From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: 
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 2B64259CA6 for ; Wed, 23 Mar 2016 18:36:19 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id F377821C029; Wed, 23 Mar 2016 18:36:16 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 58ACD21C027 for ; Wed, 23 Mar 2016 18:36:16 +0000 (UTC)
Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 6C3EE340CBE for ; Wed, 23 Mar 2016 18:36:15 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id E78F386C for ; Wed, 23 Mar 2016 18:36:11 +0000 (UTC)
From: "Jason Zaman" 
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" 
Message-ID: <1458755629.81028072096b64f3a06b3444311958ee9f442244.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/kernel/corecommands.fc
X-VCS-Directories: policy/modules/kernel/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 81028072096b64f3a06b3444311958ee9f442244
X-VCS-Branch: master
Date: Wed, 23 Mar 2016 18:36:11 +0000 (UTC)
Precedence: bulk
List-Post: 
List-Help: 
List-Unsubscribe: 
List-Subscribe: 
List-Id: Gentoo Linux mail 
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: c5f7ceee-0acf-427d-a494-31430bdee154
X-Archives-Hash: 0d3d8657a7d972b5ef834e083e2d32b6

commit:     81028072096b64f3a06b3444311958ee9f442244
Author:     Nicolas Iooss m4x org>
AuthorDate: Sat Mar 19 09:30:42 2016 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Wed Mar 23 17:53:49 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=81028072

Do not label /usr/lib/gvfs/libgvfscommon.so as bin_t

On Arch Linux, the /usr/lib/gvfs directory contains both executable files (gvfsd, gvfs-udisks2-volume-monitor...) and libraries (libgvfscommon.so and libgvfsdaemon.so). As all executable files are prefixed with "gvfs", use this to distinguish them from the libraries.
This fixes the following AVC denials, reported from geoclue service using a library wrongly labelled bin_t: avc: denied { read } for pid=14872 comm="geoclue" name="libgvfscommon.so" dev="dm-0" ino=3152594 scontext=system_u:system_r:geoclue_t tcontext=system_u:object_r:bin_t tclass=file permissive=1 avc: denied { open } for pid=14872 comm="geoclue" path="/usr/lib/gvfs/libgvfscommon.so" dev="dm-0" ino=3152594 scontext=system_u:system_r:geoclue_t tcontext=system_u:object_r:bin_t tclass=file permissive=1 avc: denied { execute } for pid=14872 comm="geoclue" path="/usr/lib/gvfs/libgvfscommon.so" dev="dm-0" ino=3152594 scontext=system_u:system_r:geoclue_t tcontext=system_u:object_r:bin_t tclass=file permissive=1 policy/modules/kernel/corecommands.fc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index 1e8e894..c228d79 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -222,7 +222,7 @@ ifdef(`distro_gentoo',` /usr/lib/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/lib/git-core(/.*) -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/gnome-settings-daemon/.* -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib/gvfs/.* -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/gvfs/gvfs.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/kde4/libexec/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
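Review bot: the commit message justifies the narrower `/usr/lib/gvfs/gvfs.*` pattern from the layout of /usr/lib/gvfs on Arch Linux, while the hunk's @@ header names ifdef(`distro_gentoo',` as the enclosing section of corecommands.fc; if that is the block this entry lives in, the message should say that the Gentoo gvfs install follows the same convention (every executable named gvfs*, every library named lib*), because any helper in that directory without the gvfs prefix now silently loses bin_t and falls back to the directory's default label. Two smaller points: `.*` still matches across `/`, so files under a `/usr/lib/gvfs/gvfs*/` subdirectory keep getting bin_t exactly as before, and the two libraries only pick up their new label after a relabel of the directory (restorecon -R /usr/lib/gvfs), which is worth one line in the message since the quoted denials came from a running system.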
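To see what the changed pattern does to each file in /usr/lib/gvfs, here is an added Python illustration; it is not part of the refpolicy commit and not libselinux code. It parses file_contexts lines in the gen_context() form used in the hunk and emulates the lookup under three assumptions: regexes are anchored at both ends, the last matching entry wins, and a `--` qualifier restricts an entry to regular files. The `/usr/lib(/.*)? -> lib_t` entry is a constructed stand-in for the default that libraries.fc supplies in the real policy (not shown in this mail), and the AVC line at the bottom is a constructed copy of the `open` denial quoted in the commit message.

```python
"""Emulate how file_contexts entries label files in /usr/lib/gvfs before and
after the patch in this commit.

Added illustration, not code from refpolicy or libselinux.  Assumptions:
regexes anchored at both ends, last matching entry wins, "--" restricts an
entry to regular files, and a constructed /usr/lib(/.*)? -> lib_t entry
stands in for the libraries.fc default that the real policy provides.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Spec(NamedTuple):
    regex: "re.Pattern[str]"
    ftype: Optional[str]   # "--" regular file, "-d" directory, ...; None = any
    ctx: str               # full context, e.g. system_u:object_r:bin_t


# One file_contexts line: <regex> [<ftype>] gen_context(<context>,s0)
FC_LINE = re.compile(r"^(\S+)\s+(?:(-[-a-z])\s+)?gen_context\(([^,]+),s0\)$")


def parse_fc(text: str) -> List[Spec]:
    """Parse file_contexts lines written in refpolicy's gen_context() form."""
    specs: List[Spec] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if m is None:
            raise ValueError(f"unparsable file_contexts line: {line!r}")
        path_re, ftype, ctx = m.groups()
        specs.append(Spec(re.compile("^" + path_re + "$"), ftype, ctx))
    return specs


def lookup(specs: List[Spec], path: str, ftype: str = "--") -> Optional[str]:
    """Return the SELinux type of the last entry matching path (assumption)."""
    ctx = None
    for spec in specs:
        if spec.ftype not in (None, ftype):
            continue                    # entry is for another file type
        if spec.regex.match(path):
            ctx = spec.ctx              # keep going: last match wins
    return ctx.split(":")[2] if ctx else None


# Constructed stand-in for the libraries.fc default (assumption, see above).
DEFAULT_FC = "/usr/lib(/.*)?\tgen_context(system_u:object_r:lib_t,s0)\n"
# The gvfs entry as it read before and after the hunk in this commit.
BEFORE = parse_fc(DEFAULT_FC + "/usr/lib/gvfs/.*\t--\tgen_context(system_u:object_r:bin_t,s0)\n")
AFTER = parse_fc(DEFAULT_FC + "/usr/lib/gvfs/gvfs.*\t--\tgen_context(system_u:object_r:bin_t,s0)\n")


def label_change(path: str, ftype: str = "--") -> Tuple[Optional[str], Optional[str]]:
    """(type before the patch, type after the patch) for one path."""
    return lookup(BEFORE, path, ftype), lookup(AFTER, path, ftype)


# Pull path="..." and the target type out of an AVC record; records that
# only carry name="..." have no full path and are skipped.
AVC_PATH = re.compile(r'avc: +denied .*?path="([^"]+)".*?tcontext=\w+:\w+:(\w+)')


def relabeled_by_patch(avc_lines: List[str]) -> Dict[str, Tuple[str, str]]:
    """Map each denied path whose label the patch changes to (old, new)."""
    out: Dict[str, Tuple[str, str]] = {}
    for line in avc_lines:
        m = AVC_PATH.search(line)
        if m is None:
            continue
        path, logged_type = m.groups()
        before, after = label_change(path)
        if before == logged_type and after != before:
            out[path] = (before, after)
    return out


if __name__ == "__main__":
    for p in ("/usr/lib/gvfs/gvfsd",
              "/usr/lib/gvfs/gvfs-udisks2-volume-monitor",
              "/usr/lib/gvfs/libgvfscommon.so"):
        print(f"{p}: {label_change(p)}")
    # Constructed copy of the path-bearing "open" denial from the commit message.
    sample = [
        'avc: denied { open } for pid=14872 comm="geoclue" '
        'path="/usr/lib/gvfs/libgvfscommon.so" dev="dm-0" ino=3152594 '
        'scontext=system_u:system_r:geoclue_t tcontext=system_u:object_r:bin_t '
        'tclass=file permissive=1',
    ]
    print(relabeled_by_patch(sample))
```

Running it shows gvfsd and gvfs-udisks2-volume-monitor keeping bin_t while libgvfscommon.so drops from bin_t to the directory default, and the directory /usr/lib/gvfs itself is untouched by either version because both entries carry the `--` qualifier. On a real system the equivalent check is `matchpathcon` or `selabel_lookup` against the compiled file_contexts, which also sorts entries rather than relying on file order as this toy does.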