commit: 5772cae4d5acb517532233c838d0e67621780dfc |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Wed Oct 31 18:02:16 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Tue Nov 27 19:00:37 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5772cae4 |
|
Label /var/cache/man with a private man cache type for mandb |
|
Since /var/cache/man was previously labeled man_t, make sure that the old |
interfaces with regard to man_t also support man_cache_t |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/system/miscfiles.fc | 2 +- |
policy/modules/system/miscfiles.if | 80 +++++++++++++++++++++++++++--------- |
policy/modules/system/miscfiles.te | 3 + |
3 files changed, 64 insertions(+), 21 deletions(-) |
|
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc |
22 |
index a0b8232..1ede268 100644 |
23 |
--- a/policy/modules/system/miscfiles.fc |
24 |
+++ b/policy/modules/system/miscfiles.fc |
25 |
@@ -79,7 +79,7 @@ ifdef(`distro_redhat',` |
26 |
|
27 |
/var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0) |
28 |
/var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) |
29 |
-/var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0) |
30 |
+/var/cache/man(/.*)? gen_context(system_u:object_r:man_cache_t,s0) |
31 |
|
32 |
/var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) |
33 |
|
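Review bot: Changing the context of an already-populated path means existing installations keep man_t on /var/cache/man until that tree is relabeled, so a domain that is granted only man_cache_t through the new miscfiles_*_man_cache_content interfaces would be denied on a system that has not been relabeled. Nothing in the hunk itself is wrong; this is a deployment caveat worth one sentence in the commit description or the upgrade notes, e.g. `restorecon -R /var/cache/man` after the new policy is loaded. Whether the distribution's policy install already triggers a relabel is not visible from this diff.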
34 |
|
35 |
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if |
36 |
index 7315ed0..f180d4c 100644 |
37 |
--- a/policy/modules/system/miscfiles.if |
38 |
+++ b/policy/modules/system/miscfiles.if |
39 |
@@ -557,10 +557,10 @@ interface(`miscfiles_legacy_read_localization',` |
40 |
# |
41 |
interface(`miscfiles_search_man_pages',` |
42 |
gen_require(` |
43 |
- type man_t; |
44 |
+ type man_t, man_cache_t; |
45 |
') |
46 |
|
47 |
- allow $1 man_t:dir search_dir_perms; |
48 |
+ allow $1 { man_cache_t man_t }:dir search_dir_perms; |
49 |
files_search_usr($1) |
50 |
') |
51 |
|
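Review bot: `miscfiles_search_man_pages` now grants search on man_cache_t directories but still only calls `files_search_usr($1)`, so a caller relying on this interface to reach /var/cache/man can still be denied search on the /var and /var/cache directory types; the new `miscfiles_read_man_cache_content` and `miscfiles_manage_man_cache_content` interfaces in this same commit call `files_search_var($1)` for exactly that reason. Consider adding `files_search_var($1)` here as well, or state in the interface's XML summary that callers must obtain /var search separately. This presumes /var/cache carries the var_t hierarchy labels in this policy; verify against files.fc.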
52 |
@@ -576,10 +576,10 @@ interface(`miscfiles_search_man_pages',` |
53 |
# |
54 |
interface(`miscfiles_dontaudit_search_man_pages',` |
55 |
gen_require(` |
56 |
- type man_t; |
57 |
+ type man_t, man_cache_t; |
58 |
') |
59 |
|
60 |
- dontaudit $1 man_t:dir search_dir_perms; |
61 |
+ dontaudit $1 { man_cache_t man_t }:dir search_dir_perms; |
62 |
') |
63 |
|
64 |
######################################## |
65 |
@@ -595,13 +595,13 @@ interface(`miscfiles_dontaudit_search_man_pages',` |
66 |
# |
67 |
interface(`miscfiles_read_man_pages',` |
68 |
gen_require(` |
69 |
- type man_t; |
70 |
+ type man_t, man_cache_t; |
71 |
') |
72 |
|
73 |
files_search_usr($1) |
74 |
- allow $1 man_t:dir list_dir_perms; |
75 |
- read_files_pattern($1, man_t, man_t) |
76 |
- read_lnk_files_pattern($1, man_t, man_t) |
77 |
+ allow $1 { man_cache_t man_t }:dir list_dir_perms; |
78 |
+ read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) |
79 |
+ read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) |
80 |
') |
81 |
|
82 |
######################################## |
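Review bot: `read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })` expands to the cross product of the two sets, so it also permits reading man_t files found inside man_cache_t directories and vice versa, combinations the .fc entries in this commit never produce. Two per-type calls, `read_files_pattern($1, man_t, man_t)` and `read_files_pattern($1, man_cache_t, man_cache_t)` (and the same split for `read_lnk_files_pattern`), keep the grant to what actually exists on disk and read more clearly. As with the search interface above, man_cache_t is added without a `files_search_var($1)`; if callers are meant to reach /var/cache/man through this interface, that is worth adding or documenting.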
83 |
@@ -617,17 +617,14 @@ interface(`miscfiles_read_man_pages',` |
84 |
# |
85 |
interface(`miscfiles_delete_man_pages',` |
86 |
gen_require(` |
87 |
- type man_t; |
88 |
+ type man_t, man_cache_t; |
89 |
') |
90 |
|
91 |
files_search_usr($1) |
92 |
- |
93 |
- allow $1 man_t:dir setattr; |
94 |
- # RH bug #309351 |
95 |
- allow $1 man_t:dir list_dir_perms; |
96 |
- delete_dirs_pattern($1, man_t, man_t) |
97 |
- delete_files_pattern($1, man_t, man_t) |
98 |
- delete_lnk_files_pattern($1, man_t, man_t) |
99 |
+ allow $1 { man_cache_t man_t }:dir { setattr_dir_perms list_dir_perms }; |
100 |
+ delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) |
101 |
+ delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) |
102 |
+ delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) |
103 |
') |
104 |
|
105 |
######################################## |
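Review bot: The rationale comment `# RH bug #309351` that explained why a delete interface grants `list_dir_perms` was removed while the permission itself was kept in the merged `allow $1 { man_cache_t man_t }:dir { setattr_dir_perms list_dir_perms };` line. A why-comment on that line, e.g. `# list_dir_perms is needed to remove the tree (RH bug #309351)`, preserves the history for the next reader who wonders why a delete interface lists directories. The rest of the hunk is a mechanical widening to the new type and looks consistent with the other interfaces.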
106 |
@@ -642,13 +639,56 @@ interface(`miscfiles_delete_man_pages',` |
107 |
# |
108 |
interface(`miscfiles_manage_man_pages',` |
109 |
gen_require(` |
110 |
- type man_t; |
111 |
+ type man_t, man_cache_t; |
112 |
') |
113 |
|
114 |
files_search_usr($1) |
115 |
- manage_dirs_pattern($1, man_t, man_t) |
116 |
- manage_files_pattern($1, man_t, man_t) |
117 |
- read_lnk_files_pattern($1, man_t, man_t) |
118 |
+ manage_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) |
119 |
+ manage_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) |
120 |
+ read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) |
121 |
+') |
122 |
+ |
123 |
+######################################## |
124 |
+## <summary> |
125 |
+## Read man cache content. |
126 |
+## </summary> |
127 |
+## <param name="domain"> |
128 |
+## <summary> |
129 |
+## Domain allowed access. |
130 |
+## </summary> |
131 |
+## </param> |
132 |
+# |
133 |
+interface(`miscfiles_read_man_cache_content',` |
134 |
+ gen_require(` |
135 |
+ type man_cache_t; |
136 |
+ ') |
137 |
+ |
138 |
+ files_search_var($1) |
139 |
+ allow $1 man_cache_t:dir list_dir_perms; |
140 |
+ allow $1 man_cache_t:file read_file_perms; |
141 |
+ allow $1 man_cache_t:lnk_file read_lnk_file_perms; |
142 |
+') |
143 |
+ |
144 |
+######################################## |
145 |
+## <summary> |
146 |
+## Create, read, write, and delete |
147 |
+## man cache content. |
148 |
+## </summary> |
149 |
+## <param name="domain"> |
150 |
+## <summary> |
151 |
+## Domain allowed access. |
152 |
+## </summary> |
153 |
+## </param> |
154 |
+# |
155 |
+interface(`miscfiles_manage_man_cache_content',` |
156 |
+ gen_require(` |
157 |
+ type man_cache_t; |
158 |
+ ') |
159 |
+ |
160 |
+ files_search_var($1) |
161 |
+ allow $1 man_cache_t:dir manage_dir_perms; |
162 |
+ allow $1 man_cache_t:file manage_file_perms; |
163 |
+ allow $1 man_cache_t:lnk_file manage_lnk_file_perms; |
164 |
') |
165 |
|
166 |
######################################## |
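Review bot: Extending `miscfiles_manage_man_pages` to `{ man_cache_t man_t }` gives every existing caller of the legacy manage interface create, write and delete on the new cache type, which works against the commit's stated goal of a private type for mandb. If the wider grant is intended only as a compatibility step, say so in the interface's XML summary, for example `## Callers that only need the cache should use miscfiles_manage_man_cache_content().`, so callers can migrate and the man_cache_t half can later be dropped. Separately, the two new interfaces spell out `allow $1 man_cache_t:dir manage_dir_perms;` and friends directly while the rest of this file uses the `manage_dirs_pattern()`/`read_files_pattern()` helpers; writing them as `manage_dirs_pattern($1, man_cache_t, man_cache_t)` etc. keeps the style consistent.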
167 |
|
168 |
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te |
169 |
index 00801e6..cab354a 100644 |
170 |
--- a/policy/modules/system/miscfiles.te |
171 |
+++ b/policy/modules/system/miscfiles.te |
172 |
@@ -48,6 +48,9 @@ files_type(locale_t) |
173 |
type man_t alias catman_t; |
174 |
files_type(man_t) |
175 |
|
176 |
+type man_cache_t; |
177 |
+files_type(man_cache_t) |
178 |
+ |
179 |
# |
180 |
# Types for public content |
181 |
# |
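Review bot: `type man_cache_t;` is declared without any comment saying what it labels or that it takes over /var/cache/man from man_t; the neighbouring `man_t alias catman_t` declaration is equally bare, but this new type is the point of the commit and a one-line note such as `# mandb cache under /var/cache/man, previously labeled man_t` would help whoever next reads this file. The declaration itself, `files_type(man_cache_t)` following the existing pattern, looks correct.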