commit: 35a8e7e6fe55cadb8bb8d163e9beb2c69e4e534b |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Wed Sep 25 15:44:30 2013 +0000 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
CommitDate: Mon Sep 30 19:00:52 2013 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=35a8e7e6 |
|
apt: As it turns out the /var/backups directory is labeled in the backup module (which i incidentally did not have installed earlier). Instead of creating this file with a file type transition to apt_var_cache_t, allow apt_t to manage backup_store files |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/apt.fc | 2 -- |
policy/modules/contrib/apt.te | 6 +++++- |
policy/modules/contrib/backup.if | 20 ++++++++++++++++++++ |
policy/modules/contrib/backup.te | 2 +- |
4 files changed, 26 insertions(+), 4 deletions(-) |
|
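--- a/policy/modules/contrib/apt.fc
+++ b/policy/modules/contrib/apt.fc
@@ -10,8 +10,6 @@ ifndef(`distro_redhat',`
 /var/lib/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
 ')
 
-/var/backups/dpkg.* -- gen_context(system_u:object_r:apt_var_cache_t,s0)
-
 /var/cache/apt(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
 
 /var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)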
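--- a/policy/modules/contrib/apt.te
+++ b/policy/modules/contrib/apt.te
@@ -1,4 +1,4 @@
-policy_module(apt, 1.8.0)
+policy_module(apt, 1.8.1)
 
 ########################################
 #
@@ -121,6 +121,10 @@ sysnet_read_config(apt_t)
 userdom_use_user_terminals(apt_t)
 
 optional_policy(`
+ backup_manage_store_files(apt_t)
+')
+
+optional_policy(`
 cron_system_entry(apt_t, apt_exec_t)
 ')
 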
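Review bot: The added `backup_manage_store_files(apt_t)` call in the second hunk lets apt_t manage every file labeled backup_store_t, whereas the file context removed from apt.fc in this commit confined apt to `/var/backups/dpkg.*` under its own apt_var_cache_t type. What else carries the backup_store_t label is not visible here, but if other tools keep backups under it, a misbehaving or compromised apt_t process could now modify or remove them, so the breadth deserves a check. A comment above the call would record the reason, for example `# dpkg backups live in /var/backups, labeled backup_store_t by the backup module`. Because the call sits in `optional_policy`, a system without the backup module gets neither this rule nor the old label, which presumably leaves the dpkg backup files with the directory's default type.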
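--- a/policy/modules/contrib/backup.if
+++ b/policy/modules/contrib/backup.if
@@ -45,3 +45,23 @@ interface(`backup_run',`
 backup_domtrans($1)
 roleattribute $2 backup_roles;
 ')
+
+########################################
+## <summary>
+## Create, read, and write backup
+## store files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`backup_manage_store_files',`
+ gen_require(`
+ type backup_store_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, backup_store_t, backup_store_t)
+')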
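Review bot: The `<summary>` of the new `backup_manage_store_files` interface says "Create, read, and write", but the body calls `manage_files_pattern`, which in refpolicy also grants unlink, rename and setattr on the files. A policy author judging this interface from the summary alone would not realise it lets the calling domain delete or replace backups. I would word it as `## Create, read, write, and delete backup store files.`, matching how manage interfaces are usually described. Only regular files are covered; whether callers also need access to directories inside the store is not visible here.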
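--- a/policy/modules/contrib/backup.te
+++ b/policy/modules/contrib/backup.te
@@ -1,4 +1,4 @@
-policy_module(backup, 1.6.0)
+policy_module(backup, 1.6.1)
 
 ########################################
 #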