
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
Date: Mon, 01 Feb 2021 02:10:12
Message-Id: 1612142502.44c7994f453c43349074368972d58e465e1f5d27.perfinion@gentoo
1 commit: 44c7994f453c43349074368972d58e465e1f5d27
2 Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
3 AuthorDate: Thu Jan 28 15:53:04 2021 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Mon Feb 1 01:21:42 2021 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=44c7994f
7
8 apache, mysql, postgrey, samba, squid: Apply new mmap_manage_files_pattern().
9
10 Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
11 Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
12
13 policy/modules/services/apache.if | 6 ++----
14 policy/modules/services/apache.te | 15 +++++----------
15 policy/modules/services/mysql.te | 6 ++----
16 policy/modules/services/postgrey.te | 3 +--
17 policy/modules/services/samba.te | 15 +++++----------
18 policy/modules/services/squid.te | 3 +--
19 6 files changed, 16 insertions(+), 32 deletions(-)
20
21 diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
22 index 44767359..1695af75 100644
23 --- a/policy/modules/services/apache.if
24 +++ b/policy/modules/services/apache.if
25 @@ -70,8 +70,7 @@ template(`apache_content_template',`
26 allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:lnk_file read_lnk_file_perms;
27
28 manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
29 - manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
30 - allow httpd_$1_script_t httpd_$1_rw_content_t:file map;
31 + mmap_manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
32 manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
33 manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
34 manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
35 @@ -1025,8 +1024,7 @@ interface(`apache_manage_sys_rw_content',`
36
37 apache_search_sys_content($1)
38 manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
39 - manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
40 - allow $1 httpd_sys_rw_content_t:file map;
41 + mmap_manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
42 manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
43 ')
44
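Review bot: The new line `mmap_manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)` carries over the missing space after `$1,` from the line it replaces, unlike every other pattern call in this diff. Since the line is being rewritten anyway, it should read `mmap_manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)` to match the surrounding calls.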
45
46 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
47 index da43a1d8..35fafe56 100644
48 --- a/policy/modules/services/apache.te
49 +++ b/policy/modules/services/apache.te
50 @@ -378,10 +378,9 @@ allow httpd_t self:unix_stream_socket { accept connectto listen };
51 allow httpd_t self:tcp_socket { accept listen };
52
53 manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
54 -manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
55 +mmap_manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
56 manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
57 files_var_filetrans(httpd_t, httpd_cache_t, dir)
58 -allow httpd_t httpd_cache_t:file map;
59
60 allow httpd_t httpd_config_t:dir list_dir_perms;
61 read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
62 @@ -415,9 +414,8 @@ read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
63 allow httpd_t httpd_rotatelogs_t:process signal_perms;
64
65 manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
66 -manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
67 +mmap_manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
68 manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
69 -allow httpd_t httpd_squirrelmail_t:file map;
70
71 allow httpd_t httpd_suexec_exec_t:file read_file_perms;
72
73 @@ -441,8 +439,7 @@ manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
74 fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
75
76 manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
77 -manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
78 -allow httpd_t httpd_var_lib_t:file map;
79 +mmap_manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
80 manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
81 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
82
83 @@ -622,8 +619,7 @@ tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
84 domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
85
86 manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
87 - manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
88 - allow httpd_t httpdcontent:file map;
89 + mmap_manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
90 manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent)
91 manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
92 manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent)
93 @@ -908,8 +904,7 @@ optional_policy(`
94 # Helper local policy
95 #
96
97 -read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)
98 -allow httpd_t httpd_config_t:file map;
99 +mmap_read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)
100
101 append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
102 read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
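Review bot: The replacement `mmap_read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)` does not preserve the rules it removes: the dropped `allow httpd_t httpd_config_t:file map;` granted map to httpd_t, whereas the new pattern grants map to httpd_helper_t and leaves httpd_t without it. Within this diff the only visible httpd_t rule on httpd_config_t is `read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)` (context of an earlier hunk), which carries no map, so httpd_t may now be denied mapping its configuration unless map is granted somewhere outside these hunks, and httpd_helper_t gains a permission it previously lacked. If the old httpd_t line was a typo for httpd_helper_t the new form is the intended fix, but the commit message describes a mechanical pattern swap and does not mention a subject change. Either keep `allow httpd_t httpd_config_t:file map;` (or change the httpd_t rule to `mmap_read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)`), or state the intended change in the commit message.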
103
104 diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
105 index 5a264e2f..84a49b16 100644
106 --- a/policy/modules/services/mysql.te
107 +++ b/policy/modules/services/mysql.te
108 @@ -74,8 +74,7 @@ allow mysqld_t self:unix_stream_socket { connectto accept listen };
109 allow mysqld_t self:tcp_socket { accept listen };
110
111 manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
112 -manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
113 -allow mysqld_t mysqld_db_t:file map;
114 +mmap_manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
115 manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
116 files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
117
118 @@ -91,8 +90,7 @@ manage_lnk_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
119 logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file })
120
121 manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
122 -manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
123 -allow mysqld_t mysqld_tmp_t:file map;
124 +mmap_manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
125 files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
126
127 manage_dirs_pattern(mysqld_t, mysqld_runtime_t, mysqld_runtime_t)
128
129 diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te
130 index a96e9dd9..da47d1e0 100644
131 --- a/policy/modules/services/postgrey.te
132 +++ b/policy/modules/services/postgrey.te
133 @@ -46,8 +46,7 @@ manage_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
134 manage_fifo_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
135 manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
136
137 -manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
138 -allow postgrey_t postgrey_var_lib_t:file map;
139 +mmap_manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
140 files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file)
141
142 manage_dirs_pattern(postgrey_t, postgrey_runtime_t, postgrey_runtime_t)
143
144 diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
145 index 855d846d..40b6684c 100644
146 --- a/policy/modules/services/samba.te
147 +++ b/policy/modules/services/samba.te
148 @@ -217,8 +217,7 @@ manage_files_pattern(samba_net_t, samba_net_tmp_t, samba_net_tmp_t)
149 files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
150
151 manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t)
152 -manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
153 -allow samba_net_t samba_var_t:file map;
154 +mmap_manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
155 manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
156 files_var_filetrans(samba_net_t, samba_var_t, dir, "samba")
157
158 @@ -303,8 +302,7 @@ manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
159 allow smbd_t samba_share_t:filesystem { getattr quotaget };
160
161 manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
162 -manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
163 -allow smbd_t samba_var_t:file map;
164 +mmap_manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
165 manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
166 manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
167 files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
168 @@ -314,8 +312,7 @@ manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
169 files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
170
171 manage_dirs_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
172 -manage_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
173 -allow smbd_t samba_runtime_t:file map;
174 +mmap_manage_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
175 manage_sock_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
176 files_runtime_filetrans(smbd_t, samba_runtime_t, { dir file })
177
178 @@ -530,8 +527,7 @@ allow nmbd_t self:unix_dgram_socket sendto;
179 allow nmbd_t self:unix_stream_socket { accept connectto listen };
180
181 manage_dirs_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
182 -manage_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
183 -allow nmbd_t samba_runtime_t:file map;
184 +mmap_manage_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
185 manage_sock_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
186 files_runtime_filetrans(nmbd_t, samba_runtime_t, { dir file sock_file })
187
188 @@ -543,8 +539,7 @@ append_files_pattern(nmbd_t, samba_log_t, samba_log_t)
189 create_files_pattern(nmbd_t, samba_log_t, samba_log_t)
190 setattr_files_pattern(nmbd_t, samba_log_t, samba_log_t)
191
192 -manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
193 -allow nmbd_t samba_var_t:file map;
194 +mmap_manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
195 manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t)
196 manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t)
197 files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd")
198
199 diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
200 index f9890df1..263574f5 100644
201 --- a/policy/modules/services/squid.te
202 +++ b/policy/modules/services/squid.te
203 @@ -91,8 +91,7 @@ manage_dirs_pattern(squid_t, squid_tmp_t, squid_tmp_t)
204 manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t)
205 files_tmp_filetrans(squid_t, squid_tmp_t, { file dir })
206
207 -manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
208 -allow squid_t squid_tmpfs_t:file map;
209 +mmap_manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
210 fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
211
212 manage_files_pattern(squid_t, squid_runtime_t, squid_runtime_t)