
From: Sven Vermeulen <swift@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Mon, 30 Sep 2013 19:04:02
Message-Id: 1380567778.3f2fdd88b576d2fe658d89a2d972dc928147c73e.swift@gentoo
1 commit: 3f2fdd88b576d2fe658d89a2d972dc928147c73e
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Fri Sep 27 07:47:37 2013 +0000
4 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
5 CommitDate: Mon Sep 30 19:02:58 2013 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3f2fdd88
7
8 locate: extra rules needed by debian /etc/cron.daily/locate script
9
10 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
11
12 ---
13 policy/modules/contrib/slocate.fc | 2 ++
14 policy/modules/contrib/slocate.te | 13 +++++++++++--
15 2 files changed, 13 insertions(+), 2 deletions(-)
16
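diff --git a/policy/modules/contrib/slocate.fc b/policy/modules/contrib/slocate.fc
index 19dbf4f..5844628 100644
--- a/policy/modules/contrib/slocate.fc
+++ b/policy/modules/contrib/slocate.fc
@@ -3,3 +3,5 @@
 /usr/bin/updatedb.* -- gen_context(system_u:object_r:locate_exec_t,s0)
 
 /var/lib/[sm]locate(/.*)? gen_context(system_u:object_r:locate_var_lib_t,s0)
+
+/var/run/mlocate\.daily\.lock -- gen_context(system_u:object_r:locate_var_run_t,s0)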
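Review bot: The new context line only matches the `/var/run/mlocate\.daily\.lock` spelling of the lock file; whether the `/run/...` spelling is labelled the same depends on this tree shipping a `/run` to `/var/run` substitution (file_contexts.subs_dist), which is not visible here, so confirm that before relying on a relabel to fix a mislabelled lock file. At runtime the label is set by the `files_pid_filetrans` name transition added in slocate.te in the same commit, so this entry mainly keeps relabelling consistent with what the domain creates.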
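diff --git a/policy/modules/contrib/slocate.te b/policy/modules/contrib/slocate.te
index b362a61..7292dc0 100644
--- a/policy/modules/contrib/slocate.te
+++ b/policy/modules/contrib/slocate.te
@@ -1,4 +1,4 @@
-policy_module(slocate, 1.12.1)
+policy_module(slocate, 1.12.2)
 
 #################################
 #
@@ -12,24 +12,33 @@ init_system_domain(locate_t, locate_exec_t)
 type locate_var_lib_t;
 files_type(locate_var_lib_t)
 
+type locate_var_run_t;
+files_pid_file(locate_var_run_t)
+
 ########################################
 #
 # Local policy
 #
 
 allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid };
-allow locate_t self:process { execmem execheap execstack signal };
+allow locate_t self:process { execmem execheap execstack signal setsched };
 allow locate_t self:fifo_file rw_fifo_file_perms;
 allow locate_t self:unix_stream_socket create_socket_perms;
 
 manage_dirs_pattern(locate_t, locate_var_lib_t, locate_var_lib_t)
 manage_files_pattern(locate_t, locate_var_lib_t, locate_var_lib_t)
 
+allow locate_t locate_var_run_t:file manage_file_perms;
+files_pid_filetrans(locate_t, locate_var_run_t, file, "mlocate.daily.lock")
+
+can_exec(locate_t, locate_exec_t)
+
 kernel_read_system_state(locate_t)
 kernel_dontaudit_search_network_state(locate_t)
 kernel_dontaudit_search_sysctl(locate_t)
 
 corecmd_exec_bin(locate_t)
+corecmd_exec_shell(locate_t)
 
 dev_getattr_all_blk_files(locate_t)
 dev_getattr_all_chr_files(locate_t)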
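Review bot: The new `allow locate_t locate_var_run_t:file manage_file_perms;` in the second hunk is a raw allow rule placed directly under the `manage_dirs_pattern`/`manage_files_pattern` calls used for locate_var_lib_t; for consistency with the surrounding block it would read `manage_files_pattern(locate_t, locate_var_run_t, locate_var_run_t)`. None of the additions (`setsched`, the lock-file rules, `can_exec(locate_t, locate_exec_t)`, `corecmd_exec_shell(locate_t)`) carries a why-comment, so a later reader cannot tell they belong together; a one-line comment such as `# needed by the debian /etc/cron.daily/locate script` above the `can_exec` line would record the rationale the commit message gives. Note that `can_exec` lets locate_t run its own entrypoint without a domain transition and `corecmd_exec_shell` widens what the domain may execute, so both should stay tied to that documented need rather than being carried into other policy trees as a default.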