From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 49F16138202 for ; Tue, 27 Nov 2012 19:27:01 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 9B87D21C0AA; Tue, 27 Nov 2012 19:26:13 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id E2CEE21C0A8 for ; Tue, 27 Nov 2012 19:26:12 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id A52CC33D9C4 for ; Tue, 27 Nov 2012 19:26:11 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id B2DB1E5436 for ; Tue, 27 Nov 2012 19:14:12 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1354042837.5772cae4d5acb517532233c838d0e67621780dfc.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/system/miscfiles.fc policy/modules/system/miscfiles.if policy/modules/system/miscfiles.te X-VCS-Directories: policy/modules/system/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 5772cae4d5acb517532233c838d0e67621780dfc X-VCS-Branch: master Date: Tue, 27 Nov 2012 19:14:12 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 91e050a0-c8ed-4f48-9a3e-5b1f2f72fb7d X-Archives-Hash: f7bbaf4c18a5f4f4c7d5fc9eb080e98e commit: 5772cae4d5acb517532233c838d0e67621780dfc Author: Dominick Grift gmail com> AuthorDate: Wed Oct 31 18:02:16 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Tue Nov 27 19:00:37 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5772cae4 Label /var/cache/man with a private man cache type for mandb Since /var/cache/man was previously labeled man_t, make sure that the old interfaces with regard to man_t also support man_cache_t Signed-off-by: Dominick Grift gmail.com> --- policy/modules/system/miscfiles.fc | 2 +- policy/modules/system/miscfiles.if | 80 +++++++++++++++++++++++++++--------- policy/modules/system/miscfiles.te | 3 + 3 files changed, 64 insertions(+), 21 deletions(-) diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc index a0b8232..1ede268 100644 --- a/policy/modules/system/miscfiles.fc +++ b/policy/modules/system/miscfiles.fc 
@@ -79,7 +79,7 @@ ifdef(`distro_redhat',`
 /var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0)
 /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
-/var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+/var/cache/man(/.*)? gen_context(system_u:object_r:man_cache_t,s0)
 /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index 7315ed0..f180d4c 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -557,10 +557,10 @@ interface(`miscfiles_legacy_read_localization',`
 #
 interface(`miscfiles_search_man_pages',`
 gen_require(`
- type man_t;
+ type man_t, man_cache_t;
 ')
- allow $1 man_t:dir search_dir_perms;
+ allow $1 { man_cache_t man_t }:dir search_dir_perms;
 files_search_usr($1)
 ')
@@ -576,10 +576,10 @@ interface(`miscfiles_search_man_pages',`
 #
 interface(`miscfiles_dontaudit_search_man_pages',`
 gen_require(`
- type man_t;
+ type man_t, man_cache_t;
 ')
- dontaudit $1 man_t:dir search_dir_perms;
+ dontaudit $1 { man_cache_t man_t }:dir search_dir_perms;
 ')
 ########################################
@@ -595,13 +595,13 @@ interface(`miscfiles_dontaudit_search_man_pages',`
 #
 interface(`miscfiles_read_man_pages',`
 gen_require(`
- type man_t;
+ type man_t, man_cache_t;
 ')
 files_search_usr($1)
- allow $1 man_t:dir list_dir_perms;
- read_files_pattern($1, man_t, man_t)
- read_lnk_files_pattern($1, man_t, man_t)
+ allow $1 { man_cache_t man_t }:dir list_dir_perms;
+ read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
+ read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
 ')
 ########################################
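Review bot: `miscfiles_search_man_pages` now grants search on man_cache_t directories but still only calls `files_search_usr($1)`, so a caller that is meant to reach /var/cache/man gets no path to it unless it already holds search on var_t from elsewhere; the new `miscfiles_read_man_cache_content` interface added later in this file pairs man_cache_t with `files_search_var($1)`, and the widened legacy interfaces should do the same. The same gap applies to the read hunk at @@ -595 and to the delete and manage hunks at @@ -617 and @@ -642; the dontaudit variant at @@ -576 needs nothing. A one-line addition next to the existing call, `files_search_var($1)`, would cover each of them.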
@@ -617,17 +617,14 @@ interface(`miscfiles_read_man_pages',`
 #
 interface(`miscfiles_delete_man_pages',`
 gen_require(`
- type man_t;
+ type man_t, man_cache_t;
 ')
 files_search_usr($1)
-
- allow $1 man_t:dir setattr;
- # RH bug #309351
- allow $1 man_t:dir list_dir_perms;
- delete_dirs_pattern($1, man_t, man_t)
- delete_files_pattern($1, man_t, man_t)
- delete_lnk_files_pattern($1, man_t, man_t)
+ allow $1 { man_cache_t man_t }:dir { setattr_dir_perms list_dir_perms };
+ delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
+ delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
+ delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
 ')
 ########################################
@@ -642,13 +639,56 @@ interface(`miscfiles_delete_man_pages',`
 #
 interface(`miscfiles_manage_man_pages',`
 gen_require(`
- type man_t;
+ type man_t, man_cache_t;
 ')
 files_search_usr($1)
- manage_dirs_pattern($1, man_t, man_t)
- manage_files_pattern($1, man_t, man_t)
- read_lnk_files_pattern($1, man_t, man_t)
+ manage_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
+ manage_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
+ read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
+')
+
+########################################
+##
+## Read man cache content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`miscfiles_read_man_cache_content',`
+ gen_require(`
+ type man_cache_t;
+ ')
+
+ files_search_var($1)
+ allow $1 man_cache_t:dir list_dir_perms;
+ allow $1 man_cache_t:file read_file_perms;
+ allow $1 man_cache_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+##
+## Create, read, write, and delete
+## man cache content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`miscfiles_manage_man_cache_content',`
+ gen_require(`
+ type man_cache_t;
+ ')
+
+ files_search_var($1)
+ allow $1 man_cache_t:dir manage_dir_perms;
+ allow $1 man_cache_t:file manage_file_perms;
+ allow $1 man_cache_t:lnk_file manage_lnk_file_perms;
 ')
 ########################################
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index 00801e6..cab354a 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -48,6 +48,9 @@ files_type(locale_t)
 type man_t alias catman_t;
 files_type(man_t)
+type man_cache_t;
+files_type(man_cache_t)
+
 #
 # Types for public content
 #
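Review bot: The two new interfaces `miscfiles_read_man_cache_content` and `miscfiles_manage_man_cache_content` spell out raw `allow` rules per object class, while every other interface in this hunk and the ones above use the `*_pattern` helpers, which makes the new code harder to compare against its siblings when auditing what a caller actually receives. Writing the read variant as `read_files_pattern($1, man_cache_t, man_cache_t)` and `read_lnk_files_pattern($1, man_cache_t, man_cache_t)` after the `files_search_var($1)` call, and the manage variant with the matching `manage_dirs_pattern`/`manage_files_pattern`/`manage_lnk_files_pattern` calls, keeps the file uniform. If the raw form was chosen on purpose (for example to avoid the extra dir search the patterns carry), a one-line comment saying so would be worth adding.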
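Review bot: The new `type man_cache_t;` declaration in miscfiles.te carries no comment, unlike the section headers around it, so a reader of the .te file alone cannot tell it from man_t or see why the legacy man interfaces now grant both types. A short comment above the declaration, `# mandb cache under /var/cache/man, split out of man_t (legacy man interfaces still cover both)`, records the reason given in the commit message next to the type itself.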