From: "Sven Vermeulen" <sven.vermeulen@siphos.be>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/system/, policy/modules/kernel/, config/
Date: Thu, 9 Aug 2012 16:44:19 +0000 (UTC) [thread overview]
Message-ID: <1344526550.aaa0f803d363b62e7105ef1e1cf282a08a0350e1.SwifT@gentoo> (raw)
commit: aaa0f803d363b62e7105ef1e1cf282a08a0350e1
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug 9 15:35:50 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Aug 9 15:35:50 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=aaa0f803
Use /usr/local/lib* to /usr/lib
The translation of /usr/local to /usr is not supported upstream and might lead
to issues later, so undo those changes. Keep the /usr/local/lib* stuff in
though.
---
config/file_contexts.subs_dist | 1 -
policy/modules/contrib/java.fc | 3 +++
policy/modules/contrib/kerberos.fc | 8 ++++----
policy/modules/contrib/lpd.fc | 2 +-
policy/modules/kernel/corecommands.fc | 6 +++---
policy/modules/kernel/files.fc | 9 +++++++++
policy/modules/system/libraries.fc | 20 ++++++++++----------
policy/modules/system/miscfiles.fc | 5 +++++
policy/modules/system/unconfined.fc | 2 +-
9 files changed, 36 insertions(+), 20 deletions(-)
diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
index 34ae155..9121dce 100644
--- a/config/file_contexts.subs_dist
+++ b/config/file_contexts.subs_dist
@@ -4,7 +4,6 @@
/run/lock /var/lock
/usr/lib32 /usr/lib
/usr/lib64 /usr/lib
-/usr/local /usr
/usr/local/lib64 /usr/lib
/usr/local/lib32 /usr/lib
/var/run/lock /var/lock
diff --git a/policy/modules/contrib/java.fc b/policy/modules/contrib/java.fc
index 2212e30..ca524bd 100644
--- a/policy/modules/contrib/java.fc
+++ b/policy/modules/contrib/java.fc
@@ -4,6 +4,7 @@
/opt/(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
/opt/ibm/java.*/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
/opt/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
#
# /usr
@@ -27,6 +28,8 @@
/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+
/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
ifdef(`distro_redhat',`
diff --git a/policy/modules/contrib/kerberos.fc b/policy/modules/contrib/kerberos.fc
index 0a3d05a..3525d24 100644
--- a/policy/modules/contrib/kerberos.fc
+++ b/policy/modules/contrib/kerberos.fc
@@ -13,13 +13,13 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
/etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
-/usr/(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
-/usr/(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/(local/)?(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+/usr/(local/)?(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
/usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0)
/usr/kerberos/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)
-/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
diff --git a/policy/modules/contrib/lpd.fc b/policy/modules/contrib/lpd.fc
index 62a8834..dd53b37 100644
--- a/policy/modules/contrib/lpd.fc
+++ b/policy/modules/contrib/lpd.fc
@@ -16,7 +16,7 @@
/usr/bin/lprm(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/bin/lpstat(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
-/usr/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/sbin/accept -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/sbin/checkpc -- gen_context(system_u:object_r:checkpc_exec_t,s0)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index defaa6d..0ec2975 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -196,7 +196,6 @@ ifdef(`distro_gentoo',`
/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-/usr/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -270,9 +269,10 @@ ifdef(`distro_gentoo',`
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
-/usr/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index 9f95ab2..8796ca3 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -204,6 +204,13 @@ ifdef(`distro_debian',`
/usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0)
+/usr/local/\.journal <<none>>
+
+/usr/local/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
+
+/usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+/usr/local/lost\+found/.* <<none>>
+
/usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/usr/lost\+found/.* <<none>>
@@ -213,6 +220,8 @@ ifdef(`distro_debian',`
/usr/tmp/.* <<none>>
ifndef(`distro_redhat',`
+/usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0)
+
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
')
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 4fc5af3..6a2a3ed 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -247,7 +247,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/.*/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# Jai, Sun Microsystems (Jpackage SPRM)
/usr/lib/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -271,17 +271,17 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/Adobe/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?Adobe/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/xchat/plugins/systray\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/matlab.*/sys/os/glnx86/libtermcap\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?matlab.*/sys/os/glnx86/libtermcap\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 5820646..f058c71 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -36,6 +36,11 @@ ifdef(`distro_redhat',`
/usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+/usr/local/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+/usr/local/share/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+
+/usr/local/share/fonts(/.*)? gen_context(system_u:object_r:man_t,s0)
+
/usr/man(/.*)? gen_context(system_u:object_r:man_t,s0)
/usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
diff --git a/policy/modules/system/unconfined.fc b/policy/modules/system/unconfined.fc
index 25efa00..0abaf84 100644
--- a/policy/modules/system/unconfined.fc
+++ b/policy/modules/system/unconfined.fc
@@ -8,7 +8,7 @@
/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
ifdef(`distro_debian',`
/usr/bin/gcj-dbtool-4\.1 -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
next reply other threads:[~2012-08-09 16:44 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-08-09 16:44 Sven Vermeulen [this message]
-- strict thread matches above, loose matches on Subject: below --
2012-07-28 17:16 [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/system/, policy/modules/kernel/, config/ Sven Vermeulen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1344526550.aaa0f803d363b62e7105ef1e1cf282a08a0350e1.SwifT@gentoo \
--to=sven.vermeulen@siphos.be \
--cc=gentoo-commits@lists.gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox