| 1 |
commit: 6821d0d812722efa73ccba5bee8410241b622721 |
| 2 |
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au> |
| 3 |
AuthorDate: Thu Jan 31 02:58:52 2019 +0000 |
| 4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Sun Feb 10 04:11:25 2019 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6821d0d8 |
| 7 |
|
| 8 |
more misc stuff |
| 9 |
|
| 10 |
Here's the latest stuff, most of which is to make staff_t usable as a login |
| 11 |
domain. Please merge whatever you think is good and skip the rest. |
| 12 |
|
| 13 |
Signed-off-by: Jason Zaman <jason <AT> perfinion.com> |
| 14 |
|
| 15 |
policy/modules/kernel/corecommands.fc | 2 ++ |
| 16 |
policy/modules/roles/staff.te | 4 ++++ |
| 17 |
policy/modules/roles/unprivuser.te | 4 ++++ |
| 18 |
policy/modules/services/ssh.te | 1 + |
| 19 |
policy/modules/system/locallogin.te | 1 + |
| 20 |
policy/modules/system/systemd.te | 3 ++- |
| 21 |
6 files changed, 14 insertions(+), 1 deletion(-) |
| 22 |
|
| 23 |
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc |
| 24 |
index 6a94f6ef..3b5f9c4d 100644 |
| 25 |
--- a/policy/modules/kernel/corecommands.fc |
| 26 |
+++ b/policy/modules/kernel/corecommands.fc |
| 27 |
@@ -168,6 +168,7 @@ ifdef(`distro_gentoo',` |
| 28 |
|
| 29 |
/usr/lib/at-spi2-core(/.*)? gen_context(system_u:object_r:bin_t,s0) |
| 30 |
/usr/lib/avahi/avahi-daemon-check-dns\.sh -- gen_context(system_u:object_r:bin_t,s0) |
| 31 |
+/usr/lib/bluetooth/.* -- gen_context(system_u:object_r:bin_t,s0) |
| 32 |
/usr/lib/bridge-utils/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) |
| 33 |
/usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) |
| 34 |
#/usr/lib/dhcpcd/dhcpcd-hooks(/.*)? gen_context(system_u:object_r:bin_t,s0) |
| 35 |
@@ -200,6 +201,7 @@ ifdef(`distro_gentoo',` |
| 36 |
/usr/lib/gvfs/gvfs.* -- gen_context(system_u:object_r:bin_t,s0) |
| 37 |
/usr/lib/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) |
| 38 |
/usr/lib/kde4/libexec/.* -- gen_context(system_u:object_r:bin_t,s0) |
| 39 |
+/usr/lib/[^/]+/libexec/kf5/.* -- gen_context(system_u:object_r:bin_t,s0) |
| 40 |
/usr/lib/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) |
| 41 |
/usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0) |
| 42 |
/usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0) |
| 43 |
|
| 44 |
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te |
| 45 |
index 803cca2a..1db51e0f 100644 |
| 46 |
--- a/policy/modules/roles/staff.te |
| 47 |
+++ b/policy/modules/roles/staff.te |
| 48 |
@@ -31,6 +31,10 @@ optional_policy(` |
| 49 |
git_role(staff_r, staff_t) |
| 50 |
') |
| 51 |
|
| 52 |
+optional_policy(` |
| 53 |
+ modemmanager_dbus_chat(staff_t) |
| 54 |
+') |
| 55 |
+ |
| 56 |
optional_policy(` |
| 57 |
postgresql_role(staff_r, staff_t) |
| 58 |
') |
| 59 |
|
| 60 |
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te |
| 61 |
index 0e21b2ad..f3241612 100644 |
| 62 |
--- a/policy/modules/roles/unprivuser.te |
| 63 |
+++ b/policy/modules/roles/unprivuser.te |
| 64 |
@@ -20,6 +20,10 @@ optional_policy(` |
| 65 |
git_role(user_r, user_t) |
| 66 |
') |
| 67 |
|
| 68 |
+optional_policy(` |
| 69 |
+ modemmanager_dbus_chat(user_t) |
| 70 |
+') |
| 71 |
+ |
| 72 |
optional_policy(` |
| 73 |
screen_role_template(user, user_r, user_t) |
| 74 |
') |
| 75 |
|
| 76 |
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te |
| 77 |
index 9a9b1061..ccc29001 100644 |
| 78 |
--- a/policy/modules/services/ssh.te |
| 79 |
+++ b/policy/modules/services/ssh.te |
| 80 |
@@ -178,6 +178,7 @@ logging_read_generic_logs(ssh_t) |
| 81 |
|
| 82 |
auth_use_nsswitch(ssh_t) |
| 83 |
|
| 84 |
+miscfiles_read_generic_certs(ssh_t) |
| 85 |
miscfiles_read_localization(ssh_t) |
| 86 |
|
| 87 |
seutil_read_config(ssh_t) |
| 88 |
|
| 89 |
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te |
| 90 |
index 9908a645..adbe775e 100644 |
| 91 |
--- a/policy/modules/system/locallogin.te |
| 92 |
+++ b/policy/modules/system/locallogin.te |
| 93 |
@@ -209,6 +209,7 @@ optional_policy(` |
| 94 |
') |
| 95 |
|
| 96 |
optional_policy(` |
| 97 |
+ xserver_link_xdm_keys(local_login_t) |
| 98 |
xserver_read_xdm_tmp_files(local_login_t) |
| 99 |
xserver_rw_xdm_tmp_files(local_login_t) |
| 100 |
xserver_rw_xdm_keys(local_login_t) |
| 101 |
|
| 102 |
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te |
| 103 |
index e5f37321..34c38cad 100644 |
| 104 |
--- a/policy/modules/system/systemd.te |
| 105 |
+++ b/policy/modules/system/systemd.te |
| 106 |
@@ -1008,6 +1008,7 @@ files_create_lock_dirs(systemd_tmpfiles_t) |
| 107 |
files_manage_all_pid_dirs(systemd_tmpfiles_t) |
| 108 |
files_delete_usr_files(systemd_tmpfiles_t) |
| 109 |
files_list_home(systemd_tmpfiles_t) |
| 110 |
+files_list_locks(systemd_tmpfiles_t) |
| 111 |
files_manage_generic_tmp_dirs(systemd_tmpfiles_t) |
| 112 |
files_manage_var_dirs(systemd_tmpfiles_t) |
| 113 |
files_manage_var_lib_dirs(systemd_tmpfiles_t) |
| 114 |
@@ -1026,8 +1027,8 @@ files_relabelto_etc_dirs(systemd_tmpfiles_t) |
| 115 |
files_manage_etc_symlinks(systemd_tmpfiles_t) |
| 116 |
|
| 117 |
fs_getattr_tmpfs(systemd_tmpfiles_t) |
| 118 |
-fs_getattr_tmpfs_dirs(systemd_tmpfiles_t) |
| 119 |
fs_getattr_xattr_fs(systemd_tmpfiles_t) |
| 120 |
+fs_list_tmpfs(systemd_tmpfiles_t) |
| 121 |
|
| 122 |
selinux_get_fs_mount(systemd_tmpfiles_t) |
| 123 |
selinux_search_fs(systemd_tmpfiles_t) |
Archives