhallyx at mindspring.com> wrote:
> Below are some avc denied messages produced from running "fixfiles
> restore" in enforcing mode with updated policy-1.11.2-21.

The attached policy should fix that.  It will be in rawhide in a couple of 
days.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
-------------- next part --------------
#DESC Setfiles - SELinux filesystem labeling utilities
#
# Authors:  Russell Coker <russell at coker.com.au>
# X-Debian-Packages: policycoreutils
#

#################################
#
# Rules for the setfiles_t domain.
#
# setfiles_exec_t is the type of the setfiles executable.
#
# needs auth_write attribute because it has relabelfrom/relabelto
# access to shadow_t
type setfiles_t, domain, privlog, privowner, auth_write;
type setfiles_exec_t, file_type, sysadmfile, exec_type;

role system_r types setfiles_t;
role sysadm_r types setfiles_t;

allow setfiles_t initrc_devpts_t:chr_file { read write ioctl };
allow setfiles_t { ttyfile ptyfile tty_device_t admin_tty_type }:chr_file { read write ioctl };

domain_auto_trans(sysadm_t, setfiles_exec_t, setfiles_t)
allow setfiles_t { userdomain privfd initrc_t init_t }:fd use;

uses_shlib(setfiles_t)
allow setfiles_t self:capability { dac_override dac_read_search };

# for upgrading glibc and other shared objects - without this the upgrade
# scripts will put things in a state such that setfiles can not be run!
allow setfiles_t lib_t:file { read execute };

# Get security policy decisions.
can_getsecurity(setfiles_t)

r_dir_file(setfiles_t, { policy_src_t policy_config_t })

allow setfiles_t file_type:dir r_dir_perms;
allow setfiles_t { file_type unlabeled_t }:dir_file_class_set { getattr relabelfrom };
allow setfiles_t file_type:{ dir file lnk_file sock_file fifo_file } relabelto;
allow setfiles_t unlabeled_t:dir read;
allow setfiles_t device_type:{ chr_file blk_file } relabelto;
allow setfiles_t device_t:{ chr_file blk_file } { getattr relabelfrom read };
allow setfiles_t { ttyfile ptyfile }:chr_file getattr;

allow setfiles_t fs_t:filesystem getattr;
allow setfiles_t fs_type:dir r_dir_perms;

allow setfiles_t etc_runtime_t:file read;
allow setfiles_t etc_t:file read;
allow setfiles_t proc_t:file { getattr read };
dontaudit setfiles_t proc_t:lnk_file { getattr read };

# for config files in a home directory
allow setfiles_t home_type:file r_file_perms;
dontaudit setfiles_t sysadm_tty_device_t:chr_file { relabelfrom };