From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 60D721381FD for ; Sat, 28 Jul 2012 17:17:00 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 564D1E087D; Sat, 28 Jul 2012 17:16:53 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 156EDE087D for ; Sat, 28 Jul 2012 17:16:52 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 494121B40D7 for ; Sat, 28 Jul 2012 17:16:52 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id DDC3AE5440 for ; Sat, 28 Jul 2012 17:16:49 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1343495768.76b3291b930ec82390379af834b9dda2dbfb4e96.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/system/, policy/modules/kernel/, config/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: config/file_contexts.subs_dist policy/modules/contrib/inetd.fc policy/modules/contrib/java.fc policy/modules/contrib/java.te policy/modules/contrib/kerberos.fc policy/modules/contrib/lpd.fc policy/modules/kernel/corecommands.fc policy/modules/kernel/files.fc policy/modules/system/ipsec.fc policy/modules/system/libraries.fc policy/modules/system/miscfiles.fc policy/modules/system/unconfined.fc X-VCS-Directories: policy/modules/contrib/ policy/modules/system/ policy/modules/kernel/ config/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 76b3291b930ec82390379af834b9dda2dbfb4e96 X-VCS-Branch: master Date: Sat, 28 Jul 2012 17:16:49 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 64ce7880-a7a1-4a95-a8b4-4fbbb88b092e X-Archives-Hash: f426e608c558e44041749d9c1659b5ed commit: 76b3291b930ec82390379af834b9dda2dbfb4e96 Author: Sven Vermeulen siphos be> AuthorDate: Sat Jul 28 17:16:08 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Sat Jul 28 17:16:08 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=76b3291b Support for /usr/local --- config/file_contexts.subs_dist | 2 + policy/modules/contrib/inetd.fc | 2 +- policy/modules/contrib/java.fc | 3 -- policy/modules/contrib/java.te | 3 +- policy/modules/contrib/kerberos.fc | 8 +++--- policy/modules/contrib/lpd.fc | 4 +- policy/modules/kernel/corecommands.fc | 9 
++++--- policy/modules/kernel/files.fc | 9 -------- policy/modules/system/ipsec.fc | 5 ---- policy/modules/system/libraries.fc | 34 +++++++++++++++----------------- policy/modules/system/miscfiles.fc | 5 ---- policy/modules/system/unconfined.fc | 2 +- 12 files changed, 33 insertions(+), 53 deletions(-) diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist index d14c538..34ae155 100644 --- a/config/file_contexts.subs_dist +++ b/config/file_contexts.subs_dist @@ -5,4 +5,6 @@ /usr/lib32 /usr/lib /usr/lib64 /usr/lib /usr/local /usr +/usr/local/lib64 /usr/lib +/usr/local/lib32 /usr/lib /var/run/lock /var/lock diff --git a/policy/modules/contrib/inetd.fc b/policy/modules/contrib/inetd.fc index 39d5baa..6107467 100644 --- a/policy/modules/contrib/inetd.fc +++ b/policy/modules/contrib/inetd.fc @@ -1,7 +1,7 @@ +/usr/lib/pysieved/pysieved.*\.py -- gen_context(system_u:object_r:inetd_child_exec_t,s0) /usr/sbin/identd -- gen_context(system_u:object_r:inetd_child_exec_t,s0) /usr/sbin/in\..*d -- gen_context(system_u:object_r:inetd_child_exec_t,s0) -/usr/local/lib/pysieved/pysieved.*\.py -- gen_context(system_u:object_r:inetd_child_exec_t,s0) /usr/sbin/inetd -- gen_context(system_u:object_r:inetd_exec_t,s0) /usr/sbin/rlinetd -- gen_context(system_u:object_r:inetd_exec_t,s0) diff --git a/policy/modules/contrib/java.fc b/policy/modules/contrib/java.fc index bc1a419..2212e30 100644 --- a/policy/modules/contrib/java.fc +++ b/policy/modules/contrib/java.fc @@ -3,7 +3,6 @@ # /opt/(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) /opt/ibm/java.*/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) -/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) /opt/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) # 
@@ -28,8 +27,6 @@ /usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0) /usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) - /usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) ifdef(`distro_redhat',` diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te index f59610c..20f3477 100644 --- a/policy/modules/contrib/java.te +++ b/policy/modules/contrib/java.te @@ -45,7 +45,7 @@ allow java_t self:fifo_file rw_fifo_file_perms; # For java browser plugin accessing internet resources? allow java_t self:netlink_route_socket create_netlink_socket_perms; allow java_t self:sem create_sem_perms; -allow java_t self:tcp_socket create_socket_perms; +allow java_t self:tcp_socket create_stream_socket_perms; allow java_t self:udp_socket create_socket_perms; manage_dirs_pattern(java_t, java_home_t, java_home_t) @@ -130,6 +130,7 @@ tunable_policy(`allow_java_execstack',` ') optional_policy(` + alsa_domain(java_t, java_tmpfs_t) alsa_read_rw_config(java_t) ') diff --git a/policy/modules/contrib/kerberos.fc b/policy/modules/contrib/kerberos.fc index 3525d24..0a3d05a 100644 --- a/policy/modules/contrib/kerberos.fc +++ b/policy/modules/contrib/kerberos.fc 
@@ -13,13 +13,13 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) /etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) -/usr/(local/)?(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) -/usr/(local/)?(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) +/usr/(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) +/usr/(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) /usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0) /usr/kerberos/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0) -/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) +/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) +/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) /var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) /var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) diff --git a/policy/modules/contrib/lpd.fc b/policy/modules/contrib/lpd.fc index 5c9eb68..62a8834 100644 --- a/policy/modules/contrib/lpd.fc +++ b/policy/modules/contrib/lpd.fc @@ -16,6 +16,8 @@ /usr/bin/lprm(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) /usr/bin/lpstat(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) +/usr/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0) + /usr/sbin/accept -- gen_context(system_u:object_r:lpr_exec_t,s0) /usr/sbin/checkpc -- gen_context(system_u:object_r:checkpc_exec_t,s0) /usr/sbin/lpd -- gen_context(system_u:object_r:lpd_exec_t,s0) 
@@ -24,8 +26,6 @@ /usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0) /usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0) -/usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0) - /usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0) # diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index ca47068..f212f4a 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -191,6 +191,8 @@ ifdef(`distro_gentoo',` /usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -263,10 +265,9 @@ ifdef(`distro_gentoo',` /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) -/usr/local/lib/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) -/usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/usr/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc index 8796ca3..9f95ab2 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc 
@@ -204,13 +204,6 @@ ifdef(`distro_debian',` /usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0) -/usr/local/\.journal <> - -/usr/local/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) - -/usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) -/usr/local/lost\+found/.* <> - /usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /usr/lost\+found/.* <> @@ -220,8 +213,6 @@ ifdef(`distro_debian',` /usr/tmp/.* <> ifndef(`distro_redhat',` -/usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0) - /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) ') diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc index e25c6b6..74a2256 100644 --- a/policy/modules/system/ipsec.fc +++ b/policy/modules/system/ipsec.fc @@ -27,11 +27,6 @@ /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) -/usr/local/lib/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0) -/usr/local/lib/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) -/usr/local/lib/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) -/usr/local/lib/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) - /usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0) /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc index 8a68e0a..4fc5af3 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc 
@@ -151,9 +151,9 @@ ifdef(`distro_redhat',` /usr/lib/nvidia/libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0) -/usr/(local/)?lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?lib/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0) +/usr/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -241,14 +241,13 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame /usr/lib.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/local(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/local/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/.*/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/local/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) # Jai, Sun Microsystems (Jpackage SPRM) /usr/lib/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -270,20 +269,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # Java, Sun Microsystems (JPackage SRPM) /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -/usr/(local/)?acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?Adobe/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?lib/xchat/plugins/systray\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?matlab.*/sys/os/glnx86/libtermcap\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/Adobe/.*\.api -- 
gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/xchat/plugins/systray\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/matlab.*/sys/os/glnx86/libtermcap\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc index ba2b623..5820646 100644 --- a/policy/modules/system/miscfiles.fc +++ b/policy/modules/system/miscfiles.fc @@ -36,11 +36,6 @@ ifdef(`distro_redhat',` /usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0) -/usr/local/man(/.*)? gen_context(system_u:object_r:man_t,s0) -/usr/local/share/man(/.*)? gen_context(system_u:object_r:man_t,s0) - -/usr/local/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) - /usr/man(/.*)? gen_context(system_u:object_r:man_t,s0) /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) diff --git a/policy/modules/system/unconfined.fc b/policy/modules/system/unconfined.fc index 0abaf84..25efa00 100644 --- a/policy/modules/system/unconfined.fc +++ b/policy/modules/system/unconfined.fc @@ -8,7 +8,7 @@ /usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) /usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +/usr/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) ifdef(`distro_debian',` /usr/bin/gcj-dbtool-4\.1 -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
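Review bot: the two added lines in config/file_contexts.subs_dist (`+/usr/local/lib64 /usr/lib` and `+/usr/local/lib32 /usr/lib`) are needed rather than redundant with the existing `/usr/local /usr` entry, because libselinux applies a single substitution per lookup and does not re-run the list on the result: without them `/usr/local/lib64/libfoo.so` would become `/usr/lib64/libfoo.so` and stop there instead of reaching the `/usr/lib` specs. Since the rest of this commit makes every `/usr/local` label depend on subs_dist, it is worth checking on a built policy that the more specific entry wins, e.g. `matchpathcon /usr/local/lib64/libfoo.so` should print the same context as `matchpathcon /usr/lib/libfoo.so`; if it prints the `/usr/lib64` form instead, the new entries have to precede `/usr/local /usr` rather than follow it.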
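Review bot: the removal of `/opt/local/matlab.*/bin.*/MATLAB.*` in the first java.fc hunk is not covered by the `/usr/local` substitution this commit relies on: file_contexts.subs_dist maps `/usr/local` to `/usr`, and nothing in the patch maps `/opt/local` to `/opt`, so a MATLAB install under `/opt/local` loses its `java_exec_t` label and the java_t transition with it. Either keep that line or add an `/opt/local /opt` substitution and mention it in the commit message, which currently only speaks of `/usr/local`.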
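Review bot: both java.te hunks are unrelated to "Support for /usr/local" and change what java_t may do, so they belong in a separate commit with a rationale. `create_stream_socket_perms` is `create_socket_perms` plus `listen` and `accept`, so the first hunk lets java_t accept inbound TCP connections where it could previously only initiate them; the second adds `alsa_domain(java_t, java_tmpfs_t)` beside the existing `alsa_read_rw_config(java_t)`. If both come from observed denials, quoting the AVC lines in the log would let reviewers judge whether a listening socket is genuinely needed by the java runtime rather than by one misbehaving applet.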
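Review bot: the replacement specs `+/usr/var/krb5kdc(/.*)?` and `+/usr/var/krb5kdc/principal.*` in kerberos.fc only make sense once the reader knows they are the post-substitution form of `/usr/local/var/krb5kdc` (the default MIT Kerberos build prefix); a short `#` comment above them would stop the next person from "fixing" an apparently bogus `/usr/var` path. More importantly, the file that loses its explicit spec here is the KDC principal database (`krb5kdc_principal_t`, i.e. the key material): if this policy is ever applied with a setfiles/libselinux that ignores file_contexts.subs_dist, `/usr/local/var/krb5kdc/principal` silently falls back to the generic `/usr` label, which far more domains are allowed to read than `krb5kdc_principal_t`. A dry-run relabel on a test box (`restorecon -nv /usr/local/var/krb5kdc`) before this ships would confirm the substitution works end to end.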
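Review bot: in the second corecommands.fc hunk, `/usr/local/Brother`, `/usr/local/Printer` and `/usr/local/linuxprinter/filters` each get a `/usr/...` counterpart, but `-/usr/local/lib/ipsec/.* -- bin_t` does not, and the ipsec.fc hunk likewise drops the four `/usr/local/lib/ipsec/{eroute,klipsdebug,pluto,spi}` `ipsec_exec_t` specs while its visible context only shows `/usr/libexec/ipsec/...`. After substitution these helpers resolve to `/usr/lib/ipsec/...`; unless ipsec.fc already carries `/usr/lib/ipsec/` specs outside this hunk, a pluto built with a `/usr/local` prefix is no longer `ipsec_exec_t` and the transition into ipsec_t stops happening. Please confirm with `matchpathcon /usr/local/lib/ipsec/pluto`, or add the `/usr/lib/ipsec/` lines next to the `/usr/libexec/ipsec/` ones.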
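Review bot: the new spec `+/usr/(/.*)?/libmpg123\.so(\.[^/]*)*` in the libraries.fc hunk at line 241 has a doubled slash: after `/usr/` the optional group can only begin with another `/`, so the regex matches `/usr//libmpg123.so` or `/usr//lib/libmpg123.so` and no real path. The substituted path `/usr/lib/libmpg123.so` is already matched by the untouched `/usr/lib.*/libmpg123\.so(\.[^/]*)*` spec two lines above, so the simplest fix is to drop the `+` line; if a catch-all is wanted, write it as `/usr(/.*)?/libmpg123\.so(\.[^/]*)*`. In the same hunk `+/usr/(.*/)?nprhapengine\.so.*` is well-formed but now subsumes the `/usr/lib/.*/nprhapengine\.so.*` line above it, which could go as well.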
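Review bot: `+/usr/Adobe/(.*/)?intellinux/sidecars/*` in the libraries.fc hunk at line 270 carries over a pre-existing regex slip: in a file-context spec `/*` means zero or more slashes, not a shell glob, so combined with the `--` file-type flag it only ever matches a regular file literally named `sidecars`. Since the line is being rewritten anyway, `sidecars/.*` (or `sidecars(/.*)?` without `--`) would label the plugin files it is evidently meant for.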
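Review bot: dropping `/usr/local/etc(/.*)? etc_t` and the `/usr/local/lost\+found` specs in the files.fc hunk at line 204 relies on specs for the substituted paths; `/usr/lost\+found` is right there in the context, but a `/usr/etc(/.*)?` spec with `etc_t` is not shown. If it does not exist, configuration under `/usr/local/etc` (the default sysconfdir for anything built with a `/usr/local` prefix) stops being `etc_t` and becomes indistinguishable from ordinary `/usr` content for policy purposes. A one-line `/usr/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)` beside `/usr/inclu.e(/.*)?` would close that gap if it is missing.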
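Review bot: `+/usr/RealPlayer/realplay\.bin -- unconfined_execmem_exec_t` in unconfined.fc illustrates a side effect of the whole patch that the commit message should spell out: every `/usr/local/X` spec rewritten to `/usr/X` now also labels a literal `/usr/X`, because the substitution makes the two paths indistinguishable to setfiles. For `bin_t` that is harmless; for `unconfined_execmem_exec_t` (and the `textrel_shlib_t` specs in libraries.fc) it means a file dropped at the previously unlabelled `/usr/RealPlayer/realplay.bin` would be relabelled into an unconfined execmem type on the next restorecon. That is an accepted trade-off of the subs_dist approach, but one worth a sentence in the log so the widening is deliberate rather than accidental.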