commit: e4b056799a16ac4b3e00106baa3297b2862684a0 |
Author: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
AuthorDate: Mon Apr 10 16:58:05 2017 +0000 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
CommitDate: Mon Apr 10 16:58:05 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e4b05679 |
|
Backport "Misc fc changes from Russel Coker." |
|
git apply failed, so this had to be done manually |
|
policy/modules/kernel/corecommands.fc | 5 +++++ |
policy/modules/kernel/corecommands.te | 2 +- |
policy/modules/kernel/files.fc | 1 + |
policy/modules/kernel/files.te | 2 +- |
policy/modules/kernel/terminal.fc | 4 +++- |
policy/modules/kernel/terminal.te | 2 +- |
policy/modules/services/xserver.fc | 4 ++++ |
policy/modules/services/xserver.te | 2 +- |
policy/modules/system/init.fc | 5 ++++- |
policy/modules/system/init.te | 2 +- |
policy/modules/system/libraries.fc | 1 + |
policy/modules/system/libraries.te | 2 +- |
policy/modules/system/lvm.fc | 2 ++ |
policy/modules/system/lvm.te | 2 +- |
policy/modules/system/udev.fc | 1 + |
policy/modules/system/udev.te | 2 +- |
16 files changed, 29 insertions(+), 10 deletions(-) |
|
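diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 2b645e4d..f86daaf7 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -153,6 +153,7 @@ ifdef(`distro_gentoo',`
 /usr/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
 
 /usr/lib/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/postfix/configure-instance\.sh -- gen_context(system_u:object_r:bin_t,s0)
 
 /usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -160,6 +161,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/at-spi2-core(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/avahi/avahi-daemon-check-dns\.sh -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/dovecot/.+ gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -205,6 +207,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/selinux/hll/pp -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ssh(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -266,6 +269,7 @@ ifdef(`distro_gentoo',`
 /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
 
+/usr/share/mdadm/checkarray -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/share/ajaxterm/ajaxterm.py.* -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/ajaxterm/qweb.py.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -299,6 +303,7 @@ ifdef(`distro_gentoo',`
 /usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/PackageKit/pk-upgrade-distro\.sh -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/PackageKit/helpers(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/reportbug/handle_bugscript -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)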
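Review bot: The new `/usr/lib/dovecot/.+` entry in the second hunk has no file-type modifier and a bare `.+`, so it matches every object under that directory, including the shared libraries that libraries.fc labels lib_t with `/usr/lib/dovecot/(.*/)?lib.*\.so.*` (that line is visible as context in this commit's libraries.fc hunk). Which label wins depends on the specificity ordering setfiles applies, so it is worth confirming with a dry run (`restorecon -nv /usr/lib/dovecot`) that the libraries keep lib_t rather than becoming bin_t; if the overlap is intended, a one-line comment saying so would spare the next reader the same check. Separately, `/usr/lib/postfix/configure-instance\.sh` (first hunk) and `/usr/share/mdadm/checkarray` (fourth hunk) are inserted outside the alphabetical order of their neighbours, unlike the other additions in this file.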
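diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index 1f532aa3..6f051a32 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.23.5)
+policy_module(corecommands, 1.23.6)
 
 ########################################
 #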
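diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index 548d1e03..e69a0025 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -215,6 +215,7 @@ HOME_ROOT/lost\+found/.* <<none>>
 ifdef(`distro_debian',`
 # on Debian /lib/init/rw is a tmpfs used like /run
 /usr/lib/init/rw(/.*)? gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
+/run/resolvconf(/.*)? -d gen_context(system_u:object_r:etc_t,s0)
 ')
 
 ifndef(`distro_redhat',`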
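Review bot: The new `/run/resolvconf(/.*)? -d` entry labels only directories, so the regular files written into that tree (presumably the generated resolv.conf and its per-interface fragments) are not covered by it and will take whatever label the generic /run pattern gives them, while the directories around them read as etc_t. If the whole tree is meant to be readable as etc_t, drop the modifier: `/run/resolvconf(/.*)? gen_context(system_u:object_r:etc_t,s0)`; if only the directories are intended, a one-line comment stating why the files are excluded would prevent this being "fixed" later. The entry also sits beneath the `/lib/init/rw` comment inside the `distro_debian` block, so that comment no longer describes everything that follows it.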
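diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 33c92c70..67be5c71 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.23.9)
+policy_module(files, 1.23.10)
 
 ########################################
 #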
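diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
index 6657b048..51199ac4 100644
--- a/policy/modules/kernel/terminal.fc
+++ b/policy/modules/kernel/terminal.fc
@@ -24,8 +24,10 @@
 /dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0)
 
 /dev/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
-/dev/pts/ptmx -c gen_context(system_u:object_r:devpts_t,s0)
 /dev/pts/[0-9]+ -c gen_context(system_u:object_r:user_devpts_t,s0)
+# if /dev/ptmx is a symlink to /dev/pts/ptmx then we need to have /dev/pts/ptmx
+# relabelled before sshd etc are ready to accept connections
+/dev/pts/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
 
 /dev/tts/[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
 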
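Review bot: The new comment above `/dev/pts/ptmx` gives the symlink rationale but not the mechanism, so a reader cannot tell from this file whether the ptmx_t label is expected to come from an early-boot relabel of devpts or from a rule in terminal.te, nor why the label changes from devpts_t to ptmx_t rather than staying with the directory it lives in. Extending the comment with one clause naming who performs the relabel and that ptmx_t is chosen to match the /dev/ptmx node would make the dependency explicit; the /dev/ptmx entry itself is outside this hunk, so consistency between the two cannot be checked here.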
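diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index a1fca0da..bf1e11ff 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -1,4 +1,4 @@
-policy_module(terminal, 1.16.2)
+policy_module(terminal, 1.16.3)
 
 ########################################
 #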
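diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index f9f541d4..201d28fa 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -33,6 +33,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
 /etc/kde[34]?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0)
 
 /etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/etc/sddm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
 
 /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
@@ -66,6 +67,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
 /usr/bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/[xkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/sddm -- gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
 /usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0)
@@ -116,6 +118,7 @@ ifndef(`distro_debian',`
 /var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
 /var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
 /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
+/var/lib/sddm(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
 
 /var/log/[kwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/lightdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
@@ -125,6 +128,7 @@ ifndef(`distro_debian',`
 /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
 
+/run/sddm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
 /run/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
 /run/gdm(3)?\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
 /run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)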
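Review bot: `/var/lib/sddm(/.*)?` in the third hunk is labelled xkb_var_lib_t, whereas the neighbouring display-manager state directories `/var/lib/lxdm(/.*)?` and `/var/lib/[xkw]dm(/.*)?` use xdm_var_lib_t and xkb_var_lib_t is used only for `/var/lib/xkb` on the line directly above; this looks like the wrong line was copied. Unless sddm really stores XKB data there, the entry should read `/var/lib/sddm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)`, otherwise the display-manager domain (presumably xdm_t, given `/usr/bin/sddm` is xdm_exec_t in the second hunk) may be denied write access to its own state directory and the denial will be hard to attribute. The other sddm entries in this section (`/etc/sddm/Xsession`, `/usr/bin/sddm`, `/run/sddm(/.*)?`) match their neighbours.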
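diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 5750e14e..a692f7a2 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.13.5)
+policy_module(xserver, 3.13.6)
 
 gen_require(`
 class x_drawable all_x_drawable_perms;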
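diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index d39bdee6..49c84772 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -38,7 +38,6 @@ ifdef(`distro_gentoo', `
 /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
 
-/usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
 /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
@@ -65,6 +64,10 @@ ifdef(`distro_gentoo', `
 ifdef(`distro_debian',`
 /run/hotkey-setup -- gen_context(system_u:object_r:initrc_var_run_t,s0)
 /run/kdm/.* -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+/etc/network/if-pre-up\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/network/if-up\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/network/if-down\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/network/if-post-down\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
 ')
 
 ifdef(`distro_gentoo', `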
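Review bot: The four `/etc/network/if-*\.d/.*` entries in the second hunk label every regular file in those hook directories initrc_exec_t, so any script a package or an administrator drops there becomes an init-script entry point for whichever domains are allowed to transition on initrc_exec_t; that is presumably the intent for ifupdown hooks, but a one-line comment saying so would let a reader judge the scope without reconstructing it. The four lines could also be a single entry, `/etc/network/if-(pre-up|up|down|post-down)\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)`, which keeps the directories in step if the label is ever changed. The first hunk removes `/usr/sbin/apachectl` from initrc_exec_t without the commit message mentioning it; whether the apache module now labels it, or it deliberately falls back to bin_t, should be confirmed before this is merged.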
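diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a0a1723c..aed3e65a 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.2.14)
+policy_module(init, 2.2.15)
 
 gen_require(`
 class passwd rootok;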
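diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 1bac9659..f174ab68 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -105,6 +105,7 @@ ifdef(`distro_debian',`
 /usr/(.*/)?dh-python/dh_pypy -- gen_context(system_u:object_r:lib_t,s0)
 ')
 
+/usr/lib/postfix/lib.*so.* -- gen_context(system_u:object_r:lib_t,s0)
 /usr/lib/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/dovecot/(.*/)?lib.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)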
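Review bot: The new `/usr/lib/postfix/lib.*so.*` pattern leaves the dot before `so` unescaped and ends in a bare `.*`, unlike the surrounding entries which write `\.so(\.[^/]*)*` (altivec, cedega) or at least `lib.*\.so.*` (dovecot), so it also matches any path under /usr/lib/postfix whose name merely contains the letters `so` after `lib`, not just shared-object files. Since lib_t is the type every domain may map and execute, the pattern should be as tight as its neighbours: `/usr/lib/postfix/lib.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)`. The entry would also normally sort after the dovecot line rather than above altivec.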
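diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index bf5a9b63..a4e2764d 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -1,4 +1,4 @@
-policy_module(libraries, 2.14.1)
+policy_module(libraries, 2.14.2)
 
 ########################################
 #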
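diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
index e9e7882e..d2f755f2 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
@@ -46,6 +46,7 @@ ifdef(`distro_gentoo',`
 /usr/sbin/lvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/lvextend -- gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/usr/sbin/lvmetad -- gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/lvm\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/lvmchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/lvmdiskscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -97,6 +98,7 @@ ifdef(`distro_gentoo',`
 /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
 /run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0)
 /run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
+/run/lvm(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0)
 
 ifdef(`distro_gentoo',`
 # Bug 529430 comment 7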
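diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 59cb1ba5..977a374b 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,4 +1,4 @@
-policy_module(lvm, 1.19.6)
+policy_module(lvm, 1.19.7)
 
 ########################################
 #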
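diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 709d8330..0e433bed 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -38,6 +38,7 @@ ifdef(`distro_redhat',`
 /run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
 
 ifdef(`distro_debian',`
+/run/console-setup(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
 /run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0)
 ')
 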
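diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 18b0e29c..f115d9f8 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.21.5)
+policy_module(udev, 1.21.6)
 
 ########################################
 #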