| 1 |
commit: 5772cae4d5acb517532233c838d0e67621780dfc |
| 2 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
| 3 |
AuthorDate: Wed Oct 31 18:02:16 2012 +0000 |
| 4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
| 5 |
CommitDate: Tue Nov 27 19:00:37 2012 +0000 |
| 6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5772cae4 |
| 7 |
|
| 8 |
Label /var/cache/man with a private man cache type for mandb |
| 9 |
|
| 10 |
Since /var/cache/man was previously labeled man_t, make sure that the old |
| 11 |
interfaces with regard to man_t also support man_cache_t |
| 12 |
|
| 13 |
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
| 14 |
|
| 15 |
--- |
| 16 |
policy/modules/system/miscfiles.fc | 2 +- |
| 17 |
policy/modules/system/miscfiles.if | 80 +++++++++++++++++++++++++++--------- |
| 18 |
policy/modules/system/miscfiles.te | 3 + |
| 19 |
3 files changed, 64 insertions(+), 21 deletions(-) |
| 20 |
|
| 21 |
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc |
| 22 |
index a0b8232..1ede268 100644 |
| 23 |
--- a/policy/modules/system/miscfiles.fc |
| 24 |
+++ b/policy/modules/system/miscfiles.fc |
| 25 |
@@ -79,7 +79,7 @@ ifdef(`distro_redhat',` |
| 26 |
|
| 27 |
/var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0) |
| 28 |
/var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) |
| 29 |
-/var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0) |
| 30 |
+/var/cache/man(/.*)? gen_context(system_u:object_r:man_cache_t,s0) |
| 31 |
|
| 32 |
/var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) |
| 33 |
|
| 34 |
|
| 35 |
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if |
| 36 |
index 7315ed0..f180d4c 100644 |
| 37 |
--- a/policy/modules/system/miscfiles.if |
| 38 |
+++ b/policy/modules/system/miscfiles.if |
| 39 |
@@ -557,10 +557,10 @@ interface(`miscfiles_legacy_read_localization',` |
| 40 |
# |
| 41 |
interface(`miscfiles_search_man_pages',` |
| 42 |
gen_require(` |
| 43 |
- type man_t; |
| 44 |
+ type man_t, man_cache_t; |
| 45 |
') |
| 46 |
|
| 47 |
- allow $1 man_t:dir search_dir_perms; |
| 48 |
+ allow $1 { man_cache_t man_t }:dir search_dir_perms; |
| 49 |
files_search_usr($1) |
| 50 |
') |
| 51 |
|
| 52 |
@@ -576,10 +576,10 @@ interface(`miscfiles_search_man_pages',` |
| 53 |
# |
| 54 |
interface(`miscfiles_dontaudit_search_man_pages',` |
| 55 |
gen_require(` |
| 56 |
- type man_t; |
| 57 |
+ type man_t, man_cache_t; |
| 58 |
') |
| 59 |
|
| 60 |
- dontaudit $1 man_t:dir search_dir_perms; |
| 61 |
+ dontaudit $1 { man_cache_t man_t }:dir search_dir_perms; |
| 62 |
') |
| 63 |
|
| 64 |
######################################## |
| 65 |
@@ -595,13 +595,13 @@ interface(`miscfiles_dontaudit_search_man_pages',` |
| 66 |
# |
| 67 |
interface(`miscfiles_read_man_pages',` |
| 68 |
gen_require(` |
| 69 |
- type man_t; |
| 70 |
+ type man_t, man_cache_t; |
| 71 |
') |
| 72 |
|
| 73 |
files_search_usr($1) |
| 74 |
- allow $1 man_t:dir list_dir_perms; |
| 75 |
- read_files_pattern($1, man_t, man_t) |
| 76 |
- read_lnk_files_pattern($1, man_t, man_t) |
| 77 |
+ allow $1 { man_cache_t man_t }:dir list_dir_perms; |
| 78 |
+ read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) |
| 79 |
+ read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) |
| 80 |
') |
| 81 |
|
| 82 |
######################################## |
| 83 |
@@ -617,17 +617,14 @@ interface(`miscfiles_read_man_pages',` |
| 84 |
# |
| 85 |
interface(`miscfiles_delete_man_pages',` |
| 86 |
gen_require(` |
| 87 |
- type man_t; |
| 88 |
+ type man_t, man_cache_t; |
| 89 |
') |
| 90 |
|
| 91 |
files_search_usr($1) |
| 92 |
- |
| 93 |
- allow $1 man_t:dir setattr; |
| 94 |
- # RH bug #309351 |
| 95 |
- allow $1 man_t:dir list_dir_perms; |
| 96 |
- delete_dirs_pattern($1, man_t, man_t) |
| 97 |
- delete_files_pattern($1, man_t, man_t) |
| 98 |
- delete_lnk_files_pattern($1, man_t, man_t) |
| 99 |
+ allow $1 { man_cache_t man_t }:dir { setattr_dir_perms list_dir_perms }; |
| 100 |
+ delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) |
| 101 |
+ delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) |
| 102 |
+ delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) |
| 103 |
') |
| 104 |
|
| 105 |
######################################## |
| 106 |
@@ -642,13 +639,56 @@ interface(`miscfiles_delete_man_pages',` |
| 107 |
# |
| 108 |
interface(`miscfiles_manage_man_pages',` |
| 109 |
gen_require(` |
| 110 |
- type man_t; |
| 111 |
+ type man_t, man_cache_t; |
| 112 |
') |
| 113 |
|
| 114 |
files_search_usr($1) |
| 115 |
- manage_dirs_pattern($1, man_t, man_t) |
| 116 |
- manage_files_pattern($1, man_t, man_t) |
| 117 |
- read_lnk_files_pattern($1, man_t, man_t) |
| 118 |
+ manage_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) |
| 119 |
+ manage_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) |
| 120 |
+ read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) |
| 121 |
+') |
| 122 |
+ |
| 123 |
+######################################## |
| 124 |
+## <summary> |
| 125 |
+## Read man cache content. |
| 126 |
+## </summary> |
| 127 |
+## <param name="domain"> |
| 128 |
+## <summary> |
| 129 |
+## Domain allowed access. |
| 130 |
+## </summary> |
| 131 |
+## </param> |
| 132 |
+# |
| 133 |
+interface(`miscfiles_read_man_cache_content',` |
| 134 |
+ gen_require(` |
| 135 |
+ type man_cache_t; |
| 136 |
+ ') |
| 137 |
+ |
| 138 |
+ files_search_var($1) |
| 139 |
+ allow $1 man_cache_t:dir list_dir_perms; |
| 140 |
+ allow $1 man_cache_t:file read_file_perms; |
| 141 |
+ allow $1 man_cache_t:lnk_file read_lnk_file_perms; |
| 142 |
+') |
| 143 |
+ |
| 144 |
+######################################## |
| 145 |
+## <summary> |
| 146 |
+## Create, read, write, and delete |
| 147 |
+## man cache content. |
| 148 |
+## </summary> |
| 149 |
+## <param name="domain"> |
| 150 |
+## <summary> |
| 151 |
+## Domain allowed access. |
| 152 |
+## </summary> |
| 153 |
+## </param> |
| 154 |
+# |
| 155 |
+interface(`miscfiles_manage_man_cache_content',` |
| 156 |
+ gen_require(` |
| 157 |
+ type man_cache_t; |
| 158 |
+ ') |
| 159 |
+ |
| 160 |
+ files_search_var($1) |
| 161 |
+ allow $1 man_cache_t:dir manage_dir_perms; |
| 162 |
+ allow $1 man_cache_t:file manage_file_perms; |
| 163 |
+ allow $1 man_cache_t:lnk_file manage_lnk_file_perms; |
| 164 |
') |
| 165 |
|
| 166 |
######################################## |
| 167 |
|
| 168 |
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te |
| 169 |
index 00801e6..cab354a 100644 |
| 170 |
--- a/policy/modules/system/miscfiles.te |
| 171 |
+++ b/policy/modules/system/miscfiles.te |
| 172 |
@@ -48,6 +48,9 @@ files_type(locale_t) |
| 173 |
type man_t alias catman_t; |
| 174 |
files_type(man_t) |
| 175 |
|
| 176 |
+type man_cache_t; |
| 177 |
+files_type(man_cache_t) |
| 178 |
+ |
| 179 |
# |
| 180 |
# Types for public content |
| 181 |
# |
Archives