
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/apps/, policy/modules/kernel/, ...
Date: Tue, 13 Oct 2020 03:02:16
Message-Id: 1602467866.0b43c7867705de4ae377de61aefe59fe43e4486d.perfinion@gentoo
1 commit: 0b43c7867705de4ae377de61aefe59fe43e4486d
2 Author: Jason Zaman <perfinion <AT> gentoo <DOT> org>
3 AuthorDate: Mon Oct 12 00:58:21 2020 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Mon Oct 12 01:57:46 2020 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0b43c786
7
8 Fix selint issues
9
10 Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
11
12 policy/modules/admin/portage.fc | 3 ---
13 policy/modules/admin/puppet.te | 2 +-
14 policy/modules/admin/shorewall.fc | 11 -----------
15 policy/modules/apps/java.fc | 5 -----
16 policy/modules/apps/mozilla.fc | 1 -
17 policy/modules/contrib/ceph.if | 2 +-
18 policy/modules/contrib/ceph.te | 2 +-
19 policy/modules/contrib/dirsrv.if | 4 ++--
20 policy/modules/contrib/dirsrv.te | 4 ++--
21 policy/modules/contrib/dropbox.fc | 4 ----
22 policy/modules/contrib/dropbox.if | 1 +
23 policy/modules/contrib/gorg.te | 4 ++--
24 policy/modules/contrib/links.if | 6 +++---
25 policy/modules/contrib/logsentry.te | 4 ++--
26 policy/modules/contrib/mutt.if | 4 ++--
27 policy/modules/contrib/nginx.if | 2 +-
28 policy/modules/contrib/pan.te | 2 +-
29 policy/modules/contrib/resolvconf.fc | 2 --
30 policy/modules/contrib/skype.if | 8 ++++----
31 policy/modules/contrib/uwsgi.if | 4 ++--
32 policy/modules/contrib/vde.if | 5 ++---
33 policy/modules/kernel/corecommands.fc | 18 ++++++++++++++++++
34 policy/modules/kernel/corenetwork.if.in | 18 ++++++------------
35 policy/modules/kernel/devices.if | 2 +-
36 policy/modules/kernel/files.fc | 5 +++++
37 policy/modules/services/mysql.fc | 5 -----
38 policy/modules/services/networkmanager.if | 2 +-
39 policy/modules/services/postgresql.if | 2 +-
40 policy/modules/services/snmp.if | 4 ++--
41 policy/modules/system/init.te | 2 +-
42 policy/modules/system/libraries.fc | 6 +++++-
43 policy/modules/system/logging.if | 2 +-
44 policy/modules/system/modutils.te | 2 +-
45 33 files changed, 69 insertions(+), 79 deletions(-)
46
47 diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
48 index 6a7e4582..5757deaa 100644
49 --- a/policy/modules/admin/portage.fc
50 +++ b/policy/modules/admin/portage.fc
51 @@ -2,7 +2,6 @@
52 /etc/make\.globals -- gen_context(system_u:object_r:portage_conf_t,s0)
53 /etc/make\.profile -l gen_context(system_u:object_r:portage_conf_t,s0)
54 /etc/portage(/.*)? gen_context(system_u:object_r:portage_conf_t,s0)
55 -/etc/portage/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
56 /etc/portage/gpg(/.*)? gen_context(system_u:object_r:portage_gpg_t,s0)
57
58 /usr/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0)
59 @@ -11,11 +10,9 @@
60 /usr/bin/layman -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
61 /usr/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
62
63 -/usr/lib/portage/bin/ebuild -- gen_context(system_u:object_r:bin_t,s0)
64 /usr/lib/portage/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0)
65 /usr/lib/portage/bin/emerge-webrsync -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
66 /usr/lib/portage/bin/quickpkg -- gen_context(system_u:object_r:portage_exec_t,s0)
67 -/usr/lib/portage/bin/ebuild\.sh -- gen_context(system_u:object_r:bin_t,s0)
68 /usr/lib/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0)
69 /usr/lib/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
70
71
72 diff --git a/policy/modules/admin/puppet.te b/policy/modules/admin/puppet.te
73 index fdb2640b..e0e7127e 100644
74 --- a/policy/modules/admin/puppet.te
75 +++ b/policy/modules/admin/puppet.te
76 @@ -376,7 +376,7 @@ ifdef(`distro_gentoo',`
77 # So, we duplicate the content of files_relabel_all_files except for
78 # the policy configuration stuff and hope users do that through Portage
79
80 - gen_require(`
81 + gen_require(` #selint-disable:S-001
82 attribute file_type;
83 attribute security_file_type;
84 type policy_config_t;
85
86 diff --git a/policy/modules/admin/shorewall.fc b/policy/modules/admin/shorewall.fc
87 index aae46ecb..b18aab7e 100644
88 --- a/policy/modules/admin/shorewall.fc
89 +++ b/policy/modules/admin/shorewall.fc
90 @@ -16,14 +16,3 @@
91 /var/lock/subsys/shorewall -- gen_context(system_u:object_r:shorewall_lock_t,s0)
92
93 /var/log/shorewall.* gen_context(system_u:object_r:shorewall_log_t,s0)
94 -
95 -ifdef(`distro_gentoo',`
96 -/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
97 -/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
98 -/usr/share/shorewall/getparams -- gen_context(system_u:object_r:bin_t,s0)
99 -/usr/share/shorewall/wait4ifup -- gen_context(system_u:object_r:bin_t,s0)
100 -/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
101 -/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
102 -/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
103 -/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
104 -')
105
106 diff --git a/policy/modules/apps/java.fc b/policy/modules/apps/java.fc
107 index d0476be2..8b34cace 100644
108 --- a/policy/modules/apps/java.fc
109 +++ b/policy/modules/apps/java.fc
110 @@ -31,8 +31,3 @@ HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:java_home_t,s0)
111 /usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
112
113 /usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
114 -
115 -ifdef(`distro_gentoo',`
116 -# Running maven (mvn) command needs read access to this, yet the file is marked as bin_t otherwise
117 -/usr/share/maven-bin-[^/]*/bin/m2\.conf -- gen_context(system_u:object_r:usr_t,s0)
118 -')
119
120 diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc
121 index 3a16e166..87bdab59 100644
122 --- a/policy/modules/apps/mozilla.fc
123 +++ b/policy/modules/apps/mozilla.fc
124 @@ -43,7 +43,6 @@ HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_
125 /usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
126 /usr/lib/[^/]*firefox[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
127
128 -/opt/firefox/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
129 /opt/firefox/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
130 /opt/firefox/run-mozilla\.sh -- gen_context(system_u:object_r:mozilla_exec_t,s0)
131 /opt/firefox/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
132
133 diff --git a/policy/modules/contrib/ceph.if b/policy/modules/contrib/ceph.if
134 index b1e3208b..010c6b11 100644
135 --- a/policy/modules/contrib/ceph.if
136 +++ b/policy/modules/contrib/ceph.if
137 @@ -39,7 +39,7 @@ template(`ceph_domain_template',`
138 # Rules which cannot be made part of the domain
139
140 allow ceph_$1_t ceph_$1_runtime_t:file manage_file_perms;
141 - allow ceph_$1_t ceph_$1_runtime_t:sock_file manage_file_perms;
142 + allow ceph_$1_t ceph_$1_runtime_t:sock_file manage_sock_file_perms;
143 allow ceph_$1_t ceph_$1_data_t:dir manage_dir_perms;
144 allow ceph_$1_t ceph_$1_data_t:file manage_file_perms;
145
146
147 diff --git a/policy/modules/contrib/ceph.te b/policy/modules/contrib/ceph.te
148 index 99a0b193..b1994a53 100644
149 --- a/policy/modules/contrib/ceph.te
150 +++ b/policy/modules/contrib/ceph.te
151 @@ -40,7 +40,7 @@ ceph_domain_template(osd)
152 ceph_domain_template(mds)
153 ceph_domain_template(mon)
154
155 -allow cephdomain self:fifo_file rw_file_perms;
156 +allow cephdomain self:fifo_file rw_fifo_file_perms;
157
158 read_files_pattern(cephdomain, ceph_conf_t, { ceph_conf_t ceph_key_t })
159 allow cephdomain ceph_log_t:dir manage_dir_perms;
160
161 diff --git a/policy/modules/contrib/dirsrv.if b/policy/modules/contrib/dirsrv.if
162 index 332bf2f5..ac56f143 100644
163 --- a/policy/modules/contrib/dirsrv.if
164 +++ b/policy/modules/contrib/dirsrv.if
165 @@ -20,7 +20,7 @@ interface(`dirsrv_domtrans',`
166 domain_auto_transition_pattern($1, dirsrv_exec_t, dirsrv_t)
167
168 allow dirsrv_t $1:fd use;
169 - allow dirsrv_t $1:fifo_file rw_file_perms;
170 + allow dirsrv_t $1:fifo_file rw_fifo_file_perms;
171 allow dirsrv_t $1:process sigchld;
172 ')
173
174 @@ -116,7 +116,7 @@ interface(`dirsrv_manage_var_run',`
175 ')
176 allow $1 dirsrv_runtime_t:dir manage_dir_perms;
177 allow $1 dirsrv_runtime_t:file manage_file_perms;
178 - allow $1 dirsrv_runtime_t:sock_file manage_file_perms;
179 + allow $1 dirsrv_runtime_t:sock_file manage_sock_file_perms;
180 ')
181
182 ######################################
183
184 diff --git a/policy/modules/contrib/dirsrv.te b/policy/modules/contrib/dirsrv.te
185 index 36e2203b..80a24f24 100644
186 --- a/policy/modules/contrib/dirsrv.te
187 +++ b/policy/modules/contrib/dirsrv.te
188 @@ -57,7 +57,7 @@ files_tmpfs_file(dirsrv_tmpfs_t)
189
190 # shared files
191 type dirsrv_share_t;
192 -files_type(dirsrv_share_t);
193 +files_type(dirsrv_share_t)
194
195 ########################################
196 #
197 @@ -188,7 +188,7 @@ files_runtime_filetrans(dirsrv_snmp_t, dirsrv_snmp_runtime_t, { file sock_file }
198 search_dirs_pattern(dirsrv_snmp_t, dirsrv_runtime_t, dirsrv_runtime_t)
199
200 # log file
201 -manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t);
202 +manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t)
203 filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file)
204
205 # Init script handling
206
207 diff --git a/policy/modules/contrib/dropbox.fc b/policy/modules/contrib/dropbox.fc
208 index bcd85a60..1a9fdff7 100644
209 --- a/policy/modules/contrib/dropbox.fc
210 +++ b/policy/modules/contrib/dropbox.fc
211 @@ -7,8 +7,4 @@ HOME_DIR/\.dropbox-master(/.*)? gen_context(system_u:object_r:dropbo
212 HOME_DIR/\.dropbox-dist(/.*)?/dropboxd? -- gen_context(system_u:object_r:dropbox_exec_t,s0)
213
214 /opt/bin/dropbox -l gen_context(system_u:object_r:dropbox_exec_t,s0)
215 -/opt/dropbox/.*py?\.?.*egg(/.*)? gen_context(system_u:object_r:lib_t,s0)
216 -/opt/dropbox/lib.*\.so\.[0-9]+ -- gen_context(system_u:object_r:lib_t,s0)
217 /opt/dropbox/dropboxd? -- gen_context(system_u:object_r:dropbox_exec_t,s0)
218 -/opt/dropbox/library\.zip -l gen_context(system_u:object_r:lib_t,s0)
219 -
220
221 diff --git a/policy/modules/contrib/dropbox.if b/policy/modules/contrib/dropbox.if
222 index 51e9f88c..a010d912 100644
223 --- a/policy/modules/contrib/dropbox.if
224 +++ b/policy/modules/contrib/dropbox.if
225 @@ -18,6 +18,7 @@
226 interface(`dropbox_role',`
227 gen_require(`
228 type dropbox_t;
229 + type dropbox_content_t;
230 type dropbox_exec_t;
231 type dropbox_home_t;
232 type dropbox_tmp_t;
233
234 diff --git a/policy/modules/contrib/gorg.te b/policy/modules/contrib/gorg.te
235 index b0c8ae33..59befaaa 100644
236 --- a/policy/modules/contrib/gorg.te
237 +++ b/policy/modules/contrib/gorg.te
238 @@ -5,10 +5,10 @@ type gorg_exec_t;
239 application_domain(gorg_t, gorg_exec_t)
240
241 type gorg_cache_t;
242 -files_type(gorg_cache_t);
243 +files_type(gorg_cache_t)
244
245 type gorg_config_t;
246 -files_type(gorg_config_t);
247 +files_type(gorg_config_t)
248
249 ###################################
250 #
251
252 diff --git a/policy/modules/contrib/links.if b/policy/modules/contrib/links.if
253 index 61254fc3..b3ad618e 100644
254 --- a/policy/modules/contrib/links.if
255 +++ b/policy/modules/contrib/links.if
256 @@ -17,14 +17,14 @@
257 #
258 interface(`links_role',`
259 gen_require(`
260 - type links_t, links_exec_t, links_tmpfs_t, links_home_t;
261 + type links_t, links_exec_t, links_home_t;
262 ')
263
264 #######################################
265 #
266 # Declarations
267 #
268 -
269 +
270 role $1 types links_t;
271
272 ############################
273 @@ -43,4 +43,4 @@ interface(`links_role',`
274 domtrans_pattern($2, links_exec_t, links_t)
275
276 ps_process_pattern($2, links_t)
277 -')
278 +')
279
280 diff --git a/policy/modules/contrib/logsentry.te b/policy/modules/contrib/logsentry.te
281 index d80cdc8b..5863369b 100644
282 --- a/policy/modules/contrib/logsentry.te
283 +++ b/policy/modules/contrib/logsentry.te
284 @@ -11,10 +11,10 @@ application_domain(logsentry_t, logsentry_exec_t)
285 role system_r types logsentry_t;
286
287 type logsentry_etc_t;
288 -files_type(logsentry_etc_t);
289 +files_type(logsentry_etc_t)
290
291 type logsentry_tmp_t;
292 -files_tmp_file(logsentry_tmp_t);
293 +files_tmp_file(logsentry_tmp_t)
294
295 type logsentry_filter_t;
296 files_type(logsentry_filter_t)
297
298 diff --git a/policy/modules/contrib/mutt.if b/policy/modules/contrib/mutt.if
299 index eabe82e9..596b0fd1 100644
300 --- a/policy/modules/contrib/mutt.if
301 +++ b/policy/modules/contrib/mutt.if
302 @@ -17,7 +17,7 @@
303 #
304 interface(`mutt_role',`
305 gen_require(`
306 - type mutt_t, mutt_exec_t, mutt_home_t, mutt_conf_t, mutt_etc_t;
307 + type mutt_t, mutt_exec_t, mutt_home_t, mutt_conf_t;
308 type mutt_tmp_t;
309 ')
310
311 @@ -99,6 +99,6 @@ interface(`mutt_rw_tmp_files',`
312
313 # The use of rw_files_pattern here is not needed, since this incurs the open privilege as well
314 allow $1 mutt_tmp_t:dir search_dir_perms;
315 - allow $1 mutt_tmp_t:file { read write };
316 + allow $1 mutt_tmp_t:file rw_inherited_file_perms;
317 files_search_tmp($1)
318 ')
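Review bot: `allow $1 mutt_tmp_t:file rw_inherited_file_perms;` is not a pure respelling of `{ read write }`: in refpolicy's obj_perm_sets.spt that macro, as far as I recall, also carries getattr, append, ioctl and lock, so callers of mutt_rw_tmp_files gain permissions on inherited mutt temp files that the old rule did not grant. The widening is probably harmless and the comment above it already explains why the open-bearing rw_files_pattern is avoided, but a commit titled "Fix selint issues" that broadens an allow rule should say so in its message. Consider extending the existing comment with `# rw_inherited_file_perms (no open) is intentional: the descriptor is inherited from mutt_t`.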
319
320 diff --git a/policy/modules/contrib/nginx.if b/policy/modules/contrib/nginx.if
321 index b9066d97..d39b0964 100644
322 --- a/policy/modules/contrib/nginx.if
323 +++ b/policy/modules/contrib/nginx.if
324 @@ -57,7 +57,7 @@ interface(`nginx_domtrans',`
325 type nginx_t, nginx_exec_t;
326 ')
327 allow nginx_t $1:fd use;
328 - allow nginx_t $1:fifo_file rw_file_perms;
329 + allow nginx_t $1:fifo_file rw_fifo_file_perms;
330 allow nginx_t $1:process sigchld;
331
332 domain_auto_transition_pattern($1, nginx_exec_t, nginx_t)
333
334 diff --git a/policy/modules/contrib/pan.te b/policy/modules/contrib/pan.te
335 index 48b07b85..ad60d29d 100644
336 --- a/policy/modules/contrib/pan.te
337 +++ b/policy/modules/contrib/pan.te
338 @@ -33,7 +33,7 @@ ubac_constrained(pan_tmpfs_t)
339 #
340 allow pan_t self:process { getsched signal };
341 allow pan_t self:fifo_file rw_fifo_file_perms;
342 -allow pan_t pan_tmpfs_t:file { read write };
343 +allow pan_t pan_tmpfs_t:file rw_inherited_file_perms;
344
345 # Allow pan to work with its ~/.pan2 location
346 manage_dirs_pattern(pan_t, pan_home_t, pan_home_t)
347
348 diff --git a/policy/modules/contrib/resolvconf.fc b/policy/modules/contrib/resolvconf.fc
349 index 51383c24..fcfa9b7d 100644
350 --- a/policy/modules/contrib/resolvconf.fc
351 +++ b/policy/modules/contrib/resolvconf.fc
352 @@ -1,7 +1,5 @@
353 /etc/resolvconf\.conf -- gen_context(system_u:object_r:resolvconf_conf_t,s0)
354
355 -/usr/lib/resolvconf(/.*)? gen_context(system_u:object_r:bin_t,s0)
356 -
357 /usr/sbin/resolvconf -- gen_context(system_u:object_r:resolvconf_exec_t,s0)
358
359 /run/resolvconf(/.*)? gen_context(system_u:object_r:resolvconf_runtime_t,s0)
360
361 diff --git a/policy/modules/contrib/skype.if b/policy/modules/contrib/skype.if
362 index 789b8f8a..88c9849c 100644
363 --- a/policy/modules/contrib/skype.if
364 +++ b/policy/modules/contrib/skype.if
365 @@ -17,11 +17,11 @@
366 #
367 interface(`skype_role',`
368 gen_require(`
369 - type skype_t, skype_exec_t, skype_tmpfs_t, skype_home_t;
370 + type skype_t, skype_exec_t, skype_home_t;
371 ')
372 -
373 +
374 role $1 types skype_t;
375 -
376 +
377 domtrans_pattern($2, skype_exec_t, skype_t)
378
379 allow $2 skype_t:process { ptrace signal_perms };
380 @@ -36,4 +36,4 @@ interface(`skype_role',`
381 relabel_lnk_files_pattern($2, skype_home_t, skype_home_t)
382
383 ps_process_pattern($2, skype_t)
384 -')
385 +')
386
387 diff --git a/policy/modules/contrib/uwsgi.if b/policy/modules/contrib/uwsgi.if
388 index c6b39de5..f5a54aa7 100644
389 --- a/policy/modules/contrib/uwsgi.if
390 +++ b/policy/modules/contrib/uwsgi.if
391 @@ -33,7 +33,7 @@ interface(`uwsgi_stream_connect',`
392 #
393 interface(`uwsgi_manage_content',`
394 gen_require(`
395 - type uwsgi_content_t;
396 + type uwsgi_content_t, uwsgi_content_exec_t;
397 ')
398
399 files_search_runtime($1)
400 @@ -81,7 +81,7 @@ interface(`uwsgi_domtrans',`
401 #
402 interface(`uwsgi_content_exec',`
403 gen_require(`
404 - type uwsgi_t, uwsgi_exec_t, uwsgi_content_exec_t;
405 + type uwsgi_content_exec_t;
406 ')
407
408 corecmd_search_bin($1)
409
410 diff --git a/policy/modules/contrib/vde.if b/policy/modules/contrib/vde.if
411 index 01579707..437b65ed 100644
412 --- a/policy/modules/contrib/vde.if
413 +++ b/policy/modules/contrib/vde.if
414 @@ -18,9 +18,8 @@
415 #
416 interface(`vde_role',`
417 gen_require(`
418 - type vde_t, vde_tmp_t;
419 - type vde_runtime_t;
420 - type vde_initrc_exec_t, vde_exec_t;
421 + type vde_t;
422 + type vde_exec_t;
423 ')
424
425 role $1 types vde_t;
426
427 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
428 index 07a09873..48540ef9 100644
429 --- a/policy/modules/kernel/corecommands.fc
430 +++ b/policy/modules/kernel/corecommands.fc
431 @@ -115,6 +115,10 @@ ifdef(`distro_debian',`
432 /etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0)
433 ')
434
435 +ifdef(`distro_gentoo',`
436 +/etc/portage/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
437 +')
438 +
439 #
440 # /opt
441 #
442 @@ -391,6 +395,20 @@ ifdef(`distro_gentoo', `
443 /usr/lib/rc/bin/.* -- gen_context(system_u:object_r:bin_t,s0)
444 /usr/lib/rc/sbin/.* -- gen_context(system_u:object_r:bin_t,s0)
445 /usr/lib/rc/sh/.* -- gen_context(system_u:object_r:bin_t,s0)
446 +
447 +/usr/lib/portage/bin/ebuild -- gen_context(system_u:object_r:bin_t,s0)
448 +/usr/lib/portage/bin/ebuild\.sh -- gen_context(system_u:object_r:bin_t,s0)
449 +/usr/lib/resolvconf(/.*)? gen_context(system_u:object_r:bin_t,s0)
450 +
451 +/usr/share/mysql/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
452 +/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
453 +/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
454 +/usr/share/shorewall/getparams -- gen_context(system_u:object_r:bin_t,s0)
455 +/usr/share/shorewall/wait4ifup -- gen_context(system_u:object_r:bin_t,s0)
456 +/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
457 +/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
458 +/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
459 +/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
460 ')
461
462 ifdef(`distro_redhat', `
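Review bot: `/usr/lib/resolvconf(/.*)? gen_context(system_u:object_r:bin_t,s0)` now sits inside the ifdef(`distro_gentoo') block that this hunk closes at `')`, but the line it replaces in resolvconf.fc was unconditional, so non-Gentoo builds lose the bin_t label on the resolvconf helper scripts and, if resolvconf_t executes them via corecmd_exec_bin, that access stops covering them. The other relocated paths (portage, mysql scripts, shorewall) were already Gentoo-only in their original modules, so this is the one entry whose behaviour changes; either place it above the ifdef or state in the commit message that it is intentionally Gentoo-only. The ifdef(`distro_gentoo') block opens before this hunk.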
463
464 diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
465 index 7b77d8d8..65e54854 100644
466 --- a/policy/modules/kernel/corenetwork.if.in
467 +++ b/policy/modules/kernel/corenetwork.if.in
468 @@ -1494,11 +1494,11 @@ interface(`corenet_udp_send_all_ports',`
469 #
470 interface(`corenet_sctp_bind_generic_port',`
471 gen_require(`
472 - type port_t, unreserved_port_t, ephemeral_port_t;
473 + type port_t, unreserved_port_t;
474 attribute defined_port_type;
475 ')
476
477 - allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind;
478 + allow $1 { port_t unreserved_port_t }:sctp_socket name_bind;
479 dontaudit $1 defined_port_type:sctp_socket name_bind;
480 ')
481
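Review bot: Dropping `ephemeral_port_t` from `allow $1 { port_t unreserved_port_t }:sctp_socket name_bind;` narrows what callers of corenet_sctp_bind_generic_port may bind to, which is a policy change rather than a lint cleanup, and the commit message does not mention it. If ephemeral_port_t is simply not declared in this policy (the tcp and udp generic-port interfaces in refpolicy, to my recollection, use only port_t and unreserved_port_t), then the old rule could never have linked and the removal is a no-op that deserves one sentence in the message; if the type does exist here, SCTP servers that bind in the ephemeral range will now need a separate interface. The same removal is repeated in the dontaudit and name_connect hunks below, so a single explanation covers all three.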
482 @@ -1567,10 +1567,10 @@ interface(`corenet_udp_sendrecv_all_ports',`
483 #
484 interface(`corenet_dontaudit_sctp_bind_generic_port',`
485 gen_require(`
486 - type port_t, unreserved_port_t, ephemeral_port_t;
487 + type port_t, unreserved_port_t;
488 ')
489
490 - dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind;
491 + dontaudit $1 { port_t unreserved_port_t }:sctp_socket name_bind;
492 ')
493
494 ########################################
495 @@ -1641,10 +1641,10 @@ interface(`corenet_udp_bind_all_ports',`
496 #
497 interface(`corenet_sctp_connect_generic_port',`
498 gen_require(`
499 - type port_t, unreserved_port_t,ephemeral_port_t;
500 + type port_t, unreserved_port_t;
501 ')
502
503 - allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_connect;
504 + allow $1 { port_t unreserved_port_t }:sctp_socket name_connect;
505 ')
506
507 ########################################
508 @@ -3335,13 +3335,7 @@ interface(`corenet_relabelto_all_server_packets',`
509 ## </param>
510 #
511 interface(`corenet_sctp_recvfrom_unlabeled',`
512 - gen_require(`
513 - attribute corenet_unlabeled_type;
514 - ')
515 -
516 kernel_recvfrom_unlabeled_peer($1)
517 -
518 - typeattribute $1 corenet_unlabeled_type;
519 kernel_sendrecv_unlabeled_association($1)
520 ')
521
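Review bot: Removing `typeattribute $1 corenet_unlabeled_type;` takes callers of corenet_sctp_recvfrom_unlabeled out of the corenet_unlabeled_type attribute, so they lose whatever rules corenetwork.te.in grants to that attribute (not visible here), not merely a redundant require block; that is a semantic change hidden under "Fix selint issues". If those attribute rules do not cover sctp_socket and the two kernel_* calls are all an SCTP peer needs, this is a least-privilege improvement worth a sentence in the commit message; otherwise the typeattribute should stay. A comment above the body such as `# SCTP peers only need the kernel unlabeled peer/association rules; corenet_unlabeled_type covers the other socket classes` would stop a later cleanup from re-adding it.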
522
523 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
524 index 1fae36ed..474b4035 100644
525 --- a/policy/modules/kernel/devices.if
526 +++ b/policy/modules/kernel/devices.if
527 @@ -5630,6 +5630,6 @@ interface(`dev_dontaudit_read_usbmon_dev',`
528 type usbmon_device_t;
529 ')
530
531 - dontaudit $1 usbmon_device_t:chr_file read_file_perms;
532 + dontaudit $1 usbmon_device_t:chr_file read_chr_file_perms;
533 ')
534
535
536 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
537 index 1bec89a0..d7b46a3d 100644
538 --- a/policy/modules/kernel/files.fc
539 +++ b/policy/modules/kernel/files.fc
540 @@ -215,6 +215,11 @@ HOME_ROOT/lost\+found/.* <<none>>
541 /usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0)
542 /usr/share/docbook2X/xslt/man(/.*)? gen_context(system_u:object_r:usr_t,s0)
543
544 +ifdef(`distro_gentoo',`
545 +# Running maven (mvn) command needs read access to this, yet the file is marked as bin_t otherwise
546 +/usr/share/maven-bin-[^/]*/bin/m2\.conf -- gen_context(system_u:object_r:usr_t,s0)
547 +')
548 +
549 /usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
550 /usr/tmp/.* <<none>>
551
552
553 diff --git a/policy/modules/services/mysql.fc b/policy/modules/services/mysql.fc
554 index e1f090fa..7739d36d 100644
555 --- a/policy/modules/services/mysql.fc
556 +++ b/policy/modules/services/mysql.fc
557 @@ -30,8 +30,3 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
558 /run/mysqld.* gen_context(system_u:object_r:mysqld_runtime_t,s0)
559 /run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_runtime_t,s0)
560 /run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_runtime_t,s0)
561 -
562 -
563 -ifdef(`distro_gentoo',`
564 -/usr/share/mysql/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
565 -')
566
567 diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if
568 index 2897a484..de48cdbe 100644
569 --- a/policy/modules/services/networkmanager.if
570 +++ b/policy/modules/services/networkmanager.if
571 @@ -485,7 +485,7 @@ interface(`networkmanager_domtrans_wpa_cli',`
572 #
573 interface(`networkmanager_run_wpa_cli',`
574 gen_require(`
575 - type wpa_cli_exec_t;
576 + type wpa_cli_t;
577 ')
578
579 networkmanager_domtrans_wpa_cli($1)
580
581 diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
582 index 6089d18d..c8b31909 100644
583 --- a/policy/modules/services/postgresql.if
584 +++ b/policy/modules/services/postgresql.if
585 @@ -349,7 +349,7 @@ interface(`postgresql_exec',`
586 type postgresql_exec_t;
587 ')
588
589 - can_exec($1, postgresql_exec_t);
590 + can_exec($1, postgresql_exec_t)
591 ')
592
593 ########################################
594
595 diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if
596 index a945c50e..4d4bf888 100644
597 --- a/policy/modules/services/snmp.if
598 +++ b/policy/modules/services/snmp.if
599 @@ -193,8 +193,8 @@ interface(`snmp_admin',`
600 #
601 interface(`snmp_append_var_lib_files',`
602 gen_require(`
603 - type snmp_var_lib_t;
604 + type snmpd_var_lib_t;
605 ')
606
607 - allow $1 snmp_var_lib_t:file append_file_perms;
608 + allow $1 snmpd_var_lib_t:file append_file_perms;
609 ')
610
611 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
612 index eb78df9a..b52eaddb 100644
613 --- a/policy/modules/system/init.te
614 +++ b/policy/modules/system/init.te
615 @@ -1003,7 +1003,7 @@ ifdef(`enabled_mls',`
616 # Allow initrc_su_t, now defined, to transition to postgresql_t
617 postgresql_domtrans(initrc_su_t)
618 # Allow initrc_su_t to use the initrc_devpts_t (needed for init script failure output)
619 - allow initrc_su_t initrc_devpts_t:chr_file { read write };
620 + allow initrc_su_t initrc_devpts_t:chr_file rw_inherited_term_perms;
621 ')
622 ')
623
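Review bot: `allow initrc_su_t initrc_devpts_t:chr_file rw_inherited_term_perms;` broadens the old `{ read write }` grant — rw_inherited_term_perms in obj_perm_sets.spt also includes getattr, append and ioctl, if I recall it correctly — and does so inside the enabled_mls branch, where terminal ioctl access on an inherited pty is exactly the kind of permission MLS deployments audit. It is very likely the right macro given the comment says the pty is only used for init-script failure output, but the extra permissions should be mentioned in the commit message rather than riding along under "Fix selint issues". The enclosing ifdef blocks start outside this hunk.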
624
625 diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
626 index 3cdc22f9..757b18bc 100644
627 --- a/policy/modules/system/libraries.fc
628 +++ b/policy/modules/system/libraries.fc
629 @@ -60,10 +60,14 @@ ifdef(`distro_gentoo',`
630 /opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)
631 /opt/Acrobat[5-9]/Reader/intellinux/plug_ins3d/.*\.x3d -- gen_context(system_u:object_r:lib_t,s0)
632 /opt/Acrobat[5-9]/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0)
633 +/opt/dropbox/.*py?\.?.*egg(/.*)? gen_context(system_u:object_r:lib_t,s0)
634 +/opt/dropbox/lib.*\.so\.[0-9]+ -- gen_context(system_u:object_r:lib_t,s0)
635 +/opt/dropbox/library\.zip -l gen_context(system_u:object_r:lib_t,s0)
636
637 +/opt/firefox/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
638 /opt/netscape/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0)
639 /opt/netscape/plugins/libflashplayer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
640 -/opt/netscape/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
641 +/opt/netscape/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
642 /opt/RealPlayer/codecs(/.*)? gen_context(system_u:object_r:lib_t,s0)
643 /opt/RealPlayer/common(/.*)? gen_context(system_u:object_r:lib_t,s0)
644 /opt/RealPlayer/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
645
646 diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
647 index ae993536..0f6efef8 100644
648 --- a/policy/modules/system/logging.if
649 +++ b/policy/modules/system/logging.if
650 @@ -1068,7 +1068,7 @@ interface(`logging_append_all_inherited_logs',`
651 attribute logfile;
652 ')
653
654 - allow $1 logfile:file { getattr append ioctl lock };
655 + allow $1 logfile:file append_inherited_file_perms;
656 ')
657
658 ########################################
659
660 diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
661 index 9e7fd769..e002e6e3 100644
662 --- a/policy/modules/system/modutils.te
663 +++ b/policy/modules/system/modutils.te
664 @@ -213,5 +213,5 @@ ifdef(`distro_gentoo',`
665
666 # for /run/tmpfiles.d/kmod.conf
667 tmpfiles_create_runtime_files(kmod_t)
668 - filetrans_add_pattern(kmod_t, tmpfiles_runtime_t, kmod_tmpfiles_conf_t, file)
669 + filetrans_add_pattern(kmod_t, tmpfiles_runtime_t, kmod_tmpfiles_conf_t, file) #selint-disable:W-001
670 ')
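Review bot: `#selint-disable:W-001` silences the warning that `tmpfiles_runtime_t` is used in modutils.te without being required, but the reference still works only because the preceding `tmpfiles_create_runtime_files(kmod_t)` call happens to pull that type into the module's require set, a coupling nothing in this file states. The cleaner fix is an interface in tmpfiles.if that performs the filetrans on behalf of the caller so the type stays private to the tmpfiles module (a bare gen_require here would only trade W-001 for the S-001 the puppet hunk had to suppress). If the disable is kept, add a reason next to it, e.g. `# tmpfiles_runtime_t is brought into scope by tmpfiles_create_runtime_files() above`. The enclosing ifdef(`distro_gentoo') starts outside this hunk.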