1 |
commit: 3f2fdd88b576d2fe658d89a2d972dc928147c73e |
2 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
3 |
AuthorDate: Fri Sep 27 07:47:37 2013 +0000 |
4 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
5 |
CommitDate: Mon Sep 30 19:02:58 2013 +0000 |
6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3f2fdd88 |
7 |
|
8 |
locate: extra rules needed by debian /etc/cron.daily/locate script |
9 |
|
10 |
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
11 |
|
12 |
--- |
13 |
policy/modules/contrib/slocate.fc | 2 ++ |
14 |
policy/modules/contrib/slocate.te | 13 +++++++++++-- |
15 |
2 files changed, 13 insertions(+), 2 deletions(-) |
16 |
|
17 |
diff --git a/policy/modules/contrib/slocate.fc b/policy/modules/contrib/slocate.fc |
18 |
index 19dbf4f..5844628 100644 |
19 |
--- a/policy/modules/contrib/slocate.fc |
20 |
+++ b/policy/modules/contrib/slocate.fc |
21 |
@@ -3,3 +3,5 @@ |
22 |
/usr/bin/updatedb.* -- gen_context(system_u:object_r:locate_exec_t,s0) |
23 |
|
24 |
/var/lib/[sm]locate(/.*)? gen_context(system_u:object_r:locate_var_lib_t,s0) |
25 |
+ |
26 |
+/var/run/mlocate\.daily\.lock -- gen_context(system_u:object_r:locate_var_run_t,s0) |
27 |
|
28 |
diff --git a/policy/modules/contrib/slocate.te b/policy/modules/contrib/slocate.te |
29 |
index b362a61..7292dc0 100644 |
30 |
--- a/policy/modules/contrib/slocate.te |
31 |
+++ b/policy/modules/contrib/slocate.te |
32 |
@@ -1,4 +1,4 @@ |
33 |
-policy_module(slocate, 1.12.1) |
34 |
+policy_module(slocate, 1.12.2) |
35 |
|
36 |
################################# |
37 |
# |
38 |
@@ -12,24 +12,33 @@ init_system_domain(locate_t, locate_exec_t) |
39 |
type locate_var_lib_t; |
40 |
files_type(locate_var_lib_t) |
41 |
|
42 |
+type locate_var_run_t; |
43 |
+files_pid_file(locate_var_run_t) |
44 |
+ |
45 |
######################################## |
46 |
# |
47 |
# Local policy |
48 |
# |
49 |
|
50 |
allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid }; |
51 |
-allow locate_t self:process { execmem execheap execstack signal }; |
52 |
+allow locate_t self:process { execmem execheap execstack signal setsched }; |
53 |
allow locate_t self:fifo_file rw_fifo_file_perms; |
54 |
allow locate_t self:unix_stream_socket create_socket_perms; |
55 |
|
56 |
manage_dirs_pattern(locate_t, locate_var_lib_t, locate_var_lib_t) |
57 |
manage_files_pattern(locate_t, locate_var_lib_t, locate_var_lib_t) |
58 |
|
59 |
+allow locate_t locate_var_run_t:file manage_file_perms; |
60 |
+files_pid_filetrans(locate_t, locate_var_run_t, file, "mlocate.daily.lock") |
61 |
+ |
62 |
+can_exec(locate_t, locate_exec_t) |
63 |
+ |
64 |
kernel_read_system_state(locate_t) |
65 |
kernel_dontaudit_search_network_state(locate_t) |
66 |
kernel_dontaudit_search_sysctl(locate_t) |
67 |
|
68 |
corecmd_exec_bin(locate_t) |
69 |
+corecmd_exec_shell(locate_t) |
70 |
|
71 |
dev_getattr_all_blk_files(locate_t) |
72 |
dev_getattr_all_chr_files(locate_t) |