From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1351446738.4dedda31c2025ccde5ee8ce2500648d786f28d89.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/kernel/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/shorewall.fc policy/modules/kernel/corecommands.fc
X-VCS-Directories: policy/modules/contrib/ policy/modules/kernel/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 4dedda31c2025ccde5ee8ce2500648d786f28d89
X-VCS-Branch: master
Date: Sun, 28 Oct 2012 18:01:40 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: eaebb724-101b-4548-8913-037905daf8f3
X-Archives-Hash: bb4ebb7700d4cb6e3ec8d5c3cbabb418

commit:     4dedda31c2025ccde5ee8ce2500648d786f28d89
Author:     Sven Vermeulen siphos be>
AuthorDate: Sun Oct 28 17:52:18 2012 +0000
Commit:     Sven Vermeulen siphos be>
CommitDate: Sun Oct 28 17:52:18 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4dedda31

Keep file contexts local

Unlike what is used in refpolicy, I think it is much cleaner if file contexts
related to the application the module reflects are within the file context file.

This does mean that "elsewhere" defined types must be accepted in the context,
but as long as these types are part of the base install (or as a depending
module without optional_policy() statement) this should be okay.

One main advantage to this - beyond clarity - is that the contexts file on a
user's system will not contain paths for files that are of applications he
doesn't have.

Doing this for a few shorewall contexts for now, will update as these come
along.

--- policy/modules/contrib/shorewall.fc | 5 +++++ policy/modules/kernel/corecommands.fc | 6 ------ 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/policy/modules/contrib/shorewall.fc b/policy/modules/contrib/shorewall.fc index 341bd25..daf852d 100644 --- a/policy/modules/contrib/shorewall.fc +++ b/policy/modules/contrib/shorewall.fc @@ -20,6 +20,11 @@ ifdef(`distro_gentoo',` /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/getparams -- gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/wait4ifup -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) ') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index 57fd2ed..de94bd0 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc 
@@ -309,12 +309,6 @@ ifdef(`distro_gentoo',` /usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0) /usr/share/texmf/web2c/mktexdir -- gen_context(system_u:object_r:bin_t,s0) /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
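
Review bot: in policy/modules/contrib/shorewall.fc all five added entries sit ahead of the closing "')" and the hunk header names "ifdef(`distro_gentoo',", so they appear to be conditional on distro_gentoo, which the commit message does not mention. Please confirm the corecommands.fc originals were under the same condition; if they were unconditional, note in the message that these labels now exist only in Gentoo builds. The four "(/.*)?" patterns also have no file-type field, so directories in those trees are labelled bin_t along with the files. That matches the removed lines and is fine for a pure move, but a short comment above them saying bin_t is declared by corecommands would record the cross-module dependency the message describes.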
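
Review bot: in policy/modules/kernel/corecommands.fc six entries are removed but only five are added to shorewall.fc; the sixth, "/usr/share/shorewall/compiler\.pl", is covered only because it already appears as an unchanged context line in the shorewall.fc hunk. That is correct, but it deserves a sentence in the commit message so the 5/6 diffstat is not read as a dropped label. Since these paths now receive bin_t only when the shorewall module is installed, it would also help to state that as the intended behaviour and to check one path (for example with matchpathcon on "/usr/share/shorewall/configpath") on a build with the module loaded before merging.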