1 |
commit: f408383b96e3836399199bcd926d3726cc936163 |
2 |
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> |
3 |
AuthorDate: Sat Feb 4 20:19:35 2017 +0000 |
4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
5 |
CommitDate: Sun Feb 5 15:10:31 2017 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f408383b |
7 |
|
8 |
Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker. |
9 |
|
10 |
config/file_contexts.subs_dist | 8 +++- |
11 |
policy/modules/admin/bootloader.fc | 4 -- |
12 |
policy/modules/admin/bootloader.te | 2 +- |
13 |
policy/modules/admin/consoletype.fc | 3 -- |
14 |
policy/modules/admin/consoletype.te | 2 +- |
15 |
policy/modules/admin/dmesg.fc | 3 -- |
16 |
policy/modules/admin/dmesg.te | 2 +- |
17 |
policy/modules/admin/netutils.fc | 6 --- |
18 |
policy/modules/admin/netutils.te | 2 +- |
19 |
policy/modules/admin/su.fc | 3 -- |
20 |
policy/modules/admin/su.te | 2 +- |
21 |
policy/modules/admin/usermanage.fc | 4 -- |
22 |
policy/modules/admin/usermanage.te | 2 +- |
23 |
policy/modules/kernel/corecommands.fc | 70 +++++++----------------------- |
24 |
policy/modules/kernel/corecommands.te | 2 +- |
25 |
policy/modules/kernel/corenetwork.fc | 3 -- |
26 |
policy/modules/kernel/corenetwork.te.in | 2 +- |
27 |
policy/modules/kernel/devices.fc | 5 --- |
28 |
policy/modules/kernel/devices.te | 2 +- |
29 |
policy/modules/kernel/files.fc | 22 +++------- |
30 |
policy/modules/kernel/files.te | 2 +- |
31 |
policy/modules/kernel/filesystem.fc | 5 --- |
32 |
policy/modules/kernel/filesystem.te | 2 +- |
33 |
policy/modules/kernel/storage.fc | 3 -- |
34 |
policy/modules/kernel/storage.te | 2 +- |
35 |
policy/modules/kernel/terminal.fc | 2 +- |
36 |
policy/modules/kernel/terminal.te | 2 +- |
37 |
policy/modules/system/authlogin.fc | 15 ++----- |
38 |
policy/modules/system/authlogin.te | 2 +- |
39 |
policy/modules/system/clock.fc | 3 -- |
40 |
policy/modules/system/clock.te | 2 +- |
41 |
policy/modules/system/fstools.fc | 45 -------------------- |
42 |
policy/modules/system/fstools.te | 2 +- |
43 |
policy/modules/system/getty.fc | 3 -- |
44 |
policy/modules/system/getty.te | 2 +- |
45 |
policy/modules/system/hostname.fc | 3 -- |
46 |
policy/modules/system/hostname.te | 2 +- |
47 |
policy/modules/system/hotplug.fc | 3 -- |
48 |
policy/modules/system/hotplug.te | 2 +- |
49 |
policy/modules/system/init.fc | 29 ++++--------- |
50 |
policy/modules/system/init.te | 2 +- |
51 |
policy/modules/system/ipsec.fc | 2 - |
52 |
policy/modules/system/ipsec.te | 2 +- |
53 |
policy/modules/system/iptables.fc | 13 ------ |
54 |
policy/modules/system/iptables.te | 2 +- |
55 |
policy/modules/system/libraries.fc | 30 +++---------- |
56 |
policy/modules/system/libraries.te | 2 +- |
57 |
policy/modules/system/locallogin.fc | 4 -- |
58 |
policy/modules/system/locallogin.te | 2 +- |
59 |
policy/modules/system/logging.fc | 11 ----- |
60 |
policy/modules/system/logging.te | 2 +- |
61 |
policy/modules/system/lvm.fc | 75 ++------------------------------- |
62 |
policy/modules/system/lvm.te | 2 +- |
63 |
policy/modules/system/modutils.fc | 15 +------ |
64 |
policy/modules/system/modutils.te | 2 +- |
65 |
policy/modules/system/mount.fc | 8 ---- |
66 |
policy/modules/system/mount.te | 2 +- |
67 |
policy/modules/system/netlabel.fc | 2 - |
68 |
policy/modules/system/netlabel.te | 2 +- |
69 |
policy/modules/system/selinuxutil.fc | 7 --- |
70 |
policy/modules/system/selinuxutil.te | 2 +- |
71 |
policy/modules/system/setrans.fc | 2 - |
72 |
policy/modules/system/setrans.te | 2 +- |
73 |
policy/modules/system/sysnetwork.fc | 24 ----------- |
74 |
policy/modules/system/sysnetwork.te | 2 +- |
75 |
policy/modules/system/systemd.fc | 10 ----- |
76 |
policy/modules/system/systemd.te | 2 +- |
77 |
policy/modules/system/udev.fc | 23 ++++------ |
78 |
policy/modules/system/udev.te | 2 +- |
79 |
69 files changed, 93 insertions(+), 443 deletions(-) |
80 |
|
81 |
diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist |
82 |
index ade78dc..96c2765 100644 |
83 |
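--- a/config/file_contexts.subs_dist
+++ b/config/file_contexts.subs_dist
@@ -8,10 +8,14 @@
 # It does not perform substitutions as done by sed(1), for
 # example, but aliasing.
 #
+/bin /usr/bin
+/lib /usr/lib
+/lib32 /usr/lib
+/lib64 /usr/lib
+/libx32 /usr/libx32
+/sbin /usr/sbin
 /etc/init.d /etc/rc.d/init.d
 /lib/systemd /usr/lib/systemd
-/lib32 /lib
-/lib64 /lib
 /run/lock /var/lock
 /usr/lib32 /usr/lib
 /usr/lib64 /usr/lib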
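Review bot: `/libx32 /usr/libx32` is the only new alias that does not land on `/usr/lib`, and the visible context carries `/usr/lib32` and `/usr/lib64` entries but no `/usr/libx32 /usr/lib`, so unless that entry exists outside this hunk, paths under `/libx32` would be matched as `/usr/libx32/...` and miss every `/usr/lib` spec. Assuming aliases are applied in a single pass rather than chained (worth confirming), the line should read `/libx32 /usr/lib`, or a `/usr/libx32 /usr/lib` entry should be added next to the existing two. Separately, the later sections that only delete `/bin`, `/sbin` and `/lib` specs (bootloader.fc, fstools.fc and others) are safe only if every deleted line has a `/usr` counterpart. For example, `/sbin/lilo.*` and `/sbin/ybin.*` have none in the visible context of bootloader.fc, and a missing counterpart would leave that executable with the generic `bin_t` label instead of its entrypoint type.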
diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc |
104 |
index c43c428..d392595 100644 |
105 |
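--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -8,10 +8,6 @@
 /etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
 /etc/grub.d(/.*)? -- gen_context(system_u:object_r:bootloader_etc_t,s0)
 
-/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-
 /usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/sbin/grub2?-bios-setup -- gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/sbin/grub2?-install -- gen_context(system_u:object_r:bootloader_exec_t,s0)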
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te |
120 |
index 6be4f16..fd9df5c 100644 |
121 |
--- a/policy/modules/admin/bootloader.te |
122 |
+++ b/policy/modules/admin/bootloader.te |
123 |
@@ -1,4 +1,4 @@ |
124 |
-policy_module(bootloader, 1.17.0) |
125 |
+policy_module(bootloader, 1.17.1) |
126 |
|
127 |
######################################## |
128 |
# |
129 |
|
130 |
diff --git a/policy/modules/admin/consoletype.fc b/policy/modules/admin/consoletype.fc |
131 |
index 5d4fc31..c5190ee 100644 |
132 |
--- a/policy/modules/admin/consoletype.fc |
133 |
+++ b/policy/modules/admin/consoletype.fc |
134 |
@@ -1,4 +1 @@ |
135 |
- |
136 |
-/sbin/consoletype -- gen_context(system_u:object_r:consoletype_exec_t,s0) |
137 |
- |
138 |
/usr/sbin/consoletype -- gen_context(system_u:object_r:consoletype_exec_t,s0) |
139 |
|
140 |
diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te |
141 |
index 9ed8760..4d295c2 100644 |
142 |
--- a/policy/modules/admin/consoletype.te |
143 |
+++ b/policy/modules/admin/consoletype.te |
144 |
@@ -1,4 +1,4 @@ |
145 |
-policy_module(consoletype, 1.11.0) |
146 |
+policy_module(consoletype, 1.11.1) |
147 |
|
148 |
######################################## |
149 |
# |
150 |
|
151 |
diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc |
152 |
index 0685b19..e52fdfc 100644 |
153 |
--- a/policy/modules/admin/dmesg.fc |
154 |
+++ b/policy/modules/admin/dmesg.fc |
155 |
@@ -1,4 +1 @@ |
156 |
- |
157 |
-/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) |
158 |
- |
159 |
/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) |
160 |
|
161 |
diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te |
162 |
index 36eb120..4b36350 100644 |
163 |
--- a/policy/modules/admin/dmesg.te |
164 |
+++ b/policy/modules/admin/dmesg.te |
165 |
@@ -1,4 +1,4 @@ |
166 |
-policy_module(dmesg, 1.5.0) |
167 |
+policy_module(dmesg, 1.5.1) |
168 |
|
169 |
######################################## |
170 |
# |
171 |
|
172 |
diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc |
173 |
index 44cde12..5041c10 100644 |
174 |
--- a/policy/modules/admin/netutils.fc |
175 |
+++ b/policy/modules/admin/netutils.fc |
176 |
@@ -1,9 +1,3 @@ |
177 |
-/bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0) |
178 |
-/bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) |
179 |
-/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) |
180 |
- |
181 |
-/sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0) |
182 |
- |
183 |
/usr/bin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0) |
184 |
/usr/bin/lft -- gen_context(system_u:object_r:traceroute_exec_t,s0) |
185 |
/usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0) |
186 |
|
187 |
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te |
188 |
index 5525583..9eabff3 100644 |
189 |
--- a/policy/modules/admin/netutils.te |
190 |
+++ b/policy/modules/admin/netutils.te |
191 |
@@ -1,4 +1,4 @@ |
192 |
-policy_module(netutils, 1.16.0) |
193 |
+policy_module(netutils, 1.16.1) |
194 |
|
195 |
######################################## |
196 |
# |
197 |
|
198 |
diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc |
199 |
index 3d89250..3375c96 100644 |
200 |
--- a/policy/modules/admin/su.fc |
201 |
+++ b/policy/modules/admin/su.fc |
202 |
@@ -1,6 +1,3 @@ |
203 |
- |
204 |
-/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) |
205 |
- |
206 |
/usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0) |
207 |
/usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) |
208 |
/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) |
209 |
|
210 |
diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te |
211 |
index afdd022..e553769 100644 |
212 |
--- a/policy/modules/admin/su.te |
213 |
+++ b/policy/modules/admin/su.te |
214 |
@@ -1,4 +1,4 @@ |
215 |
-policy_module(su, 1.14.0) |
216 |
+policy_module(su, 1.14.1) |
217 |
|
218 |
######################################## |
219 |
# |
220 |
|
221 |
diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc |
222 |
index 1184395..0e00005 100644 |
223 |
--- a/policy/modules/admin/usermanage.fc |
224 |
+++ b/policy/modules/admin/usermanage.fc |
225 |
@@ -1,7 +1,3 @@ |
226 |
-ifdef(`distro_gentoo',` |
227 |
-/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0) |
228 |
-') |
229 |
- |
230 |
ifdef(`distro_debian',` |
231 |
/etc/cron\.daily/cracklib-runtime -- gen_context(system_u:object_r:crack_exec_t,s0) |
232 |
') |
233 |
|
234 |
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te |
235 |
index e11f53a..ab0ba0a 100644 |
236 |
--- a/policy/modules/admin/usermanage.te |
237 |
+++ b/policy/modules/admin/usermanage.te |
238 |
@@ -1,4 +1,4 @@ |
239 |
-policy_module(usermanage, 1.20.0) |
240 |
+policy_module(usermanage, 1.20.1) |
241 |
|
242 |
######################################## |
243 |
# |
244 |
|
245 |
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc |
246 |
index f2a1991..d8c7389 100644 |
247 |
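--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,21 +1,4 @@
 #
-# /bin
-#
-/bin -d gen_context(system_u:object_r:bin_t,s0)
-/bin/.* gen_context(system_u:object_r:bin_t,s0)
-/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0)
-/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
-
-#
 # /dev
 #
 /dev/MAKEDEV -- gen_context(system_u:object_r:bin_t,s0)
@@ -130,38 +113,6 @@ ifdef(`distro_debian',`
 ')
 
 #
-# /lib
-#
-
-/lib/nut/.* -- gen_context(system_u:object_r:bin_t,s0)
-/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
-/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
-/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0)
-/lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
-ifdef(`distro_gentoo',`
-#/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
-
-/lib/rcscripts/addons(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/lib/rcscripts/sh(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/lib/rcscripts/net\.modules\.d/helpers\.d/dhclient-.* -- gen_context(system_u:object_r:bin_t,s0)
-/lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
-/lib/rc/bin/.* -- gen_context(system_u:object_r:bin_t,s0)
-/lib/rc/sbin/.* -- gen_context(system_u:object_r:bin_t,s0)
-/lib/rc/sh/.* -- gen_context(system_u:object_r:bin_t,s0)
-')
-
-#
-# /sbin
-#
-/sbin -d gen_context(system_u:object_r:bin_t,s0)
-/sbin/.* gen_context(system_u:object_r:bin_t,s0)
-/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
-/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
-/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
-
-#
 # /opt
 #
 /opt/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -186,7 +137,7 @@ ifdef(`distro_gentoo',`
 # /usr
 #
 /usr/(.*/)?Bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -201,10 +152,10 @@ ifdef(`distro_gentoo',`
 /usr/bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
 
-/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 
 /usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 
 /usr/lib/at-spi2-core(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/avahi/avahi-daemon-check-dns\.sh -- gen_context(system_u:object_r:bin_t,s0)
@@ -294,18 +245,19 @@ ifdef(`distro_gentoo',`
 /usr/lib/nspluginwrapper/i386/linux/npviewer -- gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/lib/xulrunner-.*/plugin-container -- gen_context(system_u:object_r:bin_t,s0)
 
-/usr/lib/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
 /usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/libexec/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
 
 /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
 
+/usr/local/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/local/sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
 
+/usr/sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
 /usr/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
 /usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -368,6 +320,16 @@ ifdef(`distro_gentoo', `
 /usr/[^/]+-[^/]+-linux-gnu/binutils-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/[^/]+-[^/]+-linux-gnu/[^/]+/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/[^/]+-[^/]+-linux-gnu/[^/]+/binutils-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+#/usr/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib/rcscripts/addons(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/rcscripts/sh(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/rcscripts/net\.modules\.d/helpers\.d/dhclient-.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/rc/bin/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/rc/sbin/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/rc/sh/.* -- gen_context(system_u:object_r:bin_t,s0)
 ')
 
 ifdef(`distro_redhat', `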
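Review bot: The `/usr` hunks narrow `/usr/(.*/)?bin(/.*)?` to `/usr/bin(/.*)?` but leave `/usr/(.*/)?sbin(/.*)?` in place, so the added `/usr/sbin(/.*)?` and `/usr/local/sbin(/.*)?` lines are redundant, and nested `sbin` directories keep `bin_t` while nested `bin` directories lose it. If the narrowing is intended, the sbin catch-all should be dropped in the same change so the two behave alike. Any nested `bin` directory under `/usr` that no more specific spec covers will change label on the next relabel, which can break domain transitions or execute permissions for whatever lives there. Comparing labels before and after with a dry run such as `restorecon -n -v -R /usr` would show the affected paths. The deleted `/lib/nut`, `/lib/readahead`, `/lib/udev` and `/lib/upstart` specs likewise assume `/usr/lib` equivalents exist outside the visible hunks.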
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te |
373 |
index f7ca08a..ca4e75f 100644 |
374 |
--- a/policy/modules/kernel/corecommands.te |
375 |
+++ b/policy/modules/kernel/corecommands.te |
376 |
@@ -1,4 +1,4 @@ |
377 |
-policy_module(corecommands, 1.23.0) |
378 |
+policy_module(corecommands, 1.23.1) |
379 |
|
380 |
######################################## |
381 |
# |
382 |
|
383 |
diff --git a/policy/modules/kernel/corenetwork.fc b/policy/modules/kernel/corenetwork.fc |
384 |
index a717876..b8e9fb3 100644 |
385 |
--- a/policy/modules/kernel/corenetwork.fc |
386 |
+++ b/policy/modules/kernel/corenetwork.fc |
387 |
@@ -5,8 +5,5 @@ |
388 |
|
389 |
/dev/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) |
390 |
|
391 |
-/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0) |
392 |
-/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) |
393 |
- |
394 |
/usr/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0) |
395 |
/usr/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) |
396 |
|
397 |
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in |
398 |
index 0196dde..efae68a 100644 |
399 |
--- a/policy/modules/kernel/corenetwork.te.in |
400 |
+++ b/policy/modules/kernel/corenetwork.te.in |
401 |
@@ -1,4 +1,4 @@ |
402 |
-policy_module(corenetwork, 1.23.0) |
403 |
+policy_module(corenetwork, 1.23.1) |
404 |
|
405 |
######################################## |
406 |
# |
407 |
|
408 |
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc |
409 |
index 6a2e601..19cd972 100644 |
410 |
--- a/policy/modules/kernel/devices.fc |
411 |
+++ b/policy/modules/kernel/devices.fc |
412 |
@@ -194,11 +194,6 @@ ifdef(`distro_debian',` |
413 |
/etc/udev/devices -d gen_context(system_u:object_r:device_t,s0) |
414 |
|
415 |
# used by init scripts to initally populate udev /dev |
416 |
-/lib/udev/devices(/.*)? gen_context(system_u:object_r:device_t,s0) |
417 |
-/lib/udev/devices/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) |
418 |
-/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) |
419 |
-/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) |
420 |
- |
421 |
/usr/lib/udev/devices(/.*)? gen_context(system_u:object_r:device_t,s0) |
422 |
/usr/lib/udev/devices/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) |
423 |
/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) |
424 |
|
425 |
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te |
426 |
index 37dceb4..767da24 100644 |
427 |
--- a/policy/modules/kernel/devices.te |
428 |
+++ b/policy/modules/kernel/devices.te |
429 |
@@ -1,4 +1,4 @@ |
430 |
-policy_module(devices, 1.20.0) |
431 |
+policy_module(devices, 1.20.1) |
432 |
|
433 |
######################################## |
434 |
# |
435 |
|
436 |
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc |
437 |
index f506f56..39491e9 100644 |
438 |
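--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -104,17 +104,6 @@ HOME_ROOT/lost\+found/.* <<none>>
 /initrd -d gen_context(system_u:object_r:root_t,s0)
 
 #
-# /lib(64)?
-#
-/lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
-
-ifdef(`distro_debian',`
-# on Debian /lib/init/rw is a tmpfs used like /var/run but
-# before /var is mounted
-/lib/init/rw(/.*)? gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
-')
-
-#
 # /lost+found
 #
 /lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
@@ -185,11 +174,6 @@ ifdef(`distro_debian',`
 /srv/.* gen_context(system_u:object_r:var_t,s0)
 
 #
-# /usr/lib(64)?
-#
-/usr/lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
-
-#
 # /tmp
 #
 /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
@@ -231,6 +215,12 @@ ifdef(`distro_debian',`
 /usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
 /usr/tmp/.* <<none>>
 
+ifdef(`distro_debian',`
+# on Debian /lib/init/rw is a tmpfs used like /var/run but
+# before /var is mounted
+/usr/lib/init/rw(/.*)? gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
+')
+
 ifndef(`distro_redhat',`
 /usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0)
 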
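Review bot: Both `/lib/modules(/.*)?` and `/usr/lib/modules(/.*)?` are deleted here and none of the three hunks adds a `modules_object_t` spec back. Unless one remains outside the visible context or in another module's .fc file, kernel module trees would fall through to whatever generic `/usr/lib` spec applies and lose the type that module-loading rules are written against. With the new `/lib` to `/usr/lib` alias a single `/usr/lib/modules(/.*)?` line is enough, but it has to exist, so please confirm where it now lives. Minor: the relocated Debian comment still says `/lib/init/rw` above a `/usr/lib/init/rw` spec; adding `# matched as /usr/lib/init/rw via file_contexts.subs_dist` would keep the comment and the spec in agreement.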
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te |
485 |
index 3f4fdad..2d8fa23 100644 |
486 |
--- a/policy/modules/kernel/files.te |
487 |
+++ b/policy/modules/kernel/files.te |
488 |
@@ -1,4 +1,4 @@ |
489 |
-policy_module(files, 1.23.0) |
490 |
+policy_module(files, 1.23.1) |
491 |
|
492 |
######################################## |
493 |
# |
494 |
|
495 |
diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc |
496 |
index 2029784..f46a280 100644 |
497 |
--- a/policy/modules/kernel/filesystem.fc |
498 |
+++ b/policy/modules/kernel/filesystem.fc |
499 |
@@ -6,11 +6,6 @@ |
500 |
/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) |
501 |
/dev/shm/.* <<none>> |
502 |
|
503 |
-/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) |
504 |
-/lib/udev/devices/hugepages/.* <<none>> |
505 |
-/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0) |
506 |
-/lib/udev/devices/shm/.* <<none>> |
507 |
- |
508 |
/usr/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) |
509 |
/usr/lib/udev/devices/hugepages/.* <<none>> |
510 |
/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0) |
511 |
|
512 |
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te |
513 |
index 50a59ac..e6a6930 100644 |
514 |
--- a/policy/modules/kernel/filesystem.te |
515 |
+++ b/policy/modules/kernel/filesystem.te |
516 |
@@ -1,4 +1,4 @@ |
517 |
-policy_module(filesystem, 1.22.0) |
518 |
+policy_module(filesystem, 1.22.1) |
519 |
|
520 |
######################################## |
521 |
# |
522 |
|
523 |
diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc |
524 |
index cd1b439..375b10b 100644 |
525 |
--- a/policy/modules/kernel/storage.fc |
526 |
+++ b/policy/modules/kernel/storage.fc |
527 |
@@ -83,8 +83,5 @@ ifdef(`distro_redhat', ` |
528 |
|
529 |
/dev/usb/rio500 -c gen_context(system_u:object_r:removable_device_t,s0) |
530 |
|
531 |
-/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) |
532 |
-/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) |
533 |
- |
534 |
/usr/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) |
535 |
/usr/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) |
536 |
|
537 |
diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te |
538 |
index a049e30..59329dc 100644 |
539 |
--- a/policy/modules/kernel/storage.te |
540 |
+++ b/policy/modules/kernel/storage.te |
541 |
@@ -1,4 +1,4 @@ |
542 |
-policy_module(storage, 1.14.0) |
543 |
+policy_module(storage, 1.14.1) |
544 |
|
545 |
######################################## |
546 |
# |
547 |
|
548 |
diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc |
549 |
index 256ad29..6657b04 100644 |
550 |
--- a/policy/modules/kernel/terminal.fc |
551 |
+++ b/policy/modules/kernel/terminal.fc |
552 |
@@ -41,5 +41,5 @@ ifdef(`distro_gentoo',` |
553 |
/dev/tts/[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) |
554 |
|
555 |
# used by init scripts to initally populate udev /dev |
556 |
-/lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0) |
557 |
+/usr/lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0) |
558 |
') |
559 |
|
560 |
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te |
561 |
index d9415fc..b77752b 100644 |
562 |
--- a/policy/modules/kernel/terminal.te |
563 |
+++ b/policy/modules/kernel/terminal.te |
564 |
@@ -1,4 +1,4 @@ |
565 |
-policy_module(terminal, 1.16.0) |
566 |
+policy_module(terminal, 1.16.1) |
567 |
|
568 |
######################################## |
569 |
# |
570 |
|
571 |
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc |
572 |
index fe15c99..d68f6bb 100644 |
573 |
--- a/policy/modules/system/authlogin.fc |
574 |
+++ b/policy/modules/system/authlogin.fc |
575 |
@@ -1,21 +1,9 @@ |
576 |
- |
577 |
-/bin/login -- gen_context(system_u:object_r:login_exec_t,s0) |
578 |
- |
579 |
/etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) |
580 |
/etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0) |
581 |
/etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0) |
582 |
/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) |
583 |
/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) |
584 |
|
585 |
-/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) |
586 |
-/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) |
587 |
-/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) |
588 |
-/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) |
589 |
-/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) |
590 |
-ifdef(`distro_suse', ` |
591 |
-/sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) |
592 |
-') |
593 |
- |
594 |
/usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0) |
595 |
|
596 |
/usr/kerberos/sbin/login\.krb5 -- gen_context(system_u:object_r:login_exec_t,s0) |
597 |
@@ -29,6 +17,9 @@ ifdef(`distro_suse', ` |
598 |
/usr/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) |
599 |
/usr/sbin/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0) |
600 |
/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0) |
601 |
+ifdef(`distro_suse', ` |
602 |
+/usr/sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) |
603 |
+') |
604 |
|
605 |
/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) |
606 |
|
607 |
|
608 |
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te |
609 |
index afc873d..b427368 100644 |
610 |
--- a/policy/modules/system/authlogin.te |
611 |
+++ b/policy/modules/system/authlogin.te |
612 |
@@ -1,4 +1,4 @@ |
613 |
-policy_module(authlogin, 2.10.0) |
614 |
+policy_module(authlogin, 2.10.1) |
615 |
|
616 |
######################################## |
617 |
# |
618 |
|
619 |
diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc |
620 |
index 2ec76e2..61e6fe5 100644 |
621 |
--- a/policy/modules/system/clock.fc |
622 |
+++ b/policy/modules/system/clock.fc |
623 |
@@ -1,6 +1,3 @@ |
624 |
- |
625 |
/etc/adjtime -- gen_context(system_u:object_r:adjtime_t,s0) |
626 |
|
627 |
-/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) |
628 |
- |
629 |
/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) |
630 |
|
631 |
diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te |
632 |
index 6a54f6e..288422b 100644 |
633 |
--- a/policy/modules/system/clock.te |
634 |
+++ b/policy/modules/system/clock.te |
635 |
@@ -1,4 +1,4 @@ |
636 |
-policy_module(clock, 1.9.0) |
637 |
+policy_module(clock, 1.9.1) |
638 |
|
639 |
######################################## |
640 |
# |
641 |
|
642 |
diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc |
643 |
index 1f6f5f7..5249a70 100644 |
644 |
--- a/policy/modules/system/fstools.fc |
645 |
+++ b/policy/modules/system/fstools.fc |
646 |
@@ -1,48 +1,3 @@ |
647 |
-/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
648 |
-/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
649 |
-/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
650 |
-/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
651 |
-/sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
652 |
-/sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
653 |
-/sbin/dumpe2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
654 |
-/sbin/e2fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
655 |
-/sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
656 |
-/sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
657 |
-/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
658 |
-/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
659 |
-/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
660 |
-/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
661 |
-/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
662 |
-/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
663 |
-/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
664 |
-/sbin/lsraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
665 |
-/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
666 |
-/sbin/mkdosfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
667 |
-/sbin/mke2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
668 |
-/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
669 |
-/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
670 |
-/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
671 |
-/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
672 |
-/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
673 |
-/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
674 |
-/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
675 |
-/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
676 |
-/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
677 |
-/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
678 |
-/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
679 |
-/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
680 |
-/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
681 |
-/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
682 |
-/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
683 |
-/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
684 |
-/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
685 |
-/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
686 |
-/sbin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
687 |
-/sbin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
688 |
-/sbin/zpios -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
689 |
-/sbin/zstreamdump -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
690 |
-/sbin/ztest -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
691 |
- |
692 |
/usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
693 |
/usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
694 |
/usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
695 |
|
696 |
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te |
697 |
index b2c7f9a..16bd067 100644 |
698 |
--- a/policy/modules/system/fstools.te |
699 |
+++ b/policy/modules/system/fstools.te |
700 |
@@ -1,4 +1,4 @@ |
701 |
-policy_module(fstools, 1.20.0) |
702 |
+policy_module(fstools, 1.20.1) |
703 |
|
704 |
######################################## |
705 |
# |
706 |
|
707 |
diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc |
708 |
index 77dc825..07d2ada 100644 |
709 |
--- a/policy/modules/system/getty.fc |
710 |
+++ b/policy/modules/system/getty.fc |
711 |
@@ -1,8 +1,5 @@ |
712 |
- |
713 |
/etc/mgetty(/.*)? gen_context(system_u:object_r:getty_etc_t,s0) |
714 |
|
715 |
-/sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0) |
716 |
- |
717 |
/usr/sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0) |
718 |
|
719 |
/var/log/mgetty\.log.* -- gen_context(system_u:object_r:getty_log_t,s0) |
720 |
|
721 |
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te |
722 |
index 3b849cb..af89899 100644 |
723 |
--- a/policy/modules/system/getty.te |
724 |
+++ b/policy/modules/system/getty.te |
725 |
@@ -1,4 +1,4 @@ |
726 |
-policy_module(getty, 1.12.0) |
727 |
+policy_module(getty, 1.12.1) |
728 |
|
729 |
######################################## |
730 |
# |
731 |
|
732 |
diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc |
733 |
index 6d00f5c..83ddeb5 100644 |
734 |
--- a/policy/modules/system/hostname.fc |
735 |
+++ b/policy/modules/system/hostname.fc |
736 |
@@ -1,4 +1 @@ |
737 |
- |
738 |
-/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0) |
739 |
- |
740 |
/usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0) |
741 |
|
742 |
diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te |
743 |
index a25fdf2..f4036d8 100644 |
744 |
--- a/policy/modules/system/hostname.te |
745 |
+++ b/policy/modules/system/hostname.te |
746 |
@@ -1,4 +1,4 @@ |
747 |
-policy_module(hostname, 1.10.0) |
748 |
+policy_module(hostname, 1.10.1) |
749 |
|
750 |
######################################## |
751 |
# |
752 |
|
753 |
diff --git a/policy/modules/system/hotplug.fc b/policy/modules/system/hotplug.fc |
754 |
index 9ef3e9f..05e1d78 100644 |
755 |
--- a/policy/modules/system/hotplug.fc |
756 |
+++ b/policy/modules/system/hotplug.fc |
757 |
@@ -7,8 +7,5 @@ |
758 |
/run/usb(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0) |
759 |
/run/hotplug(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0) |
760 |
|
761 |
-/sbin/hotplug -- gen_context(system_u:object_r:hotplug_exec_t,s0) |
762 |
-/sbin/netplugd -- gen_context(system_u:object_r:hotplug_exec_t,s0) |
763 |
- |
764 |
/usr/sbin/hotplug -- gen_context(system_u:object_r:hotplug_exec_t,s0) |
765 |
/usr/sbin/netplugd -- gen_context(system_u:object_r:hotplug_exec_t,s0) |
766 |
|
767 |
diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te |
768 |
index 11a5bce..4572650 100644 |
769 |
--- a/policy/modules/system/hotplug.te |
770 |
+++ b/policy/modules/system/hotplug.te |
771 |
@@ -1,4 +1,4 @@ |
772 |
-policy_module(hotplug, 1.18.0) |
773 |
+policy_module(hotplug, 1.18.1) |
774 |
|
775 |
######################################## |
776 |
# |
777 |
|
778 |
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc |
779 |
index a5c9bfa..3e1365c 100644 |
780 |
--- a/policy/modules/system/init.fc |
781 |
+++ b/policy/modules/system/init.fc |
782 |
@@ -20,26 +20,6 @@ ifdef(`distro_gentoo',` |
783 |
/dev/initctl -p gen_context(system_u:object_r:initctl_t,s0) |
784 |
|
785 |
# |
786 |
-# /lib |
787 |
-# |
788 |
-/lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0) |
789 |
- |
790 |
-ifdef(`distro_gentoo', ` |
791 |
-/lib/rc/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0) |
792 |
-') |
793 |
- |
794 |
-# |
795 |
-# /sbin |
796 |
-# |
797 |
-/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) |
798 |
-# because nowadays, /sbin/init is often a symlink to /sbin/upstart |
799 |
-/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) |
800 |
- |
801 |
-ifdef(`distro_gentoo', ` |
802 |
-/sbin/rc -- gen_context(system_u:object_r:rc_exec_t,s0) |
803 |
-') |
804 |
- |
805 |
-# |
806 |
# /usr |
807 |
# |
808 |
/usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0) |
809 |
@@ -50,6 +30,11 @@ ifdef(`distro_gentoo', ` |
810 |
/usr/lib/systemd/ntp-units\.d -d gen_context(system_u:object_r:systemd_unit_t,s0) |
811 |
/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0) |
812 |
|
813 |
+ifdef(`distro_gentoo', ` |
814 |
+/usr/lib/rc/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0) |
815 |
+') |
816 |
+ |
817 |
+ |
818 |
/usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) |
819 |
/usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) |
820 |
|
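Review bot: The added `/usr/lib/rc/init\.d(/.*)?` entry replaces the `/lib/rc/init\.d(/.*)?` line removed earlier in this file, so the `/lib` path is now labelled only through the / to /usr equivalence, and nothing in the file says so. A short comment above the block, e.g. `# also covers /lib/rc/init.d via config/file_contexts.subs_dist`, would keep a later maintainer from re-adding or "correcting" the path. The same applies to the `/usr/sbin/rc` block in the next hunk and to the `/usr/bin/cryptsetup` block in lvm.fc. The hunk also adds two blank lines after the block, where the surrounding entries are separated by one.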
821 |
@@ -58,6 +43,10 @@ ifdef(`distro_gentoo', ` |
822 |
/usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) |
823 |
/usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) |
824 |
|
825 |
+ifdef(`distro_gentoo', ` |
826 |
+/usr/sbin/rc -- gen_context(system_u:object_r:rc_exec_t,s0) |
827 |
+') |
828 |
+ |
829 |
# |
830 |
# /var |
831 |
# |
832 |
|
833 |
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te |
834 |
index 3b7eea2..c688c89 100644 |
835 |
--- a/policy/modules/system/init.te |
836 |
+++ b/policy/modules/system/init.te |
837 |
@@ -1,4 +1,4 @@ |
838 |
-policy_module(init, 2.2.0) |
839 |
+policy_module(init, 2.2.1) |
840 |
|
841 |
gen_require(` |
842 |
class passwd rootok; |
843 |
|
844 |
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc |
845 |
index d741318..a1fb308 100644 |
846 |
--- a/policy/modules/system/ipsec.fc |
847 |
+++ b/policy/modules/system/ipsec.fc |
848 |
@@ -18,8 +18,6 @@ |
849 |
/etc/swanctl -d gen_context(system_u:object_r:ipsec_conf_file_t,s0) |
850 |
/etc/swanctl/swanctl.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) |
851 |
|
852 |
-/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) |
853 |
- |
854 |
/usr/lib/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) |
855 |
/usr/lib/ipsec/_plutorun -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) |
856 |
/usr/lib/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0) |
857 |
|
858 |
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te |
859 |
index 012d463..6801811 100644 |
860 |
--- a/policy/modules/system/ipsec.te |
861 |
+++ b/policy/modules/system/ipsec.te |
862 |
@@ -1,4 +1,4 @@ |
863 |
-policy_module(ipsec, 1.17.0) |
864 |
+policy_module(ipsec, 1.17.1) |
865 |
|
866 |
######################################## |
867 |
# |
868 |
|
869 |
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc |
870 |
index 70790fc..01b404f 100644 |
871 |
--- a/policy/modules/system/iptables.fc |
872 |
+++ b/policy/modules/system/iptables.fc |
873 |
@@ -4,19 +4,6 @@ |
874 |
/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) |
875 |
/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0) |
876 |
|
877 |
-/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) |
878 |
-/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) |
879 |
-/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) |
880 |
-/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0) |
881 |
-/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0) |
882 |
-/sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) |
883 |
-/sbin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) |
884 |
-/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0) |
885 |
-/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) |
886 |
-/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) |
887 |
-/sbin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0) |
888 |
-/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) |
889 |
- |
890 |
/usr/lib/systemd/system/[^/]*arptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0) |
891 |
/usr/lib/systemd/system/[^/]*ebtables.* -- gen_context(system_u:object_r:iptables_unit_t,s0) |
892 |
/usr/lib/systemd/system/[^/]*ip6tables.* -- gen_context(system_u:object_r:iptables_unit_t,s0) |
893 |
|
894 |
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te |
895 |
index 6ad95f4..e062e44 100644 |
896 |
--- a/policy/modules/system/iptables.te |
897 |
+++ b/policy/modules/system/iptables.te |
898 |
@@ -1,4 +1,4 @@ |
899 |
-policy_module(iptables, 1.18.0) |
900 |
+policy_module(iptables, 1.18.1) |
901 |
|
902 |
######################################## |
903 |
# |
904 |
|
905 |
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc |
906 |
index 126e120..1bac965 100644 |
907 |
--- a/policy/modules/system/libraries.fc |
908 |
+++ b/policy/modules/system/libraries.fc |
909 |
@@ -33,16 +33,6 @@ ifdef(`distro_redhat',` |
910 |
/etc/ppp/plugins/rp-pppoe\.so -- gen_context(system_u:object_r:lib_t,s0) |
911 |
|
912 |
# |
913 |
-# /lib(64)? |
914 |
-# |
915 |
-/lib -d gen_context(system_u:object_r:lib_t,s0) |
916 |
-/lib -l gen_context(system_u:object_r:lib_t,s0) |
917 |
-/lib/.* gen_context(system_u:object_r:lib_t,s0) |
918 |
-/lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) |
919 |
- |
920 |
-/lib/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) |
921 |
- |
922 |
-# |
923 |
# /opt |
924 |
# |
925 |
/opt/.*\.so gen_context(system_u:object_r:lib_t,s0) |
926 |
@@ -91,13 +81,11 @@ ifdef(`distro_redhat',` |
927 |
') |
928 |
|
929 |
# |
930 |
-# /sbin |
931 |
-# |
932 |
-/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0) |
933 |
- |
934 |
-# |
935 |
# /usr |
936 |
# |
937 |
+/usr/lib gen_context(system_u:object_r:lib_t,s0) |
938 |
+/usr/lib/.* gen_context(system_u:object_r:lib_t,s0) |
939 |
+ |
940 |
/usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) |
941 |
/usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) |
942 |
|
943 |
@@ -108,8 +96,8 @@ ifdef(`distro_redhat',` |
944 |
/usr/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0) |
945 |
/usr/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0) |
946 |
|
947 |
-/usr/(.*/)?lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0) |
948 |
-/usr/(.*/)?lib64(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0) |
949 |
+/usr/lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) |
950 |
+/usr/lib/(.*/)?ld-[^/]*\.so(\.[^/]*)? -- gen_context(system_u:object_r:ld_so_t,s0) |
951 |
|
952 |
/usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) |
953 |
|
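Review bot: The two added `ld_so_t` patterns are narrower than the ones they replace: the removed `/usr/(.*/)?lib(/.*)?/ld-[^/]*\.so(\.[^/]*)*` also matched a loader under a nested directory such as `/usr/<dir>/lib/`, while the new ones are anchored at `/usr/lib/`, so such a loader now appears to fall through to the `lib_t` entries at the top of this hunk. If the narrowing is intended it deserves a comment; if not, a form like `/usr/(.*/)?lib/(.*/)?ld-[^/]*\.so(\.[^/]*)* --` keeps the old reach. The `lib64` variant is dropped too, which presumably relies on a `/usr/lib64` substitution in `config/file_contexts.subs_dist` that is not shown here. The second added pattern ends in `(\.[^/]*)?` where the first uses `(\.[^/]*)*`; both match the same names, and because `(.*/)?` is optional the second line already covers the first, so one line with the `*` suffix would do.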
954 |
@@ -167,14 +155,6 @@ ifdef(`distro_debian',` |
955 |
/usr/lib/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) |
956 |
/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) |
957 |
|
958 |
-ifdef(`distro_debian',` |
959 |
-/usr/lib -l gen_context(system_u:object_r:lib_t,s0) |
960 |
-') |
961 |
- |
962 |
-ifdef(`distro_gentoo',` |
963 |
-/usr/lib -l gen_context(system_u:object_r:lib_t,s0) |
964 |
-') |
965 |
- |
966 |
/usr/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0) |
967 |
|
968 |
ifdef(`distro_redhat',` |
969 |
|
970 |
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te |
971 |
index ef8780c..bf5a9b6 100644 |
972 |
--- a/policy/modules/system/libraries.te |
973 |
+++ b/policy/modules/system/libraries.te |
974 |
@@ -1,4 +1,4 @@ |
975 |
-policy_module(libraries, 2.14.0) |
976 |
+policy_module(libraries, 2.14.1) |
977 |
|
978 |
######################################## |
979 |
# |
980 |
|
981 |
diff --git a/policy/modules/system/locallogin.fc b/policy/modules/system/locallogin.fc |
982 |
index 06b5de6..755e304 100644 |
983 |
--- a/policy/modules/system/locallogin.fc |
984 |
+++ b/policy/modules/system/locallogin.fc |
985 |
@@ -1,6 +1,2 @@ |
986 |
- |
987 |
-/sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0) |
988 |
-/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0) |
989 |
- |
990 |
/usr/sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0) |
991 |
/usr/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0) |
992 |
|
993 |
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te |
994 |
index eb645f4..8748ca8 100644 |
995 |
--- a/policy/modules/system/locallogin.te |
996 |
+++ b/policy/modules/system/locallogin.te |
997 |
@@ -1,4 +1,4 @@ |
998 |
-policy_module(locallogin, 1.15.0) |
999 |
+policy_module(locallogin, 1.15.1) |
1000 |
|
1001 |
######################################## |
1002 |
# |
1003 |
|
1004 |
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc |
1005 |
index c5b20f7..6258954 100644 |
1006 |
--- a/policy/modules/system/logging.fc |
1007 |
+++ b/policy/modules/system/logging.fc |
1008 |
@@ -6,17 +6,6 @@ |
1009 |
/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0) |
1010 |
/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) |
1011 |
|
1012 |
-/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) |
1013 |
-/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0) |
1014 |
-/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) |
1015 |
-/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) |
1016 |
-/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) |
1017 |
-/sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) |
1018 |
-/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0) |
1019 |
-/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) |
1020 |
-/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) |
1021 |
-/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) |
1022 |
- |
1023 |
/usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0) |
1024 |
/usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0) |
1025 |
/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0) |
1026 |
|
1027 |
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te |
1028 |
index 311d0a0..9232f26 100644 |
1029 |
--- a/policy/modules/system/logging.te |
1030 |
+++ b/policy/modules/system/logging.te |
1031 |
@@ -1,4 +1,4 @@ |
1032 |
-policy_module(logging, 1.25.0) |
1033 |
+policy_module(logging, 1.25.1) |
1034 |
|
1035 |
######################################## |
1036 |
# |
1037 |
|
1038 |
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc |
1039 |
index 48c2df1..8f4988e 100644 |
1040 |
--- a/policy/modules/system/lvm.fc |
1041 |
+++ b/policy/modules/system/lvm.fc |
1042 |
@@ -1,16 +1,8 @@ |
1043 |
- |
1044 |
# LVM creates lock files in /var before /var is mounted |
1045 |
# configure LVM to put lockfiles in /etc/lvm/lock instead |
1046 |
# for this policy to work (unless you have no separate /var) |
1047 |
|
1048 |
# |
1049 |
-# /bin |
1050 |
-# |
1051 |
-ifdef(`distro_gentoo',` |
1052 |
-/bin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1053 |
-') |
1054 |
- |
1055 |
-# |
1056 |
# /dev |
1057 |
# |
1058 |
/dev/.lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) |
1059 |
@@ -29,71 +21,12 @@ ifdef(`distro_gentoo',` |
1060 |
/etc/lvmtab\.d(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) |
1061 |
|
1062 |
# |
1063 |
-# /lib |
1064 |
-# |
1065 |
-/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1066 |
-/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1067 |
-/lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1068 |
- |
1069 |
-# |
1070 |
-# /sbin |
1071 |
-# |
1072 |
-/sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1073 |
-/sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1074 |
-/sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1075 |
-/sbin/dmsetup\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1076 |
-/sbin/e2fsadm -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1077 |
-/sbin/lvchange -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1078 |
-/sbin/lvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1079 |
-/sbin/lvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1080 |
-/sbin/lvextend -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1081 |
-/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1082 |
-/sbin/lvm\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1083 |
-/sbin/lvmchange -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1084 |
-/sbin/lvmdiskscan -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1085 |
-/sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1086 |
-/sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1087 |
-/sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1088 |
-/sbin/lvreduce -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1089 |
-/sbin/lvremove -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1090 |
-/sbin/lvrename -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1091 |
-/sbin/lvresize -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1092 |
-/sbin/lvs -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1093 |
-/sbin/lvscan -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1094 |
-/sbin/multipathd -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1095 |
-/sbin/multipath\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1096 |
-/sbin/pvchange -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1097 |
-/sbin/pvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1098 |
-/sbin/pvdata -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1099 |
-/sbin/pvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1100 |
-/sbin/pvmove -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1101 |
-/sbin/pvremove -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1102 |
-/sbin/pvs -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1103 |
-/sbin/pvscan -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1104 |
-/sbin/vgcfgbackup -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1105 |
-/sbin/vgcfgrestore -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1106 |
-/sbin/vgchange -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1107 |
-/sbin/vgchange\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1108 |
-/sbin/vgck -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1109 |
-/sbin/vgcreate -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1110 |
-/sbin/vgdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1111 |
-/sbin/vgexport -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1112 |
-/sbin/vgextend -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1113 |
-/sbin/vgimport -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1114 |
-/sbin/vgmerge -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1115 |
-/sbin/vgmknodes -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1116 |
-/sbin/vgreduce -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1117 |
-/sbin/vgremove -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1118 |
-/sbin/vgrename -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1119 |
-/sbin/vgs -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1120 |
-/sbin/vgscan -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1121 |
-/sbin/vgscan\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1122 |
-/sbin/vgsplit -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1123 |
-/sbin/vgwrapper -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1124 |
- |
1125 |
-# |
1126 |
# /usr |
1127 |
# |
1128 |
+ifdef(`distro_gentoo',` |
1129 |
+/usr/bin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1130 |
+') |
1131 |
+ |
1132 |
/usr/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1133 |
/usr/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) |
1134 |
/usr/lib/systemd/system/blk-availability.* -- gen_context(system_u:object_r:lvm_unit_t,s0) |
1135 |
|
1136 |
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te |
1137 |
index a179b18..3dc2dca 100644 |
1138 |
--- a/policy/modules/system/lvm.te |
1139 |
+++ b/policy/modules/system/lvm.te |
1140 |
@@ -1,4 +1,4 @@ |
1141 |
-policy_module(lvm, 1.19.0) |
1142 |
+policy_module(lvm, 1.19.1) |
1143 |
|
1144 |
######################################## |
1145 |
# |
1146 |
|
1147 |
diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc |
1148 |
index 410e4b7..b12547a 100644 |
1149 |
--- a/policy/modules/system/modutils.fc |
1150 |
+++ b/policy/modules/system/modutils.fc |
1151 |
@@ -1,5 +1,3 @@ |
1152 |
-/bin/kmod -- gen_context(system_u:object_r:kmod_exec_t,s0) |
1153 |
- |
1154 |
/etc/modules\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0) |
1155 |
/etc/modprobe\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0) |
1156 |
/etc/modprobe\.d(/.*)? gen_context(system_u:object_r:modules_conf_t,s0) |
1157 |
@@ -10,22 +8,11 @@ ifdef(`distro_gentoo',` |
1158 |
/etc/modprobe.devfs.* -- gen_context(system_u:object_r:modules_conf_t,s0) |
1159 |
') |
1160 |
|
1161 |
-/lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0) |
1162 |
- |
1163 |
-/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0) |
1164 |
- |
1165 |
/run/tmpfiles\.d/kmod\.conf -- gen_context(system_u:object_r:kmod_var_run_t,s0) |
1166 |
|
1167 |
-/sbin/depmod.* -- gen_context(system_u:object_r:kmod_exec_t,s0) |
1168 |
-/sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:kmod_exec_t,s0) |
1169 |
-/sbin/insmod.* -- gen_context(system_u:object_r:kmod_exec_t,s0) |
1170 |
-/sbin/modprobe.* -- gen_context(system_u:object_r:kmod_exec_t,s0) |
1171 |
-/sbin/modules-update -- gen_context(system_u:object_r:kmod_exec_t,s0) |
1172 |
-/sbin/rmmod.* -- gen_context(system_u:object_r:kmod_exec_t,s0) |
1173 |
-/sbin/update-modules -- gen_context(system_u:object_r:kmod_exec_t,s0) |
1174 |
- |
1175 |
/usr/bin/kmod -- gen_context(system_u:object_r:kmod_exec_t,s0) |
1176 |
|
1177 |
+/usr/lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0) |
1178 |
/usr/lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0) |
1179 |
/usr/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0) |
1180 |
|
1181 |
|
1182 |
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te |
1183 |
index a76339b..901cdea 100644 |
1184 |
--- a/policy/modules/system/modutils.te |
1185 |
+++ b/policy/modules/system/modutils.te |
1186 |
@@ -1,4 +1,4 @@ |
1187 |
-policy_module(modutils, 1.17.0) |
1188 |
+policy_module(modutils, 1.17.1) |
1189 |
|
1190 |
######################################## |
1191 |
# |
1192 |
|
1193 |
diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc |
1194 |
index 182d0fd..39ea6f5 100644 |
1195 |
--- a/policy/modules/system/mount.fc |
1196 |
+++ b/policy/modules/system/mount.fc |
1197 |
@@ -1,11 +1,3 @@ |
1198 |
-/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) |
1199 |
-/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) |
1200 |
-/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) |
1201 |
- |
1202 |
-/sbin/mount\.zfs -- gen_context(system_u:object_r:mount_exec_t,s0) |
1203 |
-/sbin/zfs -- gen_context(system_u:object_r:mount_exec_t,s0) |
1204 |
-/sbin/zpool -- gen_context(system_u:object_r:mount_exec_t,s0) |
1205 |
- |
1206 |
/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) |
1207 |
/usr/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) |
1208 |
/usr/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) |
1209 |
|
1210 |
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te |
1211 |
index 0d20a69..fc25ee0 100644 |
1212 |
--- a/policy/modules/system/mount.te |
1213 |
+++ b/policy/modules/system/mount.te |
1214 |
@@ -1,4 +1,4 @@ |
1215 |
-policy_module(mount, 1.19.0) |
1216 |
+policy_module(mount, 1.19.1) |
1217 |
|
1218 |
######################################## |
1219 |
# |
1220 |
|
1221 |
diff --git a/policy/modules/system/netlabel.fc b/policy/modules/system/netlabel.fc |
1222 |
index 9348c8c..f44bf7a 100644 |
1223 |
--- a/policy/modules/system/netlabel.fc |
1224 |
+++ b/policy/modules/system/netlabel.fc |
1225 |
@@ -1,3 +1 @@ |
1226 |
-/sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0) |
1227 |
- |
1228 |
/usr/sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0) |
1229 |
|
1230 |
diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te |
1231 |
index c0a73af..bff50bd 100644 |
1232 |
--- a/policy/modules/system/netlabel.te |
1233 |
+++ b/policy/modules/system/netlabel.te |
1234 |
@@ -1,4 +1,4 @@ |
1235 |
-policy_module(netlabel, 1.5.0) |
1236 |
+policy_module(netlabel, 1.5.1) |
1237 |
|
1238 |
######################################## |
1239 |
# |
1240 |
|
1241 |
diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc |
1242 |
index 1c5d836..8159897 100644 |
1243 |
--- a/policy/modules/system/selinuxutil.fc |
1244 |
+++ b/policy/modules/system/selinuxutil.fc |
1245 |
@@ -20,13 +20,6 @@ |
1246 |
/root/\.default_contexts -- gen_context(system_u:object_r:default_context_t,s0) |
1247 |
|
1248 |
# |
1249 |
-# /sbin |
1250 |
-# |
1251 |
-/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0) |
1252 |
-/sbin/restorecon -- gen_context(system_u:object_r:setfiles_exec_t,s0) |
1253 |
-/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0) |
1254 |
- |
1255 |
-# |
1256 |
# /usr |
1257 |
# |
1258 |
/usr/bin/checkpolicy -- gen_context(system_u:object_r:checkpolicy_exec_t,s0) |
1259 |
|
1260 |
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te |
1261 |
index 1117206..ed15375 100644 |
1262 |
--- a/policy/modules/system/selinuxutil.te |
1263 |
+++ b/policy/modules/system/selinuxutil.te |
1264 |
@@ -1,4 +1,4 @@ |
1265 |
-policy_module(selinuxutil, 1.22.0) |
1266 |
+policy_module(selinuxutil, 1.22.1) |
1267 |
|
1268 |
gen_require(` |
1269 |
bool secure_mode; |
1270 |
|
1271 |
diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc |
1272 |
index 2ed445d..6e60bbe 100644 |
1273 |
--- a/policy/modules/system/setrans.fc |
1274 |
+++ b/policy/modules/system/setrans.fc |
1275 |
@@ -2,8 +2,6 @@ |
1276 |
|
1277 |
/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh) |
1278 |
|
1279 |
-/sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0) |
1280 |
- |
1281 |
/usr/lib/systemd/system/mcstrans.*\.service -- gen_context(system_u:object_r:setrans_unit_t,s0) |
1282 |
|
1283 |
/usr/sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0) |
1284 |
|
1285 |
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te |
1286 |
index ffd287c..c68f97e 100644 |
1287 |
--- a/policy/modules/system/setrans.te |
1288 |
+++ b/policy/modules/system/setrans.te |
1289 |
@@ -1,4 +1,4 @@ |
1290 |
-policy_module(setrans, 1.13.0) |
1291 |
+policy_module(setrans, 1.13.1) |
1292 |
|
1293 |
gen_require(` |
1294 |
class context contains; |
1295 |
|
1296 |
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc |
1297 |
index 1847cc5..a295f46 100644 |
1298 |
--- a/policy/modules/system/sysnetwork.fc |
1299 |
+++ b/policy/modules/system/sysnetwork.fc |
1300 |
@@ -1,11 +1,5 @@ |
1301 |
|
1302 |
# |
1303 |
-# /bin |
1304 |
-# |
1305 |
-/bin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
1306 |
-/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
1307 |
- |
1308 |
-# |
1309 |
# /dev |
1310 |
# |
1311 |
ifdef(`distro_debian',` |
1312 |
@@ -37,24 +31,6 @@ ifdef(`distro_redhat',` |
1313 |
') |
1314 |
|
1315 |
# |
1316 |
-# /sbin |
1317 |
-# |
1318 |
-/sbin/dhclient.* -- gen_context(system_u:object_r:dhcpc_exec_t,s0) |
1319 |
-/sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) |
1320 |
-/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) |
1321 |
-/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
1322 |
-/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
1323 |
-/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
1324 |
-/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
1325 |
-/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
1326 |
-/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
1327 |
-/sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
1328 |
-/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
1329 |
-/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
1330 |
-/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0) |
1331 |
-/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
1332 |
- |
1333 |
-# |
1334 |
# /usr |
1335 |
# |
1336 |
/usr/bin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
1337 |
|
1338 |
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te |
1339 |
index eb01183..fffa6ab 100644 |
1340 |
--- a/policy/modules/system/sysnetwork.te |
1341 |
+++ b/policy/modules/system/sysnetwork.te |
1342 |
@@ -1,4 +1,4 @@ |
1343 |
-policy_module(sysnetwork, 1.20.0) |
1344 |
+policy_module(sysnetwork, 1.20.1) |
1345 |
|
1346 |
######################################## |
1347 |
# |
1348 |
|
1349 |
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc |
1350 |
index b6a8656..a3b3767 100644 |
1351 |
--- a/policy/modules/system/systemd.fc |
1352 |
+++ b/policy/modules/system/systemd.fc |
1353 |
@@ -1,13 +1,3 @@ |
1354 |
-/bin/systemd-analyze -- gen_context(system_u:object_r:systemd_analyze_exec_t,s0) |
1355 |
-/bin/systemd-cgtop -- gen_context(system_u:object_r:systemd_cgtop_exec_t,s0) |
1356 |
-/bin/systemd-coredump -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0) |
1357 |
-/bin/systemd-detect-virt -- gen_context(system_u:object_r:systemd_detect_virt_exec_t,s0) |
1358 |
-/bin/systemd-nspawn -- gen_context(system_u:object_r:systemd_nspawn_exec_t,s0) |
1359 |
-/bin/systemd-run -- gen_context(system_u:object_r:systemd_run_exec_t,s0) |
1360 |
-/bin/systemd-stdio-bridge -- gen_context(system_u:object_r:systemd_stdio_bridge_exec_t,s0) |
1361 |
-/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0) |
1362 |
-/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0) |
1363 |
- |
1364 |
/usr/bin/systemd-analyze -- gen_context(system_u:object_r:systemd_analyze_exec_t,s0) |
1365 |
/usr/bin/systemd-cgtop -- gen_context(system_u:object_r:systemd_cgtop_exec_t,s0) |
1366 |
/usr/bin/systemd-coredump -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0) |
1367 |
|
1368 |
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te |
1369 |
index 17afc50..48e9ee1 100644 |
1370 |
--- a/policy/modules/system/systemd.te |
1371 |
+++ b/policy/modules/system/systemd.te |
1372 |
@@ -1,4 +1,4 @@ |
1373 |
-policy_module(systemd, 1.3.0) |
1374 |
+policy_module(systemd, 1.3.1) |
1375 |
|
1376 |
######################################### |
1377 |
# |
1378 |
|
1379 |
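--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -9,26 +9,16 @@
 /etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_rules_t,s0)
 /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
 
-/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
 
 ifdef(`distro_debian',`
-/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
-/lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
 ')
 
-/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
-/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
-/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
-/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0)
-/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
-/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
-
-ifdef(`distro_redhat',`
-/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
+ifdef(`distro_debian',`
+/usr/lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0)
 ')
 
-/usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
-
 /usr/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
@@ -36,6 +26,10 @@ ifdef(`distro_redhat',`
 /usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
 
+ifdef(`distro_redhat',`
+/usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
+')
+
 /usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
 
@@ -44,7 +38,6 @@ ifdef(`distro_redhat',`
 /run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
 
 ifdef(`distro_debian',`
-/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
 /run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0)
 ')
 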
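Review bot: After the first hunk drops the `/sbin/udev*`, `/bin/udevadm` and `/lib/udev/*` entries, nothing in udev.fc says that those paths still receive `udev_exec_t`, which now seems to depend on a / to /usr path substitution defined outside this file. If that substitution is missing on a host, the legacy paths would presumably fall back to a generic label and udev would not enter its own domain, so a header comment such as `# /bin, /sbin and /lib paths are labelled via the /usr equivalence in file_contexts.subs_dist` would help the next maintainer. Running `matchpathcon /sbin/udevd /lib/udev/udev-acl` on a relabelled test system is a quick check that both still resolve to `udev_exec_t`. The same hunk also leaves two consecutive distro_debian conditionals that could be merged into one.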
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te |
1435 |
index 44f674f..d42ac73 100644 |
1436 |
--- a/policy/modules/system/udev.te |
1437 |
+++ b/policy/modules/system/udev.te |
1438 |
@@ -1,4 +1,4 @@ |
1439 |
-policy_module(udev, 1.21.0) |
1440 |
+policy_module(udev, 1.21.1) |
1441 |
|
1442 |
######################################## |
1443 |
# |