| 1 |
commit: 0b43c7867705de4ae377de61aefe59fe43e4486d |
| 2 |
Author: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Mon Oct 12 00:58:21 2020 +0000 |
| 4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Mon Oct 12 01:57:46 2020 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0b43c786 |
| 7 |
|
| 8 |
Fix selint issues |
| 9 |
|
| 10 |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
| 11 |
|
| 12 |
policy/modules/admin/portage.fc | 3 --- |
| 13 |
policy/modules/admin/puppet.te | 2 +- |
| 14 |
policy/modules/admin/shorewall.fc | 11 ----------- |
| 15 |
policy/modules/apps/java.fc | 5 ----- |
| 16 |
policy/modules/apps/mozilla.fc | 1 - |
| 17 |
policy/modules/contrib/ceph.if | 2 +- |
| 18 |
policy/modules/contrib/ceph.te | 2 +- |
| 19 |
policy/modules/contrib/dirsrv.if | 4 ++-- |
| 20 |
policy/modules/contrib/dirsrv.te | 4 ++-- |
| 21 |
policy/modules/contrib/dropbox.fc | 4 ---- |
| 22 |
policy/modules/contrib/dropbox.if | 1 + |
| 23 |
policy/modules/contrib/gorg.te | 4 ++-- |
| 24 |
policy/modules/contrib/links.if | 6 +++--- |
| 25 |
policy/modules/contrib/logsentry.te | 4 ++-- |
| 26 |
policy/modules/contrib/mutt.if | 4 ++-- |
| 27 |
policy/modules/contrib/nginx.if | 2 +- |
| 28 |
policy/modules/contrib/pan.te | 2 +- |
| 29 |
policy/modules/contrib/resolvconf.fc | 2 -- |
| 30 |
policy/modules/contrib/skype.if | 8 ++++---- |
| 31 |
policy/modules/contrib/uwsgi.if | 4 ++-- |
| 32 |
policy/modules/contrib/vde.if | 5 ++--- |
| 33 |
policy/modules/kernel/corecommands.fc | 18 ++++++++++++++++++ |
| 34 |
policy/modules/kernel/corenetwork.if.in | 18 ++++++------------ |
| 35 |
policy/modules/kernel/devices.if | 2 +- |
| 36 |
policy/modules/kernel/files.fc | 5 +++++ |
| 37 |
policy/modules/services/mysql.fc | 5 ----- |
| 38 |
policy/modules/services/networkmanager.if | 2 +- |
| 39 |
policy/modules/services/postgresql.if | 2 +- |
| 40 |
policy/modules/services/snmp.if | 4 ++-- |
| 41 |
policy/modules/system/init.te | 2 +- |
| 42 |
policy/modules/system/libraries.fc | 6 +++++- |
| 43 |
policy/modules/system/logging.if | 2 +- |
| 44 |
policy/modules/system/modutils.te | 2 +- |
| 45 |
33 files changed, 69 insertions(+), 79 deletions(-) |
| 46 |
|
| 47 |
diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc |
| 48 |
index 6a7e4582..5757deaa 100644 |
| 49 |
--- a/policy/modules/admin/portage.fc |
| 50 |
+++ b/policy/modules/admin/portage.fc |
| 51 |
@@ -2,7 +2,6 @@ |
| 52 |
/etc/make\.globals -- gen_context(system_u:object_r:portage_conf_t,s0) |
| 53 |
/etc/make\.profile -l gen_context(system_u:object_r:portage_conf_t,s0) |
| 54 |
/etc/portage(/.*)? gen_context(system_u:object_r:portage_conf_t,s0) |
| 55 |
-/etc/portage/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) |
| 56 |
/etc/portage/gpg(/.*)? gen_context(system_u:object_r:portage_gpg_t,s0) |
| 57 |
|
| 58 |
/usr/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0) |
| 59 |
@@ -11,11 +10,9 @@ |
| 60 |
/usr/bin/layman -- gen_context(system_u:object_r:portage_fetch_exec_t,s0) |
| 61 |
/usr/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0) |
| 62 |
|
| 63 |
-/usr/lib/portage/bin/ebuild -- gen_context(system_u:object_r:bin_t,s0) |
| 64 |
/usr/lib/portage/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0) |
| 65 |
/usr/lib/portage/bin/emerge-webrsync -- gen_context(system_u:object_r:portage_fetch_exec_t,s0) |
| 66 |
/usr/lib/portage/bin/quickpkg -- gen_context(system_u:object_r:portage_exec_t,s0) |
| 67 |
-/usr/lib/portage/bin/ebuild\.sh -- gen_context(system_u:object_r:bin_t,s0) |
| 68 |
/usr/lib/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0) |
| 69 |
/usr/lib/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0) |
| 70 |
|
| 71 |
|
| 72 |
diff --git a/policy/modules/admin/puppet.te b/policy/modules/admin/puppet.te |
| 73 |
index fdb2640b..e0e7127e 100644 |
| 74 |
--- a/policy/modules/admin/puppet.te |
| 75 |
+++ b/policy/modules/admin/puppet.te |
| 76 |
@@ -376,7 +376,7 @@ ifdef(`distro_gentoo',` |
| 77 |
# So, we duplicate the content of files_relabel_all_files except for |
| 78 |
# the policy configuration stuff and hope users do that through Portage |
| 79 |
|
| 80 |
- gen_require(` |
| 81 |
+ gen_require(` #selint-disable:S-001 |
| 82 |
attribute file_type; |
| 83 |
attribute security_file_type; |
| 84 |
type policy_config_t; |
| 85 |
|
| 86 |
diff --git a/policy/modules/admin/shorewall.fc b/policy/modules/admin/shorewall.fc |
| 87 |
index aae46ecb..b18aab7e 100644 |
| 88 |
--- a/policy/modules/admin/shorewall.fc |
| 89 |
+++ b/policy/modules/admin/shorewall.fc |
| 90 |
@@ -16,14 +16,3 @@ |
| 91 |
/var/lock/subsys/shorewall -- gen_context(system_u:object_r:shorewall_lock_t,s0) |
| 92 |
|
| 93 |
/var/log/shorewall.* gen_context(system_u:object_r:shorewall_log_t,s0) |
| 94 |
- |
| 95 |
-ifdef(`distro_gentoo',` |
| 96 |
-/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) |
| 97 |
-/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) |
| 98 |
-/usr/share/shorewall/getparams -- gen_context(system_u:object_r:bin_t,s0) |
| 99 |
-/usr/share/shorewall/wait4ifup -- gen_context(system_u:object_r:bin_t,s0) |
| 100 |
-/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) |
| 101 |
-/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) |
| 102 |
-/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) |
| 103 |
-/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) |
| 104 |
-') |
| 105 |
|
| 106 |
diff --git a/policy/modules/apps/java.fc b/policy/modules/apps/java.fc |
| 107 |
index d0476be2..8b34cace 100644 |
| 108 |
--- a/policy/modules/apps/java.fc |
| 109 |
+++ b/policy/modules/apps/java.fc |
| 110 |
@@ -31,8 +31,3 @@ HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:java_home_t,s0) |
| 111 |
/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) |
| 112 |
|
| 113 |
/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) |
| 114 |
- |
| 115 |
-ifdef(`distro_gentoo',` |
| 116 |
-# Running maven (mvn) command needs read access to this, yet the file is marked as bin_t otherwise |
| 117 |
-/usr/share/maven-bin-[^/]*/bin/m2\.conf -- gen_context(system_u:object_r:usr_t,s0) |
| 118 |
-') |
| 119 |
|
| 120 |
diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc |
| 121 |
index 3a16e166..87bdab59 100644 |
| 122 |
--- a/policy/modules/apps/mozilla.fc |
| 123 |
+++ b/policy/modules/apps/mozilla.fc |
| 124 |
@@ -43,7 +43,6 @@ HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_ |
| 125 |
/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) |
| 126 |
/usr/lib/[^/]*firefox[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) |
| 127 |
|
| 128 |
-/opt/firefox/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) |
| 129 |
/opt/firefox/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) |
| 130 |
/opt/firefox/run-mozilla\.sh -- gen_context(system_u:object_r:mozilla_exec_t,s0) |
| 131 |
/opt/firefox/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) |
| 132 |
|
| 133 |
diff --git a/policy/modules/contrib/ceph.if b/policy/modules/contrib/ceph.if |
| 134 |
index b1e3208b..010c6b11 100644 |
| 135 |
--- a/policy/modules/contrib/ceph.if |
| 136 |
+++ b/policy/modules/contrib/ceph.if |
| 137 |
@@ -39,7 +39,7 @@ template(`ceph_domain_template',` |
| 138 |
# Rules which cannot be made part of the domain |
| 139 |
|
| 140 |
allow ceph_$1_t ceph_$1_runtime_t:file manage_file_perms; |
| 141 |
- allow ceph_$1_t ceph_$1_runtime_t:sock_file manage_file_perms; |
| 142 |
+ allow ceph_$1_t ceph_$1_runtime_t:sock_file manage_sock_file_perms; |
| 143 |
allow ceph_$1_t ceph_$1_data_t:dir manage_dir_perms; |
| 144 |
allow ceph_$1_t ceph_$1_data_t:file manage_file_perms; |
| 145 |
|
| 146 |
|
| 147 |
diff --git a/policy/modules/contrib/ceph.te b/policy/modules/contrib/ceph.te |
| 148 |
index 99a0b193..b1994a53 100644 |
| 149 |
--- a/policy/modules/contrib/ceph.te |
| 150 |
+++ b/policy/modules/contrib/ceph.te |
| 151 |
@@ -40,7 +40,7 @@ ceph_domain_template(osd) |
| 152 |
ceph_domain_template(mds) |
| 153 |
ceph_domain_template(mon) |
| 154 |
|
| 155 |
-allow cephdomain self:fifo_file rw_file_perms; |
| 156 |
+allow cephdomain self:fifo_file rw_fifo_file_perms; |
| 157 |
|
| 158 |
read_files_pattern(cephdomain, ceph_conf_t, { ceph_conf_t ceph_key_t }) |
| 159 |
allow cephdomain ceph_log_t:dir manage_dir_perms; |
| 160 |
|
| 161 |
diff --git a/policy/modules/contrib/dirsrv.if b/policy/modules/contrib/dirsrv.if |
| 162 |
index 332bf2f5..ac56f143 100644 |
| 163 |
--- a/policy/modules/contrib/dirsrv.if |
| 164 |
+++ b/policy/modules/contrib/dirsrv.if |
| 165 |
@@ -20,7 +20,7 @@ interface(`dirsrv_domtrans',` |
| 166 |
domain_auto_transition_pattern($1, dirsrv_exec_t, dirsrv_t) |
| 167 |
|
| 168 |
allow dirsrv_t $1:fd use; |
| 169 |
- allow dirsrv_t $1:fifo_file rw_file_perms; |
| 170 |
+ allow dirsrv_t $1:fifo_file rw_fifo_file_perms; |
| 171 |
allow dirsrv_t $1:process sigchld; |
| 172 |
') |
| 173 |
|
| 174 |
@@ -116,7 +116,7 @@ interface(`dirsrv_manage_var_run',` |
| 175 |
') |
| 176 |
allow $1 dirsrv_runtime_t:dir manage_dir_perms; |
| 177 |
allow $1 dirsrv_runtime_t:file manage_file_perms; |
| 178 |
- allow $1 dirsrv_runtime_t:sock_file manage_file_perms; |
| 179 |
+ allow $1 dirsrv_runtime_t:sock_file manage_sock_file_perms; |
| 180 |
') |
| 181 |
|
| 182 |
###################################### |
| 183 |
|
| 184 |
diff --git a/policy/modules/contrib/dirsrv.te b/policy/modules/contrib/dirsrv.te |
| 185 |
index 36e2203b..80a24f24 100644 |
| 186 |
--- a/policy/modules/contrib/dirsrv.te |
| 187 |
+++ b/policy/modules/contrib/dirsrv.te |
| 188 |
@@ -57,7 +57,7 @@ files_tmpfs_file(dirsrv_tmpfs_t) |
| 189 |
|
| 190 |
# shared files |
| 191 |
type dirsrv_share_t; |
| 192 |
-files_type(dirsrv_share_t); |
| 193 |
+files_type(dirsrv_share_t) |
| 194 |
|
| 195 |
######################################## |
| 196 |
# |
| 197 |
@@ -188,7 +188,7 @@ files_runtime_filetrans(dirsrv_snmp_t, dirsrv_snmp_runtime_t, { file sock_file } |
| 198 |
search_dirs_pattern(dirsrv_snmp_t, dirsrv_runtime_t, dirsrv_runtime_t) |
| 199 |
|
| 200 |
# log file |
| 201 |
-manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t); |
| 202 |
+manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t) |
| 203 |
filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file) |
| 204 |
|
| 205 |
# Init script handling |
| 206 |
|
| 207 |
diff --git a/policy/modules/contrib/dropbox.fc b/policy/modules/contrib/dropbox.fc |
| 208 |
index bcd85a60..1a9fdff7 100644 |
| 209 |
--- a/policy/modules/contrib/dropbox.fc |
| 210 |
+++ b/policy/modules/contrib/dropbox.fc |
| 211 |
@@ -7,8 +7,4 @@ HOME_DIR/\.dropbox-master(/.*)? gen_context(system_u:object_r:dropbo |
| 212 |
HOME_DIR/\.dropbox-dist(/.*)?/dropboxd? -- gen_context(system_u:object_r:dropbox_exec_t,s0) |
| 213 |
|
| 214 |
/opt/bin/dropbox -l gen_context(system_u:object_r:dropbox_exec_t,s0) |
| 215 |
-/opt/dropbox/.*py?\.?.*egg(/.*)? gen_context(system_u:object_r:lib_t,s0) |
| 216 |
-/opt/dropbox/lib.*\.so\.[0-9]+ -- gen_context(system_u:object_r:lib_t,s0) |
| 217 |
/opt/dropbox/dropboxd? -- gen_context(system_u:object_r:dropbox_exec_t,s0) |
| 218 |
-/opt/dropbox/library\.zip -l gen_context(system_u:object_r:lib_t,s0) |
| 219 |
- |
| 220 |
|
| 221 |
diff --git a/policy/modules/contrib/dropbox.if b/policy/modules/contrib/dropbox.if |
| 222 |
index 51e9f88c..a010d912 100644 |
| 223 |
--- a/policy/modules/contrib/dropbox.if |
| 224 |
+++ b/policy/modules/contrib/dropbox.if |
| 225 |
@@ -18,6 +18,7 @@ |
| 226 |
interface(`dropbox_role',` |
| 227 |
gen_require(` |
| 228 |
type dropbox_t; |
| 229 |
+ type dropbox_content_t; |
| 230 |
type dropbox_exec_t; |
| 231 |
type dropbox_home_t; |
| 232 |
type dropbox_tmp_t; |
| 233 |
|
| 234 |
diff --git a/policy/modules/contrib/gorg.te b/policy/modules/contrib/gorg.te |
| 235 |
index b0c8ae33..59befaaa 100644 |
| 236 |
--- a/policy/modules/contrib/gorg.te |
| 237 |
+++ b/policy/modules/contrib/gorg.te |
| 238 |
@@ -5,10 +5,10 @@ type gorg_exec_t; |
| 239 |
application_domain(gorg_t, gorg_exec_t) |
| 240 |
|
| 241 |
type gorg_cache_t; |
| 242 |
-files_type(gorg_cache_t); |
| 243 |
+files_type(gorg_cache_t) |
| 244 |
|
| 245 |
type gorg_config_t; |
| 246 |
-files_type(gorg_config_t); |
| 247 |
+files_type(gorg_config_t) |
| 248 |
|
| 249 |
################################### |
| 250 |
# |
| 251 |
|
| 252 |
diff --git a/policy/modules/contrib/links.if b/policy/modules/contrib/links.if |
| 253 |
index 61254fc3..b3ad618e 100644 |
| 254 |
--- a/policy/modules/contrib/links.if |
| 255 |
+++ b/policy/modules/contrib/links.if |
| 256 |
@@ -17,14 +17,14 @@ |
| 257 |
# |
| 258 |
interface(`links_role',` |
| 259 |
gen_require(` |
| 260 |
- type links_t, links_exec_t, links_tmpfs_t, links_home_t; |
| 261 |
+ type links_t, links_exec_t, links_home_t; |
| 262 |
') |
| 263 |
|
| 264 |
####################################### |
| 265 |
# |
| 266 |
# Declarations |
| 267 |
# |
| 268 |
- |
| 269 |
+ |
| 270 |
role $1 types links_t; |
| 271 |
|
| 272 |
############################ |
| 273 |
@@ -43,4 +43,4 @@ interface(`links_role',` |
| 274 |
domtrans_pattern($2, links_exec_t, links_t) |
| 275 |
|
| 276 |
ps_process_pattern($2, links_t) |
| 277 |
-') |
| 278 |
+') |
| 279 |
|
| 280 |
diff --git a/policy/modules/contrib/logsentry.te b/policy/modules/contrib/logsentry.te |
| 281 |
index d80cdc8b..5863369b 100644 |
| 282 |
--- a/policy/modules/contrib/logsentry.te |
| 283 |
+++ b/policy/modules/contrib/logsentry.te |
| 284 |
@@ -11,10 +11,10 @@ application_domain(logsentry_t, logsentry_exec_t) |
| 285 |
role system_r types logsentry_t; |
| 286 |
|
| 287 |
type logsentry_etc_t; |
| 288 |
-files_type(logsentry_etc_t); |
| 289 |
+files_type(logsentry_etc_t) |
| 290 |
|
| 291 |
type logsentry_tmp_t; |
| 292 |
-files_tmp_file(logsentry_tmp_t); |
| 293 |
+files_tmp_file(logsentry_tmp_t) |
| 294 |
|
| 295 |
type logsentry_filter_t; |
| 296 |
files_type(logsentry_filter_t) |
| 297 |
|
| 298 |
diff --git a/policy/modules/contrib/mutt.if b/policy/modules/contrib/mutt.if |
| 299 |
index eabe82e9..596b0fd1 100644 |
| 300 |
--- a/policy/modules/contrib/mutt.if |
| 301 |
+++ b/policy/modules/contrib/mutt.if |
| 302 |
@@ -17,7 +17,7 @@ |
| 303 |
# |
| 304 |
interface(`mutt_role',` |
| 305 |
gen_require(` |
| 306 |
- type mutt_t, mutt_exec_t, mutt_home_t, mutt_conf_t, mutt_etc_t; |
| 307 |
+ type mutt_t, mutt_exec_t, mutt_home_t, mutt_conf_t; |
| 308 |
type mutt_tmp_t; |
| 309 |
') |
| 310 |
|
| 311 |
@@ -99,6 +99,6 @@ interface(`mutt_rw_tmp_files',` |
| 312 |
|
| 313 |
# The use of rw_files_pattern here is not needed, since this incurs the open privilege as well |
| 314 |
allow $1 mutt_tmp_t:dir search_dir_perms; |
| 315 |
- allow $1 mutt_tmp_t:file { read write }; |
| 316 |
+ allow $1 mutt_tmp_t:file rw_inherited_file_perms; |
| 317 |
files_search_tmp($1) |
| 318 |
') |
| 319 |
|
| 320 |
diff --git a/policy/modules/contrib/nginx.if b/policy/modules/contrib/nginx.if |
| 321 |
index b9066d97..d39b0964 100644 |
| 322 |
--- a/policy/modules/contrib/nginx.if |
| 323 |
+++ b/policy/modules/contrib/nginx.if |
| 324 |
@@ -57,7 +57,7 @@ interface(`nginx_domtrans',` |
| 325 |
type nginx_t, nginx_exec_t; |
| 326 |
') |
| 327 |
allow nginx_t $1:fd use; |
| 328 |
- allow nginx_t $1:fifo_file rw_file_perms; |
| 329 |
+ allow nginx_t $1:fifo_file rw_fifo_file_perms; |
| 330 |
allow nginx_t $1:process sigchld; |
| 331 |
|
| 332 |
domain_auto_transition_pattern($1, nginx_exec_t, nginx_t) |
| 333 |
|
| 334 |
diff --git a/policy/modules/contrib/pan.te b/policy/modules/contrib/pan.te |
| 335 |
index 48b07b85..ad60d29d 100644 |
| 336 |
--- a/policy/modules/contrib/pan.te |
| 337 |
+++ b/policy/modules/contrib/pan.te |
| 338 |
@@ -33,7 +33,7 @@ ubac_constrained(pan_tmpfs_t) |
| 339 |
# |
| 340 |
allow pan_t self:process { getsched signal }; |
| 341 |
allow pan_t self:fifo_file rw_fifo_file_perms; |
| 342 |
-allow pan_t pan_tmpfs_t:file { read write }; |
| 343 |
+allow pan_t pan_tmpfs_t:file rw_inherited_file_perms; |
| 344 |
|
| 345 |
# Allow pan to work with its ~/.pan2 location |
| 346 |
manage_dirs_pattern(pan_t, pan_home_t, pan_home_t) |
| 347 |
|
| 348 |
diff --git a/policy/modules/contrib/resolvconf.fc b/policy/modules/contrib/resolvconf.fc |
| 349 |
index 51383c24..fcfa9b7d 100644 |
| 350 |
--- a/policy/modules/contrib/resolvconf.fc |
| 351 |
+++ b/policy/modules/contrib/resolvconf.fc |
| 352 |
@@ -1,7 +1,5 @@ |
| 353 |
/etc/resolvconf\.conf -- gen_context(system_u:object_r:resolvconf_conf_t,s0) |
| 354 |
|
| 355 |
-/usr/lib/resolvconf(/.*)? gen_context(system_u:object_r:bin_t,s0) |
| 356 |
- |
| 357 |
/usr/sbin/resolvconf -- gen_context(system_u:object_r:resolvconf_exec_t,s0) |
| 358 |
|
| 359 |
/run/resolvconf(/.*)? gen_context(system_u:object_r:resolvconf_runtime_t,s0) |
| 360 |
|
| 361 |
diff --git a/policy/modules/contrib/skype.if b/policy/modules/contrib/skype.if |
| 362 |
index 789b8f8a..88c9849c 100644 |
| 363 |
--- a/policy/modules/contrib/skype.if |
| 364 |
+++ b/policy/modules/contrib/skype.if |
| 365 |
@@ -17,11 +17,11 @@ |
| 366 |
# |
| 367 |
interface(`skype_role',` |
| 368 |
gen_require(` |
| 369 |
- type skype_t, skype_exec_t, skype_tmpfs_t, skype_home_t; |
| 370 |
+ type skype_t, skype_exec_t, skype_home_t; |
| 371 |
') |
| 372 |
- |
| 373 |
+ |
| 374 |
role $1 types skype_t; |
| 375 |
- |
| 376 |
+ |
| 377 |
domtrans_pattern($2, skype_exec_t, skype_t) |
| 378 |
|
| 379 |
allow $2 skype_t:process { ptrace signal_perms }; |
| 380 |
@@ -36,4 +36,4 @@ interface(`skype_role',` |
| 381 |
relabel_lnk_files_pattern($2, skype_home_t, skype_home_t) |
| 382 |
|
| 383 |
ps_process_pattern($2, skype_t) |
| 384 |
-') |
| 385 |
+') |
| 386 |
|
| 387 |
diff --git a/policy/modules/contrib/uwsgi.if b/policy/modules/contrib/uwsgi.if |
| 388 |
index c6b39de5..f5a54aa7 100644 |
| 389 |
--- a/policy/modules/contrib/uwsgi.if |
| 390 |
+++ b/policy/modules/contrib/uwsgi.if |
| 391 |
@@ -33,7 +33,7 @@ interface(`uwsgi_stream_connect',` |
| 392 |
# |
| 393 |
interface(`uwsgi_manage_content',` |
| 394 |
gen_require(` |
| 395 |
- type uwsgi_content_t; |
| 396 |
+ type uwsgi_content_t, uwsgi_content_exec_t; |
| 397 |
') |
| 398 |
|
| 399 |
files_search_runtime($1) |
| 400 |
@@ -81,7 +81,7 @@ interface(`uwsgi_domtrans',` |
| 401 |
# |
| 402 |
interface(`uwsgi_content_exec',` |
| 403 |
gen_require(` |
| 404 |
- type uwsgi_t, uwsgi_exec_t, uwsgi_content_exec_t; |
| 405 |
+ type uwsgi_content_exec_t; |
| 406 |
') |
| 407 |
|
| 408 |
corecmd_search_bin($1) |
| 409 |
|
| 410 |
diff --git a/policy/modules/contrib/vde.if b/policy/modules/contrib/vde.if |
| 411 |
index 01579707..437b65ed 100644 |
| 412 |
--- a/policy/modules/contrib/vde.if |
| 413 |
+++ b/policy/modules/contrib/vde.if |
| 414 |
@@ -18,9 +18,8 @@ |
| 415 |
# |
| 416 |
interface(`vde_role',` |
| 417 |
gen_require(` |
| 418 |
- type vde_t, vde_tmp_t; |
| 419 |
- type vde_runtime_t; |
| 420 |
- type vde_initrc_exec_t, vde_exec_t; |
| 421 |
+ type vde_t; |
| 422 |
+ type vde_exec_t; |
| 423 |
') |
| 424 |
|
| 425 |
role $1 types vde_t; |
| 426 |
|
| 427 |
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc |
| 428 |
index 07a09873..48540ef9 100644 |
| 429 |
--- a/policy/modules/kernel/corecommands.fc |
| 430 |
+++ b/policy/modules/kernel/corecommands.fc |
| 431 |
@@ -115,6 +115,10 @@ ifdef(`distro_debian',` |
| 432 |
/etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0) |
| 433 |
') |
| 434 |
|
| 435 |
+ifdef(`distro_gentoo',` |
| 436 |
+/etc/portage/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) |
| 437 |
+') |
| 438 |
+ |
| 439 |
# |
| 440 |
# /opt |
| 441 |
# |
| 442 |
@@ -391,6 +395,20 @@ ifdef(`distro_gentoo', ` |
| 443 |
/usr/lib/rc/bin/.* -- gen_context(system_u:object_r:bin_t,s0) |
| 444 |
/usr/lib/rc/sbin/.* -- gen_context(system_u:object_r:bin_t,s0) |
| 445 |
/usr/lib/rc/sh/.* -- gen_context(system_u:object_r:bin_t,s0) |
| 446 |
+ |
| 447 |
+/usr/lib/portage/bin/ebuild -- gen_context(system_u:object_r:bin_t,s0) |
| 448 |
+/usr/lib/portage/bin/ebuild\.sh -- gen_context(system_u:object_r:bin_t,s0) |
| 449 |
+/usr/lib/resolvconf(/.*)? gen_context(system_u:object_r:bin_t,s0) |
| 450 |
+ |
| 451 |
+/usr/share/mysql/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) |
| 452 |
+/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) |
| 453 |
+/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) |
| 454 |
+/usr/share/shorewall/getparams -- gen_context(system_u:object_r:bin_t,s0) |
| 455 |
+/usr/share/shorewall/wait4ifup -- gen_context(system_u:object_r:bin_t,s0) |
| 456 |
+/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) |
| 457 |
+/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) |
| 458 |
+/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) |
| 459 |
+/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) |
| 460 |
') |
| 461 |
|
| 462 |
ifdef(`distro_redhat', ` |
| 463 |
|
| 464 |
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in |
| 465 |
index 7b77d8d8..65e54854 100644 |
| 466 |
--- a/policy/modules/kernel/corenetwork.if.in |
| 467 |
+++ b/policy/modules/kernel/corenetwork.if.in |
| 468 |
@@ -1494,11 +1494,11 @@ interface(`corenet_udp_send_all_ports',` |
| 469 |
# |
| 470 |
interface(`corenet_sctp_bind_generic_port',` |
| 471 |
gen_require(` |
| 472 |
- type port_t, unreserved_port_t, ephemeral_port_t; |
| 473 |
+ type port_t, unreserved_port_t; |
| 474 |
attribute defined_port_type; |
| 475 |
') |
| 476 |
|
| 477 |
- allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind; |
| 478 |
+ allow $1 { port_t unreserved_port_t }:sctp_socket name_bind; |
| 479 |
dontaudit $1 defined_port_type:sctp_socket name_bind; |
| 480 |
') |
| 481 |
|
| 482 |
@@ -1567,10 +1567,10 @@ interface(`corenet_udp_sendrecv_all_ports',` |
| 483 |
# |
| 484 |
interface(`corenet_dontaudit_sctp_bind_generic_port',` |
| 485 |
gen_require(` |
| 486 |
- type port_t, unreserved_port_t, ephemeral_port_t; |
| 487 |
+ type port_t, unreserved_port_t; |
| 488 |
') |
| 489 |
|
| 490 |
- dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind; |
| 491 |
+ dontaudit $1 { port_t unreserved_port_t }:sctp_socket name_bind; |
| 492 |
') |
| 493 |
|
| 494 |
######################################## |
| 495 |
@@ -1641,10 +1641,10 @@ interface(`corenet_udp_bind_all_ports',` |
| 496 |
# |
| 497 |
interface(`corenet_sctp_connect_generic_port',` |
| 498 |
gen_require(` |
| 499 |
- type port_t, unreserved_port_t,ephemeral_port_t; |
| 500 |
+ type port_t, unreserved_port_t; |
| 501 |
') |
| 502 |
|
| 503 |
- allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_connect; |
| 504 |
+ allow $1 { port_t unreserved_port_t }:sctp_socket name_connect; |
| 505 |
') |
| 506 |
|
| 507 |
######################################## |
| 508 |
@@ -3335,13 +3335,7 @@ interface(`corenet_relabelto_all_server_packets',` |
| 509 |
## </param> |
| 510 |
# |
| 511 |
interface(`corenet_sctp_recvfrom_unlabeled',` |
| 512 |
- gen_require(` |
| 513 |
- attribute corenet_unlabeled_type; |
| 514 |
- ') |
| 515 |
- |
| 516 |
kernel_recvfrom_unlabeled_peer($1) |
| 517 |
- |
| 518 |
- typeattribute $1 corenet_unlabeled_type; |
| 519 |
kernel_sendrecv_unlabeled_association($1) |
| 520 |
') |
| 521 |
|
| 522 |
|
| 523 |
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if |
| 524 |
index 1fae36ed..474b4035 100644 |
| 525 |
--- a/policy/modules/kernel/devices.if |
| 526 |
+++ b/policy/modules/kernel/devices.if |
| 527 |
@@ -5630,6 +5630,6 @@ interface(`dev_dontaudit_read_usbmon_dev',` |
| 528 |
type usbmon_device_t; |
| 529 |
') |
| 530 |
|
| 531 |
- dontaudit $1 usbmon_device_t:chr_file read_file_perms; |
| 532 |
+ dontaudit $1 usbmon_device_t:chr_file read_chr_file_perms; |
| 533 |
') |
| 534 |
|
| 535 |
|
| 536 |
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc |
| 537 |
index 1bec89a0..d7b46a3d 100644 |
| 538 |
--- a/policy/modules/kernel/files.fc |
| 539 |
+++ b/policy/modules/kernel/files.fc |
| 540 |
@@ -215,6 +215,11 @@ HOME_ROOT/lost\+found/.* <<none>> |
| 541 |
/usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0) |
| 542 |
/usr/share/docbook2X/xslt/man(/.*)? gen_context(system_u:object_r:usr_t,s0) |
| 543 |
|
| 544 |
+ifdef(`distro_gentoo',` |
| 545 |
+# Running maven (mvn) command needs read access to this, yet the file is marked as bin_t otherwise |
| 546 |
+/usr/share/maven-bin-[^/]*/bin/m2\.conf -- gen_context(system_u:object_r:usr_t,s0) |
| 547 |
+') |
| 548 |
+ |
| 549 |
/usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) |
| 550 |
/usr/tmp/.* <<none>> |
| 551 |
|
| 552 |
|
| 553 |
diff --git a/policy/modules/services/mysql.fc b/policy/modules/services/mysql.fc |
| 554 |
index e1f090fa..7739d36d 100644 |
| 555 |
--- a/policy/modules/services/mysql.fc |
| 556 |
+++ b/policy/modules/services/mysql.fc |
| 557 |
@@ -30,8 +30,3 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) |
| 558 |
/run/mysqld.* gen_context(system_u:object_r:mysqld_runtime_t,s0) |
| 559 |
/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_runtime_t,s0) |
| 560 |
/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_runtime_t,s0) |
| 561 |
- |
| 562 |
- |
| 563 |
-ifdef(`distro_gentoo',` |
| 564 |
-/usr/share/mysql/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) |
| 565 |
-') |
| 566 |
|
| 567 |
diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if |
| 568 |
index 2897a484..de48cdbe 100644 |
| 569 |
--- a/policy/modules/services/networkmanager.if |
| 570 |
+++ b/policy/modules/services/networkmanager.if |
| 571 |
@@ -485,7 +485,7 @@ interface(`networkmanager_domtrans_wpa_cli',` |
| 572 |
# |
| 573 |
interface(`networkmanager_run_wpa_cli',` |
| 574 |
gen_require(` |
| 575 |
- type wpa_cli_exec_t; |
| 576 |
+ type wpa_cli_t; |
| 577 |
') |
| 578 |
|
| 579 |
networkmanager_domtrans_wpa_cli($1) |
| 580 |
|
| 581 |
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if |
| 582 |
index 6089d18d..c8b31909 100644 |
| 583 |
--- a/policy/modules/services/postgresql.if |
| 584 |
+++ b/policy/modules/services/postgresql.if |
| 585 |
@@ -349,7 +349,7 @@ interface(`postgresql_exec',` |
| 586 |
type postgresql_exec_t; |
| 587 |
') |
| 588 |
|
| 589 |
- can_exec($1, postgresql_exec_t); |
| 590 |
+ can_exec($1, postgresql_exec_t) |
| 591 |
') |
| 592 |
|
| 593 |
######################################## |
| 594 |
|
| 595 |
diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if |
| 596 |
index a945c50e..4d4bf888 100644 |
| 597 |
--- a/policy/modules/services/snmp.if |
| 598 |
+++ b/policy/modules/services/snmp.if |
| 599 |
@@ -193,8 +193,8 @@ interface(`snmp_admin',` |
| 600 |
# |
| 601 |
interface(`snmp_append_var_lib_files',` |
| 602 |
gen_require(` |
| 603 |
- type snmp_var_lib_t; |
| 604 |
+ type snmpd_var_lib_t; |
| 605 |
') |
| 606 |
|
| 607 |
- allow $1 snmp_var_lib_t:file append_file_perms; |
| 608 |
+ allow $1 snmpd_var_lib_t:file append_file_perms; |
| 609 |
') |
| 610 |
|
| 611 |
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te |
| 612 |
index eb78df9a..b52eaddb 100644 |
| 613 |
--- a/policy/modules/system/init.te |
| 614 |
+++ b/policy/modules/system/init.te |
| 615 |
@@ -1003,7 +1003,7 @@ ifdef(`enabled_mls',` |
| 616 |
# Allow initrc_su_t, now defined, to transition to postgresql_t |
| 617 |
postgresql_domtrans(initrc_su_t) |
| 618 |
# Allow initrc_su_t to use the initrc_devpts_t (needed for init script failure output) |
| 619 |
- allow initrc_su_t initrc_devpts_t:chr_file { read write }; |
| 620 |
+ allow initrc_su_t initrc_devpts_t:chr_file rw_inherited_term_perms; |
| 621 |
') |
| 622 |
') |
| 623 |
|
| 624 |
|
| 625 |
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc |
| 626 |
index 3cdc22f9..757b18bc 100644 |
| 627 |
--- a/policy/modules/system/libraries.fc |
| 628 |
+++ b/policy/modules/system/libraries.fc |
| 629 |
@@ -60,10 +60,14 @@ ifdef(`distro_gentoo',` |
| 630 |
/opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:lib_t,s0) |
| 631 |
/opt/Acrobat[5-9]/Reader/intellinux/plug_ins3d/.*\.x3d -- gen_context(system_u:object_r:lib_t,s0) |
| 632 |
/opt/Acrobat[5-9]/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0) |
| 633 |
+/opt/dropbox/.*py?\.?.*egg(/.*)? gen_context(system_u:object_r:lib_t,s0) |
| 634 |
+/opt/dropbox/lib.*\.so\.[0-9]+ -- gen_context(system_u:object_r:lib_t,s0) |
| 635 |
+/opt/dropbox/library\.zip -l gen_context(system_u:object_r:lib_t,s0) |
| 636 |
|
| 637 |
+/opt/firefox/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) |
| 638 |
/opt/netscape/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0) |
| 639 |
/opt/netscape/plugins/libflashplayer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) |
| 640 |
-/opt/netscape/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) |
| 641 |
+/opt/netscape/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) |
| 642 |
/opt/RealPlayer/codecs(/.*)? gen_context(system_u:object_r:lib_t,s0) |
| 643 |
/opt/RealPlayer/common(/.*)? gen_context(system_u:object_r:lib_t,s0) |
| 644 |
/opt/RealPlayer/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) |
| 645 |
|
| 646 |
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if |
| 647 |
index ae993536..0f6efef8 100644 |
| 648 |
--- a/policy/modules/system/logging.if |
| 649 |
+++ b/policy/modules/system/logging.if |
| 650 |
@@ -1068,7 +1068,7 @@ interface(`logging_append_all_inherited_logs',` |
| 651 |
attribute logfile; |
| 652 |
') |
| 653 |
|
| 654 |
- allow $1 logfile:file { getattr append ioctl lock }; |
| 655 |
+ allow $1 logfile:file append_inherited_file_perms; |
| 656 |
') |
| 657 |
|
| 658 |
######################################## |
| 659 |
|
| 660 |
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te |
| 661 |
index 9e7fd769..e002e6e3 100644 |
| 662 |
--- a/policy/modules/system/modutils.te |
| 663 |
+++ b/policy/modules/system/modutils.te |
| 664 |
@@ -213,5 +213,5 @@ ifdef(`distro_gentoo',` |
| 665 |
|
| 666 |
# for /run/tmpfiles.d/kmod.conf |
| 667 |
tmpfiles_create_runtime_files(kmod_t) |
| 668 |
- filetrans_add_pattern(kmod_t, tmpfiles_runtime_t, kmod_tmpfiles_conf_t, file) |
| 669 |
+ filetrans_add_pattern(kmod_t, tmpfiles_runtime_t, kmod_tmpfiles_conf_t, file) #selint-disable:W-001 |
| 670 |
') |
Archives