Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
Date: Sun, 07 May 2017 16:09:08
Message-Id: 1494172156.542af989565d81b90ef54fcb78d259fb7073bfba.perfinion@gentoo
1 commit: 542af989565d81b90ef54fcb78d259fb7073bfba
2 Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
3 AuthorDate: Sat Apr 15 18:23:34 2017 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sun May 7 15:49:16 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=542af989
7
8 Synchronize file patterns for /usr/bin/mount... and /usr/sbin/mount...
9
10 mount.fc defines file contexts for /usr/bin/mount.*, /usr/bin/umount.*
11 and /usr/sbin/mount\.zfs. These patterns are not consistent for two
12 reasons:
13
14 - some distributions use /sbin/mount... for other file systems that zfs.
15 For example Debian uses /sbin/mount.ntfs-3g
16 (https://packages.debian.org/jessie/amd64/ntfs-3g/filelist)
17 - mount_exec_t type should only be applied to mount, umount, mount.$FS
18 and umount.udisks2, not mountpoint.
19
20 Replace the file patterns with ones that do not match mountpoint and
21 match every mount and umount programs in /usr/bin and /usr/sbin.
22
23 policy/modules/system/mount.fc | 7 ++++---
24 1 file changed, 4 insertions(+), 3 deletions(-)
25
26 diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
27 index 39ea6f5c..97e2596b 100644
28 --- a/policy/modules/system/mount.fc
29 +++ b/policy/modules/system/mount.fc
30 @@ -1,8 +1,9 @@
31 /usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
32 -/usr/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
33 -/usr/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
34 +/usr/bin/mount(\.[^/]+)? -- gen_context(system_u:object_r:mount_exec_t,s0)
35 +/usr/bin/umount(\.[^/]+)? -- gen_context(system_u:object_r:mount_exec_t,s0)
36
37 -/usr/sbin/mount\.zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
38 +/usr/sbin/mount(\.[^/]+)? -- gen_context(system_u:object_r:mount_exec_t,s0)
39 +/usr/sbin/umount(\.[^/]+)? -- gen_context(system_u:object_r:mount_exec_t,s0)
40 /usr/sbin/zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
41 /usr/sbin/zpool -- gen_context(system_u:object_r:mount_exec_t,s0)
Report Message
Find on MARC Find on Google Groups