commit: 95bb9a0c4c8e7b00b48cd5ba7675efe259a03d41 |
Author: cgzones <cgzones <AT> googlemail <DOT> com> |
AuthorDate: Thu Jan 5 19:14:47 2017 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Mon Jan 23 12:56:05 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=95bb9a0c |
|
update screen module |
|
policy/modules/contrib/screen.fc | 10 +++++----- |
policy/modules/contrib/screen.if | 10 +++++----- |
policy/modules/contrib/screen.te | 29 ++++++++++++----------------- |
3 files changed, 22 insertions(+), 27 deletions(-) |
|
diff --git a/policy/modules/contrib/screen.fc b/policy/modules/contrib/screen.fc |
16 |
index 975d48f..7196c59 100644 |
17 |
--- a/policy/modules/contrib/screen.fc |
18 |
+++ b/policy/modules/contrib/screen.fc |
19 |
@@ -1,9 +1,9 @@ |
20 |
-HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0) |
21 |
+HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0) |
22 |
HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0) |
23 |
HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0) |
24 |
|
25 |
-/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0) |
26 |
-/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0) |
27 |
+/run/screen(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0) |
28 |
+/run/tmux(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0) |
29 |
|
30 |
-/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) |
31 |
-/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) |
32 |
+/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0) |
33 |
+/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0) |
34 |
|
35 |
diff --git a/policy/modules/contrib/screen.if b/policy/modules/contrib/screen.if |
36 |
index 2795f69..884e261 100644 |
37 |
--- a/policy/modules/contrib/screen.if |
38 |
+++ b/policy/modules/contrib/screen.if |
39 |
@@ -26,7 +26,7 @@ template(`screen_role_template',` |
40 |
attribute screen_domain; |
41 |
attribute_role screen_roles; |
42 |
type screen_exec_t, screen_tmp_t; |
43 |
- type screen_home_t, screen_var_run_t; |
44 |
+ type screen_home_t, screen_runtime_t; |
45 |
') |
46 |
|
47 |
######################################## |
48 |
@@ -69,10 +69,10 @@ template(`screen_role_template',` |
49 |
userdom_user_home_dir_filetrans($3, screen_home_t, file, ".screenrc") |
50 |
userdom_user_home_dir_filetrans($3, screen_home_t, file, ".tmux.conf") |
51 |
|
52 |
- manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t) |
53 |
- manage_files_pattern($3, screen_var_run_t, screen_var_run_t) |
54 |
- manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t) |
55 |
- manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t) |
56 |
+ manage_dirs_pattern($3, screen_runtime_t, screen_runtime_t) |
57 |
+ manage_files_pattern($3, screen_runtime_t, screen_runtime_t) |
58 |
+ manage_lnk_files_pattern($3, screen_runtime_t, screen_runtime_t) |
59 |
+ manage_fifo_files_pattern($3, screen_runtime_t, screen_runtime_t) |
60 |
|
61 |
corecmd_bin_domtrans($1_screen_t, $3) |
62 |
corecmd_shell_domtrans($1_screen_t, $3) |
63 |
|
64 |
diff --git a/policy/modules/contrib/screen.te b/policy/modules/contrib/screen.te |
65 |
index bebb3ec..d50f157 100644 |
66 |
--- a/policy/modules/contrib/screen.te |
67 |
+++ b/policy/modules/contrib/screen.te |
68 |
@@ -13,27 +13,23 @@ type screen_exec_t; |
69 |
application_executable_file(screen_exec_t) |
70 |
|
71 |
type screen_home_t; |
72 |
-typealias screen_home_t alias { user_screen_home_t staff_screen_home_t sysadm_screen_home_t }; |
73 |
-typealias screen_home_t alias { auditadm_screen_home_t secadm_screen_home_t }; |
74 |
userdom_user_home_content(screen_home_t) |
75 |
|
76 |
type screen_tmp_t; |
77 |
-typealias screen_tmp_t alias { user_screen_tmp_t staff_screen_tmp_t sysadm_screen_tmp_t }; |
78 |
-typealias screen_tmp_t alias { auditadm_screen_tmp_t secadm_screen_tmp_t }; |
79 |
userdom_user_tmp_file(screen_tmp_t) |
80 |
|
81 |
-type screen_var_run_t; |
82 |
-typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t }; |
83 |
-typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t }; |
84 |
-files_pid_file(screen_var_run_t) |
85 |
-ubac_constrained(screen_var_run_t) |
86 |
+type screen_runtime_t; |
87 |
+typealias screen_runtime_t alias screen_var_run_t; |
88 |
+files_pid_file(screen_runtime_t) |
89 |
+ubac_constrained(screen_runtime_t) |
90 |
|
91 |
######################################## |
92 |
# |
93 |
# Common screen domain local policy |
94 |
# |
95 |
|
96 |
-allow screen_domain self:capability { setuid setgid fsetid }; |
97 |
+# dac_override : read /dev/pts/ID |
98 |
+allow screen_domain self:capability { setuid setgid fsetid dac_override }; |
99 |
allow screen_domain self:process signal_perms; |
100 |
allow screen_domain self:fd use; |
101 |
allow screen_domain self:fifo_file rw_fifo_file_perms; |
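Review bot: Adding `dac_override` to every domain carrying the `screen_domain` attribute grants a full DAC bypass (read, write and search on any file the MAC policy already allows), while the comment on the line above only claims read access to /dev/pts/ID. If read/search is really all that is needed, the narrower `dac_read_search` capability covers it: `allow screen_domain self:capability { setuid setgid fsetid dac_read_search };`. If screen does in fact write to other users' ptys (multiuser mode, or a setuid install), keep `dac_override` but make the comment say so, e.g. `# dac_override : read/write other users' /dev/pts/ID (multiuser mode)`, so the grant is not narrowed later by mistake. Separately, this hunk drops the old per-role aliases (user_screen_home_t, screen_dir_t, ...); files still carrying those labels on disk will presumably show up as invalid after the policy update and need a relabel, which the commit message does not mention.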
102 |
@@ -44,12 +40,12 @@ manage_dirs_pattern(screen_domain, screen_tmp_t, screen_tmp_t) |
103 |
manage_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t) |
104 |
manage_fifo_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t) |
105 |
files_tmp_filetrans(screen_domain, screen_tmp_t, { file dir }) |
106 |
-filetrans_pattern(screen_domain, screen_tmp_t, screen_var_run_t, sock_file) |
107 |
+filetrans_pattern(screen_domain, screen_tmp_t, screen_runtime_t, sock_file) |
108 |
|
109 |
-manage_fifo_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t) |
110 |
-manage_dirs_pattern(screen_domain, screen_var_run_t, screen_var_run_t) |
111 |
-manage_sock_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t) |
112 |
-files_pid_filetrans(screen_domain, screen_var_run_t, dir) |
113 |
+manage_fifo_files_pattern(screen_domain, screen_runtime_t, screen_runtime_t) |
114 |
+manage_dirs_pattern(screen_domain, screen_runtime_t, screen_runtime_t) |
115 |
+manage_sock_files_pattern(screen_domain, screen_runtime_t, screen_runtime_t) |
116 |
+files_pid_filetrans(screen_domain, screen_runtime_t, dir) |
117 |
|
118 |
manage_dirs_pattern(screen_domain, screen_home_t, screen_home_t) |
119 |
read_files_pattern(screen_domain, screen_home_t, screen_home_t) |
120 |
@@ -91,8 +87,7 @@ fs_getattr_all_fs(screen_domain) |
121 |
|
122 |
auth_dontaudit_read_shadow(screen_domain) |
123 |
auth_dontaudit_exec_utempter(screen_domain) |
124 |
- |
125 |
-init_rw_utmp(screen_domain) |
126 |
+auth_rw_utmp(screen_domain) |
127 |
|
128 |
logging_send_syslog_msg(screen_domain) |