commit: 6821d0d812722efa73ccba5bee8410241b622721 |
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au> |
AuthorDate: Thu Jan 31 02:58:52 2019 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sun Feb 10 04:11:25 2019 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6821d0d8 |
|
more misc stuff |
|
Here's the latest stuff, most of which is to make staff_t usable as a login |
domain. Please merge whatever you think is good and skip the rest. |
|
Signed-off-by: Jason Zaman <jason <AT> perfinion.com> |
|
policy/modules/kernel/corecommands.fc | 2 ++ |
policy/modules/roles/staff.te | 4 ++++ |
policy/modules/roles/unprivuser.te | 4 ++++ |
policy/modules/services/ssh.te | 1 + |
policy/modules/system/locallogin.te | 1 + |
policy/modules/system/systemd.te | 3 ++- |
6 files changed, 14 insertions(+), 1 deletion(-) |
|
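--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -168,6 +168,7 @@ ifdef(`distro_gentoo',`
 
 /usr/lib/at-spi2-core(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/avahi/avahi-daemon-check-dns\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/bluetooth/.* -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/bridge-utils/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 #/usr/lib/dhcpcd/dhcpcd-hooks(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -200,6 +201,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/gvfs/gvfs.* -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/kde4/libexec/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/[^/]+/libexec/kf5/.* -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0)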
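Review bot: `/usr/lib/bluetooth/.*` gives bin_t to every regular file under that directory, which presumably includes the Bluetooth daemon itself on distributions that install it there; a more specific entry in the bluetooth module's .fc would still win under setfiles' specificity rules, but when that module is not loaded the daemon silently falls back to bin_t, so a `#` comment stating that only the helper programs are intended would help the next reader. The kf5 entry's `[^/]+` component looks like a multiarch directory; a comment such as `# multiarch libexec dir, e.g. /usr/lib/<triplet>/libexec/kf5` would make that intent explicit. Both hunks sit far from the `ifdef(`distro_gentoo'` shown in the hunk header, so whether these lines are distro-conditional cannot be judged from here.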
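--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -31,6 +31,10 @@ optional_policy(`
 git_role(staff_r, staff_t)
 ')
 
+optional_policy(`
+ modemmanager_dbus_chat(staff_t)
+')
+
 optional_policy(`
 postgresql_role(staff_r, staff_t)
 ')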
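Review bot: The identical `modemmanager_dbus_chat` block is added for staff_t here and for user_t in the unprivuser.te hunk; refpolicy normally places access that every login domain needs in the shared userdom template rather than repeating it per role file, so consider moving it there unless some roles are deliberately meant not to get it. dbus_chat only lets the D-Bus messages through to ModemManager; as far as I know the service then applies its own polkit checks, and the commit message should say so, since this widens what unprivileged users can reach on the system bus. The surrounding role declarations start outside the hunk, so whether staff_t already has system bus client access cannot be confirmed from here.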
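--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -20,6 +20,10 @@ optional_policy(`
 git_role(user_r, user_t)
 ')
 
+optional_policy(`
+ modemmanager_dbus_chat(user_t)
+')
+
 optional_policy(`
 screen_role_template(user, user_r, user_t)
 ')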
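--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -178,6 +178,7 @@ logging_read_generic_logs(ssh_t)
 
 auth_use_nsswitch(ssh_t)
 
+miscfiles_read_generic_certs(ssh_t)
 miscfiles_read_localization(ssh_t)
 
 seutil_read_config(ssh_t)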
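Review bot: Neither the commit message nor the hunk says why the ssh client domain now needs to read generic certificates; a comment above the new call naming the feature or library that produced the denial (for example `# needed by <feature> -- see <bug/denial>`) would let a later reviewer tell whether the access is still required. The ssh_t rules continue outside the hunk, so whether this is better expressed under an existing tunable cannot be judged from here.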
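--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -209,6 +209,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+ xserver_link_xdm_keys(local_login_t)
 xserver_read_xdm_tmp_files(local_login_t)
 xserver_rw_xdm_tmp_files(local_login_t)
 xserver_rw_xdm_keys(local_login_t)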
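Review bot: `xserver_link_xdm_keys` gives local_login_t hard-link permission on the xdm key files, which is unusual alongside the read/rw access already present and is not explained by the commit. A comment above the call naming the program or code path that creates the link would let a future reader decide whether the permission is still needed rather than carrying it forward. The optional_policy block continues outside the hunk.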
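--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1008,6 +1008,7 @@ files_create_lock_dirs(systemd_tmpfiles_t)
 files_manage_all_pid_dirs(systemd_tmpfiles_t)
 files_delete_usr_files(systemd_tmpfiles_t)
 files_list_home(systemd_tmpfiles_t)
+files_list_locks(systemd_tmpfiles_t)
 files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
 files_manage_var_dirs(systemd_tmpfiles_t)
 files_manage_var_lib_dirs(systemd_tmpfiles_t)
@@ -1026,8 +1027,8 @@ files_relabelto_etc_dirs(systemd_tmpfiles_t)
 files_manage_etc_symlinks(systemd_tmpfiles_t)
 
 fs_getattr_tmpfs(systemd_tmpfiles_t)
-fs_getattr_tmpfs_dirs(systemd_tmpfiles_t)
 fs_getattr_xattr_fs(systemd_tmpfiles_t)
+fs_list_tmpfs(systemd_tmpfiles_t)
 
 selinux_get_fs_mount(systemd_tmpfiles_t)
 selinux_search_fs(systemd_tmpfiles_t)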
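Review bot: The second hunk replaces `fs_getattr_tmpfs_dirs` with `fs_list_tmpfs`, which only avoids losing access if fs_list_tmpfs grants the directory getattr that the removed interface provided; in refpolicy list_dir_perms does include getattr, but that should be confirmed against the interface definition in the filesystem module before the swap is accepted as a pure widening. A one-line comment on the new call (for example `# list covers the getattr previously granted separately`) would record that reasoning. The systemd_tmpfiles_t rules start and end outside both hunks.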