diff --git a/Changelog b/Changelog
index 6a50983..951b549 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,5 @@
+- Deprecate mls_file_write_down() and mls_file_read_up(), replaced with
+ mls_write_all_levels() and mls_read_all_levels(), for consistency.
 - Add make kernel and init ranged interfaces pass the range transition MLS constraints. Also remove calls to mls_rangetrans_target() in modules that use the kernel and init interfaces, since its redundant.
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 11d26ed..a467412 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -90,8 +90,8 @@ fs_read_tmpfs_symlinks(bootloader_t)
 #Needed for ia64
 fs_manage_dos_files(bootloader_t)
-mls_file_read_up(bootloader_t)
-mls_file_write_down(bootloader_t)
+mls_file_read_all_levels(bootloader_t)
+mls_file_write_all_levels(bootloader_t)
 term_getattr_all_user_ttys(bootloader_t)
diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
index bc5172d..94271c9 100644
--- a/policy/modules/admin/consoletype.te
+++ b/policy/modules/admin/consoletype.te
@@ -10,8 +10,8 @@ type consoletype_t;
 type consoletype_exec_t;
 application_executable_file(consoletype_exec_t)
 init_domain(consoletype_t,consoletype_exec_t)
-mls_file_read_up(consoletype_t)
-mls_file_write_down(consoletype_t)
+mls_file_read_all_levels(consoletype_t)
+mls_file_write_all_levels(consoletype_t)
 role system_r types consoletype_t;
 ifdef(`targeted_policy',`',`
diff --git a/policy/modules/admin/dmidecode.te b/policy/modules/admin/dmidecode.te
index ffbca64..8db3734 100644
--- a/policy/modules/admin/dmidecode.te
+++ b/policy/modules/admin/dmidecode.te
@@ -21,7 +21,7 @@ allow dmidecode_t self:capability sys_rawio;
 # Allow dmidecode to read /dev/mem
 dev_read_raw_memory(dmidecode_t)
-mls_file_read_up(dmidecode_t)
+mls_file_read_all_levels(dmidecode_t)
 term_list_ptys(dmidecode_t)
diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
index 9ffc409..df270e9 100644
--- a/policy/modules/admin/dpkg.te
+++ b/policy/modules/admin/dpkg.te
@@ -126,8 +126,8 @@ fs_manage_nfs_symlinks(dpkg_t)
 fs_getattr_all_fs(dpkg_t)
 fs_search_auto_mountpoints(dpkg_t)
-mls_file_read_up(dpkg_t)
-mls_file_write_down(dpkg_t)
+mls_file_read_all_levels(dpkg_t)
+mls_file_write_all_levels(dpkg_t)
 mls_file_upgrade(dpkg_t)
 selinux_get_fs_mount(dpkg_t)
@@ -268,8 +268,8 @@ fs_mount_xattr_fs(dpkg_script_t)
 fs_unmount_xattr_fs(dpkg_script_t)
 fs_search_auto_mountpoints(dpkg_script_t)
-mls_file_read_up(dpkg_script_t)
-mls_file_write_down(dpkg_script_t)
+mls_file_read_all_levels(dpkg_script_t)
+mls_file_write_all_levels(dpkg_script_t)
 selinux_get_fs_mount(dpkg_script_t)
 selinux_validate_context(dpkg_script_t)
diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te
index 4c8d5c7..fb51cb3 100644
--- a/policy/modules/admin/kudzu.te
+++ b/policy/modules/admin/kudzu.te
@@ -62,8 +62,8 @@ fs_search_auto_mountpoints(kudzu_t)
 fs_search_ramfs(kudzu_t)
 fs_write_ramfs_sockets(kudzu_t)
-mls_file_read_up(kudzu_t)
-mls_file_write_down(kudzu_t)
+mls_file_read_all_levels(kudzu_t)
+mls_file_write_all_levels(kudzu_t)
 modutils_read_module_deps(kudzu_t)
 modutils_read_module_config(kudzu_t)
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index 3258b60..25e4744 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -72,8 +72,8 @@ dev_read_urand(logrotate_t)
 fs_search_auto_mountpoints(logrotate_t)
 fs_getattr_xattr_fs(logrotate_t)
-mls_file_read_up(logrotate_t)
-mls_file_write_down(logrotate_t)
+mls_file_read_all_levels(logrotate_t)
+mls_file_write_all_levels(logrotate_t)
 mls_file_upgrade(logrotate_t)
 selinux_get_fs_mount(logrotate_t)
diff --git a/policy/modules/admin/quota.te b/policy/modules/admin/quota.te
index 2aab40a..c52b0d2 100644
--- a/policy/modules/admin/quota.te
+++ b/policy/modules/admin/quota.te
@@ -50,7 +50,7 @@ fs_getattr_xattr_fs(quota_t)
 fs_remount_xattr_fs(quota_t)
 fs_search_auto_mountpoints(quota_t)
-mls_file_read_up(quota_t)
+mls_file_read_all_levels(quota_t)
 storage_raw_read_fixed_disk(quota_t)
diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
index 13efda9..849d2d5 100644
--- a/policy/modules/admin/readahead.te
+++ b/policy/modules/admin/readahead.te
@@ -54,7 +54,7 @@ fs_dontaudit_read_ramfs_pipes(readahead_t)
 fs_dontaudit_read_ramfs_files(readahead_t)
 fs_read_tmpfs_symlinks(readahead_t)
-mls_file_read_up(readahead_t)
+mls_file_read_all_levels(readahead_t)
 term_dontaudit_use_console(readahead_t)
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index da6d7bd..762f519 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -115,8 +115,8 @@ fs_manage_nfs_symlinks(rpm_t)
 fs_getattr_all_fs(rpm_t)
 fs_search_auto_mountpoints(rpm_t)
-mls_file_read_up(rpm_t)
-mls_file_write_down(rpm_t)
+mls_file_read_all_levels(rpm_t)
+mls_file_write_all_levels(rpm_t)
 mls_file_upgrade(rpm_t)
 mls_file_downgrade(rpm_t)
@@ -276,8 +276,8 @@ fs_search_auto_mountpoints(rpm_script_t)
 mcs_killall(rpm_script_t)
 mcs_ptrace_all(rpm_script_t)
-mls_file_read_up(rpm_script_t)
-mls_file_write_down(rpm_script_t)
+mls_file_read_all_levels(rpm_script_t)
+mls_file_write_all_levels(rpm_script_t)
 selinux_get_fs_mount(rpm_script_t)
 selinux_validate_context(rpm_script_t)
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index 9659f2c..6c337fa 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -221,7 +221,7 @@ template(`su_per_role_template',`
 # Write to utmp.
 init_rw_utmp($1_su_t)
- mls_file_write_down($1_su_t)
+ mls_file_write_all_levels($1_su_t)
 libs_use_ld_so($1_su_t)
 libs_use_shared_libs($1_su_t)
diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
index 5057e7a..0d49a6a 100644
--- a/policy/modules/admin/tmpreaper.te
+++ b/policy/modules/admin/tmpreaper.te
@@ -29,8 +29,8 @@ files_purge_tmp(tmpreaper_t)
 # why does it need setattr?
 files_setattr_all_tmp_dirs(tmpreaper_t)
-mls_file_read_up(tmpreaper_t)
-mls_file_write_down(tmpreaper_t)
+mls_file_read_all_levels(tmpreaper_t)
+mls_file_write_all_levels(tmpreaper_t)
 libs_use_ld_so(tmpreaper_t)
 libs_use_shared_libs(tmpreaper_t)
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index d03e317..a393442 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -281,7 +281,7 @@ dev_read_urand(passwd_t)
 fs_getattr_xattr_fs(passwd_t)
 fs_search_auto_mountpoints(passwd_t)
-mls_file_write_down(passwd_t)
+mls_file_write_all_levels(passwd_t)
 mls_file_downgrade(passwd_t)
 selinux_get_fs_mount(passwd_t)
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index e6250e2..0b30904 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -53,7 +53,7 @@ interface(`mls_file_read_to_clearance',`
 ##
 #
 interface(`mls_file_read_up',`
-# refpolicywarn(`$0($*) has been deprecated, please use mls_file_read_all_levels() instead.')
+ refpolicywarn(`$0($*) has been deprecated, please use mls_file_read_all_levels() instead.')
 mls_file_read_all_levels($1)
 ')
@@ -119,7 +119,7 @@ interface(`mls_file_write_to_clearance',`
 ##
 #
 interface(`mls_file_write_down',`
-# refpolicywarn(`$0($*) has been deprecated, please use mls_file_write_all_levels() instead.')
+ refpolicywarn(`$0($*) has been deprecated, please use mls_file_write_all_levels() instead.')
 mls_file_write_all_levels($1)
 ')
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
index bf89435..f90d054 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
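Review bot: The warning enabled in `mls_file_read_up` (policy/modules/kernel/mls.if, and the matching line in `mls_file_write_down` in the hunk at 119) points callers to `mls_file_read_all_levels()` and `mls_file_write_all_levels()`, but the Changelog entry in this commit names the replacements `mls_write_all_levels()` and `mls_read_all_levels()`, which match no interface called in this diff. The Changelog should use the `mls_file_` names so someone chasing a build warning finds the right interface. Both wrappers still expand to the same all-levels override, so no permission changes here; the `##` documentation above each wrapper is mostly outside the hunk, and if it does not already say so it should note that the interface is deprecated and kept for compatibility only.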
@@ -167,8 +167,8 @@ fs_search_auto_mountpoints(cupsd_t)
 mls_fd_use_all_levels(cupsd_t)
 mls_file_downgrade(cupsd_t)
-mls_file_write_down(cupsd_t)
-mls_file_read_up(cupsd_t)
+mls_file_write_all_levels(cupsd_t)
+mls_file_read_all_levels(cupsd_t)
 mls_socket_write_all_levels(cupsd_t)
 term_use_unallocated_ttys(cupsd_t)
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
index ba6bab3..1f1ddf1 100644
--- a/policy/modules/services/hal.te
+++ b/policy/modules/services/hal.te
@@ -138,7 +138,7 @@ fs_list_inotifyfs(hald_t)
 fs_list_auto_mountpoints(hald_t)
 files_getattr_all_mountpoints(hald_t)
-mls_file_read_up(hald_t)
+mls_file_read_all_levels(hald_t)
 selinux_get_fs_mount(hald_t)
 selinux_validate_context(hald_t)
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index 0d53b20..3d7fb68 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -66,7 +66,7 @@ dev_read_urand(NetworkManager_t)
 fs_getattr_all_fs(NetworkManager_t)
 fs_search_auto_mountpoints(NetworkManager_t)
-mls_file_read_up(NetworkManager_t)
+mls_file_read_all_levels(NetworkManager_t)
 selinux_dontaudit_search_fs(NetworkManager_t)
diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
index 60255f6..c702de5 100644
--- a/policy/modules/services/smartmon.te
+++ b/policy/modules/services/smartmon.te
@@ -60,7 +60,7 @@ files_read_etc_files(fsdaemon_t)
 fs_getattr_all_fs(fsdaemon_t)
 fs_search_auto_mountpoints(fsdaemon_t)
-mls_file_read_up(fsdaemon_t)
+mls_file_read_all_levels(fsdaemon_t)
 storage_raw_read_fixed_disk(fsdaemon_t)
 storage_raw_write_fixed_disk(fsdaemon_t)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 753ffed..cc2c243 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -197,8 +197,8 @@ interface(`auth_login_pgm_domain',`
 selinux_compute_relabel_context($1)
 selinux_compute_user_contexts($1)
- mls_file_read_up($1)
- mls_file_write_down($1)
+ mls_file_read_all_levels($1)
+ mls_file_write_all_levels($1)
 mls_file_upgrade($1)
 mls_file_downgrade($1)
 mls_process_set_level($1)
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 3c6b300..f7a2c8a 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -169,8 +169,8 @@ dev_getattr_xserver_misc_dev(pam_console_t)
 dev_setattr_xserver_misc_dev(pam_console_t)
 dev_read_urand(pam_console_t)
-mls_file_read_up(pam_console_t)
-mls_file_write_down(pam_console_t)
+mls_file_read_all_levels(pam_console_t)
+mls_file_write_all_levels(pam_console_t)
 storage_getattr_fixed_disk_dev(pam_console_t)
 storage_setattr_fixed_disk_dev(pam_console_t)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 50d2f18..4d7854e 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -96,8 +96,8 @@ fs_search_tmpfs(fsadm_t)
 fs_getattr_tmpfs_dirs(fsadm_t)
 fs_read_tmpfs_symlinks(fsadm_t)
-mls_file_read_up(fsadm_t)
-mls_file_write_down(fsadm_t)
+mls_file_read_all_levels(fsadm_t)
+mls_file_write_all_levels(fsadm_t)
 storage_raw_read_fixed_disk(fsadm_t)
 storage_raw_write_fixed_disk(fsadm_t)
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index dd5b7e8..edfbabb 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -66,8 +66,8 @@ fs_getattr_xattr_fs(getty_t)
 mcs_process_set_categories(getty_t)
-mls_file_read_up(getty_t)
-mls_file_write_down(getty_t)
+mls_file_read_all_levels(getty_t)
+mls_file_write_all_levels(getty_t)
 # Chown, chmod, read and write ttys.
 term_use_all_user_ttys(getty_t)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 92ef6ba..e4f2b87 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -140,8 +140,8 @@ fs_write_ramfs_sockets(init_t)
 mcs_process_set_categories(init_t)
 mcs_killall(init_t)
-mls_file_read_up(init_t)
-mls_file_write_down(init_t)
+mls_file_read_all_levels(init_t)
+mls_file_write_all_levels(init_t)
 mls_process_write_down(init_t)
 mls_fd_use_all_levels(init_t)
@@ -287,8 +287,8 @@ mcs_ptrace_all(initrc_t)
 mcs_killall(initrc_t)
 mcs_process_set_categories(initrc_t)
-mls_file_read_up(initrc_t)
-mls_file_write_down(initrc_t)
+mls_file_read_all_levels(initrc_t)
+mls_file_write_all_levels(initrc_t)
 mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 6a6cd80..c5decd8 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -49,7 +49,7 @@ dev_read_sysfs(iptables_t)
 fs_getattr_xattr_fs(iptables_t)
 fs_search_auto_mountpoints(iptables_t)
-mls_file_read_up(iptables_t)
+mls_file_read_all_levels(iptables_t)
 term_dontaudit_use_console(iptables_t)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index a4803b8..9628ffb 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -80,7 +80,7 @@ kernel_read_proc_symlinks(auditctl_t)
 domain_read_all_domains_state(auditctl_t)
 domain_use_interactive_fds(auditctl_t)
-mls_file_read_up(auditctl_t)
+mls_file_read_all_levels(auditctl_t)
 term_use_all_terms(auditctl_t)
@@ -153,8 +153,8 @@ libs_use_shared_libs(auditd_t)
 miscfiles_read_localization(auditd_t)
-mls_file_read_up(auditd_t)
-mls_file_write_down(auditd_t) # Need to be able to write to /var/run/ directory
+mls_file_read_all_levels(auditd_t)
+mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
 mls_fd_use_all_levels(auditd_t)
 seutil_dontaudit_read_config(auditd_t)
@@ -222,7 +222,7 @@ logging_send_syslog_msg(klogd_t)
 miscfiles_read_localization(klogd_t)
-mls_file_read_up(klogd_t)
+mls_file_read_all_levels(klogd_t)
 userdom_dontaudit_search_sysadm_home_dirs(klogd_t)
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index e12a155..87e4b48 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -21,7 +21,7 @@ files_type(modules_dep_t)
 type insmod_t;
 type insmod_exec_t;
 application_domain(insmod_t,insmod_exec_t)
-mls_file_write_down(insmod_t)
+mls_file_write_all_levels(insmod_t)
 role system_r types insmod_t;
 type depmod_t;
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 4cc9b97..f1f63e3 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -110,8 +110,8 @@ logging_send_syslog_msg(mount_t)
 miscfiles_read_localization(mount_t)
-mls_file_read_up(mount_t)
-mls_file_write_down(mount_t)
+mls_file_read_all_levels(mount_t)
+mls_file_write_all_levels(mount_t)
 sysnet_use_portmap(mount_t)
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 0906086..28f757d 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -178,7 +178,7 @@ files_read_etc_runtime_files(load_policy_t)
 fs_getattr_xattr_fs(load_policy_t)
-mls_file_read_up(load_policy_t)
+mls_file_read_all_levels(load_policy_t)
 selinux_get_fs_mount(load_policy_t)
 selinux_load_policy(load_policy_t)
@@ -243,8 +243,8 @@ dev_read_urand(newrole_t)
 fs_getattr_xattr_fs(newrole_t)
 fs_search_auto_mountpoints(newrole_t)
-mls_file_read_up(newrole_t)
-mls_file_write_down(newrole_t)
+mls_file_read_all_levels(newrole_t)
+mls_file_write_all_levels(newrole_t)
 mls_file_upgrade(newrole_t)
 mls_file_downgrade(newrole_t)
 mls_process_set_level(newrole_t)
@@ -472,8 +472,8 @@ files_read_etc_runtime_files(semanage_t)
 files_read_usr_files(semanage_t)
 files_list_pids(semanage_t)
-mls_file_write_down(semanage_t)
-mls_file_read_up(semanage_t)
+mls_file_write_all_levels(semanage_t)
+mls_file_read_all_levels(semanage_t)
 selinux_validate_context(semanage_t)
 selinux_get_enforce_mode(semanage_t)
@@ -551,8 +551,8 @@ fs_list_all(setfiles_t)
 fs_search_auto_mountpoints(setfiles_t)
 fs_relabelfrom_noxattr_fs(setfiles_t)
-mls_file_read_up(setfiles_t)
-mls_file_write_down(setfiles_t)
+mls_file_read_all_levels(setfiles_t)
+mls_file_write_all_levels(setfiles_t)
 mls_file_upgrade(setfiles_t)
 mls_file_downgrade(setfiles_t)
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index d070f7d..4c263a3 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -52,8 +52,8 @@ domain_getsession_all_domains(setrans_t)
 files_read_etc_runtime_files(setrans_t)
-mls_file_read_up(setrans_t)
-mls_file_write_down(setrans_t)
+mls_file_read_all_levels(setrans_t)
+mls_file_write_all_levels(setrans_t)
 mls_net_receive_all_levels(setrans_t)
 mls_socket_write_all_levels(setrans_t)
 mls_process_read_up(setrans_t)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index a4ed0a2..028789b 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -105,8 +105,8 @@ fs_list_inotifyfs(udev_t)
 mcs_ptrace_all(udev_t)
-mls_file_read_up(udev_t)
-mls_file_write_down(udev_t)
+mls_file_read_all_levels(udev_t)
+mls_file_write_all_levels(udev_t)
 mls_file_upgrade(udev_t)
 mls_file_downgrade(udev_t)
 mls_process_write_down(udev_t)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 6db2c1f..2248ca7 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1282,7 +1282,7 @@ template(`userdom_security_admin_template',`
 fs_manage_dos_files($1)
 mls_process_read_up($1)
- mls_file_read_up($1)
+ mls_file_read_all_levels($1)
 mls_file_upgrade($1)
 mls_file_downgrade($1)
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 6a1f647..a7fbb1b 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -198,8 +198,8 @@ ifdef(`strict_policy',`
 corecmd_exec_shell(secadm_t)
 domain_obj_id_change_exemption(secadm_t)
 mls_process_read_up(secadm_t)
- mls_file_read_up(secadm_t)
- mls_file_write_down(secadm_t)
+ mls_file_read_all_levels(secadm_t)
+ mls_file_write_all_levels(secadm_t)
 mls_file_upgrade(secadm_t)
 mls_file_downgrade(secadm_t)
 auth_relabel_all_files_except_shadow(secadm_t)