commit: 4ab83a2a3657e6838b704166dea7b318b8046ce8 |
Author: cgzones <cgzones <AT> googlemail <DOT> com> |
AuthorDate: Wed Mar 8 20:35:28 2017 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Thu Mar 30 13:58:39 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4ab83a2a |
|
mandb: update |
|
fix mandb when running as root |
move file label from cronjob to binary file |
|
policy/modules/contrib/mandb.fc | 3 +-- |
policy/modules/contrib/mandb.if | 10 +++------- |
policy/modules/contrib/mandb.te | 26 +++++++++++--------------- |
3 files changed, 15 insertions(+), 24 deletions(-) |
|
diff --git a/policy/modules/contrib/mandb.fc b/policy/modules/contrib/mandb.fc |
19 |
index 9f2825e9..d92a58fd 100644 |
20 |
--- a/policy/modules/contrib/mandb.fc |
21 |
+++ b/policy/modules/contrib/mandb.fc |
22 |
@@ -1,4 +1,3 @@ |
23 |
-/etc/cron\.(daily|weekly)/man-db.* -- gen_context(system_u:object_r:mandb_exec_t,s0) |
24 |
+/usr/bin/mandb -- gen_context(system_u:object_r:mandb_exec_t,s0) |
25 |
|
26 |
-# Systemd unit file |
27 |
/usr/lib/systemd/system/[^/]*man-db.* -- gen_context(system_u:object_r:mandb_unit_t,s0) |
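Review bot: With the `/etc/cron\.(daily|weekly)/man-db.*` label gone, confinement of the daily job now rests entirely on the cron domain transitioning when `/usr/bin/mandb` is executed (the `cron_system_entry(mandb_t, mandb_exec_t)` call visible at the end of mandb.te), so a binary installed at any other path on a supported distribution would make the job run unconfined in the cron domain rather than fail loudly. I have not verified other install locations; if one exists it belongs in this line as an alternation, e.g. `/usr/s?bin/mandb -- gen_context(system_u:object_r:mandb_exec_t,s0)` (constructed pattern, adjust to the real path). The removed `# Systemd unit file` comment was the only documentation of the remaining unit-file line and could be kept.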
28 |
|
29 |
diff --git a/policy/modules/contrib/mandb.if b/policy/modules/contrib/mandb.if |
30 |
index 327f3f72..2b5d5385 100644 |
31 |
--- a/policy/modules/contrib/mandb.if |
32 |
+++ b/policy/modules/contrib/mandb.if |
33 |
@@ -42,7 +42,7 @@ interface(`mandb_run',` |
34 |
attribute_role mandb_roles; |
35 |
') |
36 |
|
37 |
- lightsquid_domtrans($1) |
38 |
+ mandb_domtrans($1) |
39 |
roleattribute $2 mandb_roles; |
40 |
') |
41 |
|
42 |
@@ -122,14 +122,10 @@ interface(`mandb_manage_cache_content',` |
43 |
# |
44 |
interface(`mandb_admin',` |
45 |
gen_require(` |
46 |
- type mandb_t, mandb_cache_t; |
47 |
+ type mandb_t; |
48 |
') |
49 |
|
50 |
- allow $1 mandb_t:process { ptrace signal_perms }; |
51 |
- ps_process_pattern($1, mandb_t) |
52 |
+ admin_process_pattern($1, mandb_t) |
53 |
|
54 |
mandb_run($1, $2) |
55 |
- |
56 |
- # pending |
57 |
- # miscfiles_manage_man_cache_content(mandb_t) |
58 |
') |
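Review bot: After this hunk `mandb_admin` grants only `admin_process_pattern` and `mandb_run`, with no access to the man cache, although the `mandb_manage_cache_content` interface named in the hunk header sits directly above it; refpolicy admin interfaces normally also let `$1` manage the module's files. If that interface is still meaningful, add `mandb_manage_cache_content($1)` after `mandb_run($1, $2)`; if the cache is now purely `man_cache_t` from miscfiles (mandb.te calls `miscfiles_manage_man_cache`), then `mandb_manage_cache_content` is presumably a leftover and its doc block should say so. Dropping `mandb_cache_t` from the `gen_require` is not mentioned in the commit message and deserves a line there.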
59 |
|
60 |
diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te |
61 |
index 142e7e07..0358aaff 100644 |
62 |
--- a/policy/modules/contrib/mandb.te |
63 |
+++ b/policy/modules/contrib/mandb.te |
64 |
@@ -21,7 +21,11 @@ init_unit_file(mandb_unit_t) |
65 |
# Local policy |
66 |
# |
67 |
|
68 |
-allow mandb_t self:capability { setgid setuid }; |
69 |
+# dac_override : write /var/cache/man/* |
70 |
+# fowner : chmod /var/cache/man/* |
71 |
+# chown : lchown32 /var/cache/man/* |
72 |
+# fsetid : chmod /var/cache/man/* |
73 |
+allow mandb_t self:capability { chown dac_override fowner fsetid setgid setuid }; |
74 |
allow mandb_t self:process { setsched signal }; |
75 |
allow mandb_t self:fifo_file rw_fifo_file_perms; |
76 |
allow mandb_t self:unix_stream_socket create_stream_socket_perms; |
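Review bot: `fsetid` probably should not be allowed here: in the chmod/chown/write paths I know of the kernel consults CAP_FSETID only to decide whether to strip set-id bits, and a denial just clears them, which is why refpolicy commonly uses `dontaudit mandb_t self:capability fsetid;` instead of granting it. `dac_override` is the broad one in the new set — since mandb_t already holds `setuid setgid` to drop to the man user, the cache writes may succeed without it if /var/cache/man is owned by that user, so it is worth confirming against the actual AVC before keeping it. The per-capability comments above the rule are a good habit and should stay with it.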
77 |
@@ -32,28 +36,20 @@ kernel_read_system_state(mandb_t) |
78 |
corecmd_exec_bin(mandb_t) |
79 |
corecmd_exec_shell(mandb_t) |
80 |
|
81 |
-dev_search_sysfs(mandb_t) |
82 |
- |
83 |
domain_use_interactive_fds(mandb_t) |
84 |
|
85 |
+files_dontaudit_search_home(mandb_t) |
86 |
files_read_etc_files(mandb_t) |
87 |
+# search /var/run/nscd/socket |
88 |
+files_search_pids(mandb_t) |
89 |
+ |
90 |
+fs_getattr_xattr_fs(mandb_t) |
91 |
|
92 |
miscfiles_manage_man_cache(mandb_t) |
93 |
miscfiles_read_man_pages(mandb_t) |
94 |
miscfiles_read_localization(mandb_t) |
95 |
|
96 |
-ifdef(`distro_debian',` |
97 |
- optional_policy(` |
98 |
- apt_exec(mandb_t) |
99 |
- apt_read_db(mandb_t) |
100 |
- ') |
101 |
- |
102 |
- optional_policy(` |
103 |
- dpkg_exec(mandb_t) |
104 |
- dpkg_read_db(mandb_t) |
105 |
- userdom_dontaudit_search_user_home_dirs(mandb_t) |
106 |
- ') |
107 |
-') |
108 |
+userdom_use_inherited_user_terminals(mandb_t) |
109 |
|
110 |
optional_policy(` |
111 |
cron_system_entry(mandb_t, mandb_exec_t) |