commit: 0b43c7867705de4ae377de61aefe59fe43e4486d |
Author: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
AuthorDate: Mon Oct 12 00:58:21 2020 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Mon Oct 12 01:57:46 2020 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0b43c786 |
|
Fix selint issues |
|
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
|
policy/modules/admin/portage.fc | 3 --- |
policy/modules/admin/puppet.te | 2 +- |
policy/modules/admin/shorewall.fc | 11 ----------- |
policy/modules/apps/java.fc | 5 ----- |
policy/modules/apps/mozilla.fc | 1 - |
policy/modules/contrib/ceph.if | 2 +- |
policy/modules/contrib/ceph.te | 2 +- |
policy/modules/contrib/dirsrv.if | 4 ++-- |
policy/modules/contrib/dirsrv.te | 4 ++-- |
policy/modules/contrib/dropbox.fc | 4 ---- |
policy/modules/contrib/dropbox.if | 1 + |
policy/modules/contrib/gorg.te | 4 ++-- |
policy/modules/contrib/links.if | 6 +++--- |
policy/modules/contrib/logsentry.te | 4 ++-- |
policy/modules/contrib/mutt.if | 4 ++-- |
policy/modules/contrib/nginx.if | 2 +- |
policy/modules/contrib/pan.te | 2 +- |
policy/modules/contrib/resolvconf.fc | 2 -- |
policy/modules/contrib/skype.if | 8 ++++---- |
policy/modules/contrib/uwsgi.if | 4 ++-- |
policy/modules/contrib/vde.if | 5 ++--- |
policy/modules/kernel/corecommands.fc | 18 ++++++++++++++++++ |
policy/modules/kernel/corenetwork.if.in | 18 ++++++------------ |
policy/modules/kernel/devices.if | 2 +- |
policy/modules/kernel/files.fc | 5 +++++ |
policy/modules/services/mysql.fc | 5 ----- |
policy/modules/services/networkmanager.if | 2 +- |
policy/modules/services/postgresql.if | 2 +- |
policy/modules/services/snmp.if | 4 ++-- |
policy/modules/system/init.te | 2 +- |
policy/modules/system/libraries.fc | 6 +++++- |
policy/modules/system/logging.if | 2 +- |
policy/modules/system/modutils.te | 2 +- |
33 files changed, 69 insertions(+), 79 deletions(-) |
|
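--- a/policy/modules/admin/portage.fc
+++ b/policy/modules/admin/portage.fc
@@ -2,7 +2,6 @@
 /etc/make\.globals -- gen_context(system_u:object_r:portage_conf_t,s0)
 /etc/make\.profile -l gen_context(system_u:object_r:portage_conf_t,s0)
 /etc/portage(/.*)? gen_context(system_u:object_r:portage_conf_t,s0)
-/etc/portage/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
 /etc/portage/gpg(/.*)? gen_context(system_u:object_r:portage_gpg_t,s0)
 
 /usr/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0)
@@ -11,11 +10,9 @@
 /usr/bin/layman -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
 /usr/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
 
-/usr/lib/portage/bin/ebuild -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/portage/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0)
 /usr/lib/portage/bin/emerge-webrsync -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
 /usr/lib/portage/bin/quickpkg -- gen_context(system_u:object_r:portage_exec_t,s0)
-/usr/lib/portage/bin/ebuild\.sh -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0)
 /usr/lib/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
 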
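--- a/policy/modules/admin/puppet.te
+++ b/policy/modules/admin/puppet.te
@@ -376,7 +376,7 @@ ifdef(`distro_gentoo',`
 # So, we duplicate the content of files_relabel_all_files except for
 # the policy configuration stuff and hope users do that through Portage
 
- gen_require(`
+ gen_require(` #selint-disable:S-001
 attribute file_type;
 attribute security_file_type;
 type policy_config_t;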
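--- a/policy/modules/admin/shorewall.fc
+++ b/policy/modules/admin/shorewall.fc
@@ -16,14 +16,3 @@
 /var/lock/subsys/shorewall -- gen_context(system_u:object_r:shorewall_lock_t,s0)
 
 /var/log/shorewall.* gen_context(system_u:object_r:shorewall_log_t,s0)
-
-ifdef(`distro_gentoo',`
-/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/shorewall/getparams -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/shorewall/wait4ifup -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
-')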
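--- a/policy/modules/apps/java.fc
+++ b/policy/modules/apps/java.fc
@@ -31,8 +31,3 @@ HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:java_home_t,s0)
 /usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
 
 /usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
-
-ifdef(`distro_gentoo',`
-# Running maven (mvn) command needs read access to this, yet the file is marked as bin_t otherwise
-/usr/share/maven-bin-[^/]*/bin/m2\.conf -- gen_context(system_u:object_r:usr_t,s0)
-')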
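--- a/policy/modules/apps/mozilla.fc
+++ b/policy/modules/apps/mozilla.fc
@@ -43,7 +43,6 @@ HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_
 /usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 /usr/lib/[^/]*firefox[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 
-/opt/firefox/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/firefox/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
 /opt/firefox/run-mozilla\.sh -- gen_context(system_u:object_r:mozilla_exec_t,s0)
 /opt/firefox/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)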
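--- a/policy/modules/contrib/ceph.if
+++ b/policy/modules/contrib/ceph.if
@@ -39,7 +39,7 @@ template(`ceph_domain_template',`
 # Rules which cannot be made part of the domain
 
 allow ceph_$1_t ceph_$1_runtime_t:file manage_file_perms;
- allow ceph_$1_t ceph_$1_runtime_t:sock_file manage_file_perms;
+ allow ceph_$1_t ceph_$1_runtime_t:sock_file manage_sock_file_perms;
 allow ceph_$1_t ceph_$1_data_t:dir manage_dir_perms;
 allow ceph_$1_t ceph_$1_data_t:file manage_file_perms;
 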
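--- a/policy/modules/contrib/ceph.te
+++ b/policy/modules/contrib/ceph.te
@@ -40,7 +40,7 @@ ceph_domain_template(osd)
 ceph_domain_template(mds)
 ceph_domain_template(mon)
 
-allow cephdomain self:fifo_file rw_file_perms;
+allow cephdomain self:fifo_file rw_fifo_file_perms;
 
 read_files_pattern(cephdomain, ceph_conf_t, { ceph_conf_t ceph_key_t })
 allow cephdomain ceph_log_t:dir manage_dir_perms;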
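--- a/policy/modules/contrib/dirsrv.if
+++ b/policy/modules/contrib/dirsrv.if
@@ -20,7 +20,7 @@ interface(`dirsrv_domtrans',`
 domain_auto_transition_pattern($1, dirsrv_exec_t, dirsrv_t)
 
 allow dirsrv_t $1:fd use;
- allow dirsrv_t $1:fifo_file rw_file_perms;
+ allow dirsrv_t $1:fifo_file rw_fifo_file_perms;
 allow dirsrv_t $1:process sigchld;
 ')
 
@@ -116,7 +116,7 @@ interface(`dirsrv_manage_var_run',`
 ')
 allow $1 dirsrv_runtime_t:dir manage_dir_perms;
 allow $1 dirsrv_runtime_t:file manage_file_perms;
- allow $1 dirsrv_runtime_t:sock_file manage_file_perms;
+ allow $1 dirsrv_runtime_t:sock_file manage_sock_file_perms;
 ')
 
 ######################################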
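--- a/policy/modules/contrib/dirsrv.te
+++ b/policy/modules/contrib/dirsrv.te
@@ -57,7 +57,7 @@ files_tmpfs_file(dirsrv_tmpfs_t)
 
 # shared files
 type dirsrv_share_t;
-files_type(dirsrv_share_t);
+files_type(dirsrv_share_t)
 
 ########################################
 #
@@ -188,7 +188,7 @@ files_runtime_filetrans(dirsrv_snmp_t, dirsrv_snmp_runtime_t, { file sock_file }
 search_dirs_pattern(dirsrv_snmp_t, dirsrv_runtime_t, dirsrv_runtime_t)
 
 # log file
-manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t);
+manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t)
 filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file)
 
 # Init script handling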
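--- a/policy/modules/contrib/dropbox.fc
+++ b/policy/modules/contrib/dropbox.fc
@@ -7,8 +7,4 @@ HOME_DIR/\.dropbox-master(/.*)? gen_context(system_u:object_r:dropbo
 HOME_DIR/\.dropbox-dist(/.*)?/dropboxd? -- gen_context(system_u:object_r:dropbox_exec_t,s0)
 
 /opt/bin/dropbox -l gen_context(system_u:object_r:dropbox_exec_t,s0)
-/opt/dropbox/.*py?\.?.*egg(/.*)? gen_context(system_u:object_r:lib_t,s0)
-/opt/dropbox/lib.*\.so\.[0-9]+ -- gen_context(system_u:object_r:lib_t,s0)
 /opt/dropbox/dropboxd? -- gen_context(system_u:object_r:dropbox_exec_t,s0)
-/opt/dropbox/library\.zip -l gen_context(system_u:object_r:lib_t,s0)
-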
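--- a/policy/modules/contrib/dropbox.if
+++ b/policy/modules/contrib/dropbox.if
@@ -18,6 +18,7 @@
 interface(`dropbox_role',`
 gen_require(`
 type dropbox_t;
+ type dropbox_content_t;
 type dropbox_exec_t;
 type dropbox_home_t;
 type dropbox_tmp_t;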
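Review bot: `type dropbox_content_t;` is added to the require block of dropbox_role, but the part of the interface body that would reference it lies outside the hunk, so it cannot be checked here that any rule uses it; if nothing does, the new line is exactly the kind of unused require this commit strips from links.if, skype.if and vde.if. Worth confirming the body rule exists and, if it grants $2 access to the user's synced content, reflecting that in the interface's summary comment above the require block.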
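--- a/policy/modules/contrib/gorg.te
+++ b/policy/modules/contrib/gorg.te
@@ -5,10 +5,10 @@ type gorg_exec_t;
 application_domain(gorg_t, gorg_exec_t)
 
 type gorg_cache_t;
-files_type(gorg_cache_t);
+files_type(gorg_cache_t)
 
 type gorg_config_t;
-files_type(gorg_config_t);
+files_type(gorg_config_t)
 
 ###################################
 #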
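--- a/policy/modules/contrib/links.if
+++ b/policy/modules/contrib/links.if
@@ -17,14 +17,14 @@
 #
 interface(`links_role',`
 gen_require(`
- type links_t, links_exec_t, links_tmpfs_t, links_home_t;
+ type links_t, links_exec_t, links_home_t;
 ')
 
 #######################################
 #
 # Declarations
 #
-
+
 role $1 types links_t;
 
 ############################
@@ -43,4 +43,4 @@ interface(`links_role',`
 domtrans_pattern($2, links_exec_t, links_t)
 
 ps_process_pattern($2, links_t)
-')
+')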
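--- a/policy/modules/contrib/logsentry.te
+++ b/policy/modules/contrib/logsentry.te
@@ -11,10 +11,10 @@ application_domain(logsentry_t, logsentry_exec_t)
 role system_r types logsentry_t;
 
 type logsentry_etc_t;
-files_type(logsentry_etc_t);
+files_type(logsentry_etc_t)
 
 type logsentry_tmp_t;
-files_tmp_file(logsentry_tmp_t);
+files_tmp_file(logsentry_tmp_t)
 
 type logsentry_filter_t;
 files_type(logsentry_filter_t)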
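--- a/policy/modules/contrib/mutt.if
+++ b/policy/modules/contrib/mutt.if
@@ -17,7 +17,7 @@
 #
 interface(`mutt_role',`
 gen_require(`
- type mutt_t, mutt_exec_t, mutt_home_t, mutt_conf_t, mutt_etc_t;
+ type mutt_t, mutt_exec_t, mutt_home_t, mutt_conf_t;
 type mutt_tmp_t;
 ')
 
@@ -99,6 +99,6 @@ interface(`mutt_rw_tmp_files',`
 
 # The use of rw_files_pattern here is not needed, since this incurs the open privilege as well
 allow $1 mutt_tmp_t:dir search_dir_perms;
- allow $1 mutt_tmp_t:file { read write };
+ allow $1 mutt_tmp_t:file rw_inherited_file_perms;
 files_search_tmp($1)
 ')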
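Review bot: `allow $1 mutt_tmp_t:file rw_inherited_file_perms;` grants more than the `{ read write }` it replaces: if rw_inherited_file_perms is defined as in refpolicy's obj_perm_sets.spt it also carries getattr, append, ioctl and lock, a widening that the commit message ("Fix selint issues") does not mention. The comment two lines above only explains why open is avoided, so it is worth extending it to say the inherited-descriptor set is intended, e.g. `# rw_inherited_file_perms: no open, but append/ioctl/lock on an already-open fd are fine`. The same widening applies to pan.te (`allow pan_t pan_tmpfs_t:file rw_inherited_file_perms;`) and init.te (`allow initrc_su_t initrc_devpts_t:chr_file rw_inherited_term_perms;`); logging.if's append_inherited_file_perms appears to match the explicit `{ getattr append ioctl lock }` it replaces, so no change there.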
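--- a/policy/modules/contrib/nginx.if
+++ b/policy/modules/contrib/nginx.if
@@ -57,7 +57,7 @@ interface(`nginx_domtrans',`
 type nginx_t, nginx_exec_t;
 ')
 allow nginx_t $1:fd use;
- allow nginx_t $1:fifo_file rw_file_perms;
+ allow nginx_t $1:fifo_file rw_fifo_file_perms;
 allow nginx_t $1:process sigchld;
 
 domain_auto_transition_pattern($1, nginx_exec_t, nginx_t)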
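--- a/policy/modules/contrib/pan.te
+++ b/policy/modules/contrib/pan.te
@@ -33,7 +33,7 @@ ubac_constrained(pan_tmpfs_t)
 #
 allow pan_t self:process { getsched signal };
 allow pan_t self:fifo_file rw_fifo_file_perms;
-allow pan_t pan_tmpfs_t:file { read write };
+allow pan_t pan_tmpfs_t:file rw_inherited_file_perms;
 
 # Allow pan to work with its ~/.pan2 location
 manage_dirs_pattern(pan_t, pan_home_t, pan_home_t)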
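--- a/policy/modules/contrib/resolvconf.fc
+++ b/policy/modules/contrib/resolvconf.fc
@@ -1,7 +1,5 @@
 /etc/resolvconf\.conf -- gen_context(system_u:object_r:resolvconf_conf_t,s0)
 
-/usr/lib/resolvconf(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
 /usr/sbin/resolvconf -- gen_context(system_u:object_r:resolvconf_exec_t,s0)
 
 /run/resolvconf(/.*)? gen_context(system_u:object_r:resolvconf_runtime_t,s0)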
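--- a/policy/modules/contrib/skype.if
+++ b/policy/modules/contrib/skype.if
@@ -17,11 +17,11 @@
 #
 interface(`skype_role',`
 gen_require(`
- type skype_t, skype_exec_t, skype_tmpfs_t, skype_home_t;
+ type skype_t, skype_exec_t, skype_home_t;
 ')
-
+
 role $1 types skype_t;
-
+
 domtrans_pattern($2, skype_exec_t, skype_t)
 
 allow $2 skype_t:process { ptrace signal_perms };
@@ -36,4 +36,4 @@ interface(`skype_role',`
 relabel_lnk_files_pattern($2, skype_home_t, skype_home_t)
 
 ps_process_pattern($2, skype_t)
-')
+')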
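--- a/policy/modules/contrib/uwsgi.if
+++ b/policy/modules/contrib/uwsgi.if
@@ -33,7 +33,7 @@ interface(`uwsgi_stream_connect',`
 #
 interface(`uwsgi_manage_content',`
 gen_require(`
- type uwsgi_content_t;
+ type uwsgi_content_t, uwsgi_content_exec_t;
 ')
 
 files_search_runtime($1)
@@ -81,7 +81,7 @@ interface(`uwsgi_domtrans',`
 #
 interface(`uwsgi_content_exec',`
 gen_require(`
- type uwsgi_content_exec_t;
+ type uwsgi_content_exec_t;
 ')
 
 corecmd_search_bin($1)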
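Review bot: `type uwsgi_content_t, uwsgi_content_exec_t;` in uwsgi_manage_content now requires an executable type inside a manage interface, which suggests the body (outside the hunk) lets $1 create or modify files that uwsgi later executes; if so, the interface's summary comment should state that, because a caller given manage rights over an exec type can influence what runs under uwsgi and reviewers granting this interface need to see that at a glance. In uwsgi_content_exec the require is narrowed to `type uwsgi_content_exec_t;` while the context line `corecmd_search_bin($1)` shows the body continues past the hunk, so the removal is only right if uwsgi_t and uwsgi_exec_t are indeed unreferenced further down.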
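--- a/policy/modules/contrib/vde.if
+++ b/policy/modules/contrib/vde.if
@@ -18,9 +18,8 @@
 #
 interface(`vde_role',`
 gen_require(`
- type vde_t, vde_tmp_t;
- type vde_runtime_t;
- type vde_initrc_exec_t, vde_exec_t;
+ type vde_t;
+ type vde_exec_t;
 ')
 
 role $1 types vde_t;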
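--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -115,6 +115,10 @@ ifdef(`distro_debian',`
 /etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0)
 ')
 
+ifdef(`distro_gentoo',`
+/etc/portage/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+')
+
 #
 # /opt
 #
@@ -391,6 +395,20 @@ ifdef(`distro_gentoo', `
 /usr/lib/rc/bin/.* -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/rc/sbin/.* -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/rc/sh/.* -- gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib/portage/bin/ebuild -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/portage/bin/ebuild\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/resolvconf(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/usr/share/mysql/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall/getparams -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall/wait4ifup -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
 ')
 
 ifdef(`distro_redhat', `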
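Review bot: `/etc/portage/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)` pairs the recursive `(/.*)?` pattern with the `--` regular-file qualifier, so the /etc/portage/bin directory itself never receives bin_t and only plain files beneath it do; the line is carried over from portage.fc unchanged, so this is pre-existing, but it now sits beside unqualified entries such as `/usr/share/shorewall-perl(/.*)?` that do label their directories. If the directory is meant to be searchable as bin_t, the way callers of corecmd_search_bin expect, drop the qualifier: `/etc/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)`; if only the scripts are meant, the `/usr/lib/rc/bin/.* --` form already used in this file says so without the misleading `(/.*)?`. Either way a one-line comment above the new ifdef block naming the intent would stop the next mover from "fixing" it the other way.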
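--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -1494,11 +1494,11 @@ interface(`corenet_udp_send_all_ports',`
 #
 interface(`corenet_sctp_bind_generic_port',`
 gen_require(`
- type port_t, unreserved_port_t, ephemeral_port_t;
+ type port_t, unreserved_port_t;
 attribute defined_port_type;
 ')
 
- allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind;
+ allow $1 { port_t unreserved_port_t }:sctp_socket name_bind;
 dontaudit $1 defined_port_type:sctp_socket name_bind;
 ')
 
@@ -1567,10 +1567,10 @@ interface(`corenet_udp_sendrecv_all_ports',`
 #
 interface(`corenet_dontaudit_sctp_bind_generic_port',`
 gen_require(`
- type port_t, unreserved_port_t, ephemeral_port_t;
+ type port_t, unreserved_port_t;
 ')
 
- dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind;
+ dontaudit $1 { port_t unreserved_port_t }:sctp_socket name_bind;
 ')
 
 ########################################
@@ -1641,10 +1641,10 @@ interface(`corenet_udp_bind_all_ports',`
 #
 interface(`corenet_sctp_connect_generic_port',`
 gen_require(`
- type port_t, unreserved_port_t,ephemeral_port_t;
+ type port_t, unreserved_port_t;
 ')
 
- allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_connect;
+ allow $1 { port_t unreserved_port_t }:sctp_socket name_connect;
 ')
 
 ########################################
@@ -3335,13 +3335,7 @@ interface(`corenet_relabelto_all_server_packets',`
 ## </param>
 #
 interface(`corenet_sctp_recvfrom_unlabeled',`
- gen_require(`
- attribute corenet_unlabeled_type;
- ')
-
 kernel_recvfrom_unlabeled_peer($1)
-
- typeattribute $1 corenet_unlabeled_type;
 kernel_sendrecv_unlabeled_association($1)
 ')
 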
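Review bot: Dropping ephemeral_port_t from `corenet_sctp_bind_generic_port`, `corenet_dontaudit_sctp_bind_generic_port` and `corenet_sctp_connect_generic_port`, and the `typeattribute $1 corenet_unlabeled_type;` line from `corenet_sctp_recvfrom_unlabeled`, changes what these interfaces grant rather than only how they are written, and neither the commit message nor a comment says why. Presumably selint reported the type and the attribute as undeclared because they no longer exist in corenetwork.te.in, in which case the TCP/UDP counterparts such as corenet_tcp_bind_generic_port already look like the new SCTP lines; that reasoning belongs in the message or in a short comment above the first allow, e.g. `# no ephemeral_port_t in this policy; mirrors corenet_tcp_bind_generic_port`, so a later reader does not take this for a silent permission change. If the type or attribute does still exist anywhere in the tree, the removal narrows SCTP policy for every caller and deserves its own commit.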
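--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -5630,6 +5630,6 @@ interface(`dev_dontaudit_read_usbmon_dev',`
 type usbmon_device_t;
 ')
 
- dontaudit $1 usbmon_device_t:chr_file read_file_perms;
+ dontaudit $1 usbmon_device_t:chr_file read_chr_file_perms;
 ')
 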
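--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -215,6 +215,11 @@ HOME_ROOT/lost\+found/.* <<none>>
 /usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0)
 /usr/share/docbook2X/xslt/man(/.*)? gen_context(system_u:object_r:usr_t,s0)
 
+ifdef(`distro_gentoo',`
+# Running maven (mvn) command needs read access to this, yet the file is marked as bin_t otherwise
+/usr/share/maven-bin-[^/]*/bin/m2\.conf -- gen_context(system_u:object_r:usr_t,s0)
+')
+
 /usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
 /usr/tmp/.* <<none>>
 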
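--- a/policy/modules/services/mysql.fc
+++ b/policy/modules/services/mysql.fc
@@ -30,8 +30,3 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
 /run/mysqld.* gen_context(system_u:object_r:mysqld_runtime_t,s0)
 /run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_runtime_t,s0)
 /run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_runtime_t,s0)
-
-
-ifdef(`distro_gentoo',`
-/usr/share/mysql/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
-')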
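--- a/policy/modules/services/networkmanager.if
+++ b/policy/modules/services/networkmanager.if
@@ -485,7 +485,7 @@ interface(`networkmanager_domtrans_wpa_cli',`
 #
 interface(`networkmanager_run_wpa_cli',`
 gen_require(`
- type wpa_cli_exec_t;
+ type wpa_cli_t;
 ')
 
 networkmanager_domtrans_wpa_cli($1)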
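--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -349,7 +349,7 @@ interface(`postgresql_exec',`
 type postgresql_exec_t;
 ')
 
- can_exec($1, postgresql_exec_t);
+ can_exec($1, postgresql_exec_t)
 ')
 
 ########################################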
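--- a/policy/modules/services/snmp.if
+++ b/policy/modules/services/snmp.if
@@ -193,8 +193,8 @@ interface(`snmp_admin',`
 #
 interface(`snmp_append_var_lib_files',`
 gen_require(`
- type snmp_var_lib_t;
+ type snmpd_var_lib_t;
 ')
 
- allow $1 snmp_var_lib_t:file append_file_perms;
+ allow $1 snmpd_var_lib_t:file append_file_perms;
 ')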
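--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1003,7 +1003,7 @@ ifdef(`enabled_mls',`
 # Allow initrc_su_t, now defined, to transition to postgresql_t
 postgresql_domtrans(initrc_su_t)
 # Allow initrc_su_t to use the initrc_devpts_t (needed for init script failure output)
- allow initrc_su_t initrc_devpts_t:chr_file { read write };
+ allow initrc_su_t initrc_devpts_t:chr_file rw_inherited_term_perms;
 ')
 ')
 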
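--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -60,10 +60,14 @@ ifdef(`distro_gentoo',`
 /opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)
 /opt/Acrobat[5-9]/Reader/intellinux/plug_ins3d/.*\.x3d -- gen_context(system_u:object_r:lib_t,s0)
 /opt/Acrobat[5-9]/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0)
+/opt/dropbox/.*py?\.?.*egg(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/opt/dropbox/lib.*\.so\.[0-9]+ -- gen_context(system_u:object_r:lib_t,s0)
+/opt/dropbox/library\.zip -l gen_context(system_u:object_r:lib_t,s0)
 
+/opt/firefox/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/netscape/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0)
 /opt/netscape/plugins/libflashplayer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/opt/netscape/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/netscape/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/RealPlayer/codecs(/.*)? gen_context(system_u:object_r:lib_t,s0)
 /opt/RealPlayer/common(/.*)? gen_context(system_u:object_r:lib_t,s0)
 /opt/RealPlayer/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)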
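--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -1068,7 +1068,7 @@ interface(`logging_append_all_inherited_logs',`
 attribute logfile;
 ')
 
- allow $1 logfile:file { getattr append ioctl lock };
+ allow $1 logfile:file append_inherited_file_perms;
 ')
 
 ########################################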
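--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -213,5 +213,5 @@ ifdef(`distro_gentoo',`
 
 # for /run/tmpfiles.d/kmod.conf
 tmpfiles_create_runtime_files(kmod_t)
- filetrans_add_pattern(kmod_t, tmpfiles_runtime_t, kmod_tmpfiles_conf_t, file)
+ filetrans_add_pattern(kmod_t, tmpfiles_runtime_t, kmod_tmpfiles_conf_t, file) #selint-disable:W-001
 ')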
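Review bot: `filetrans_add_pattern(kmod_t, tmpfiles_runtime_t, kmod_tmpfiles_conf_t, file) #selint-disable:W-001` silences the warning about a type used without a declaration instead of removing the cause: tmpfiles_runtime_t belongs to another module, so modutils should reach it through an interface in tmpfiles.if (the line above already does this with `tmpfiles_create_runtime_files(kmod_t)`) or at least through a gen_require, otherwise a modular build fails to link whenever the type is not visible. If no tmpfiles interface wraps this filetrans yet, adding one is the cleaner fix and keeps the module boundary intact; if the suppression is to stay, say why, e.g. `# direct type use: tmpfiles.if has no filetrans interface for this yet`. The enclosing ifdef(`distro_gentoo') block starts before the hunk.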