* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/apps/, policy/modules/kernel/, ...
@ 2020-10-13 3:02 Jason Zaman
From: Jason Zaman @ 2020-10-13 3:02 UTC
To: gentoo-commits
commit: 0b43c7867705de4ae377de61aefe59fe43e4486d
Author: Jason Zaman <perfinion <AT> gentoo <DOT> org>
AuthorDate: Mon Oct 12 00:58:21 2020 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 12 01:57:46 2020 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0b43c786
Fix selint issues
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/admin/portage.fc | 3 ---
policy/modules/admin/puppet.te | 2 +-
policy/modules/admin/shorewall.fc | 11 -----------
policy/modules/apps/java.fc | 5 -----
policy/modules/apps/mozilla.fc | 1 -
policy/modules/contrib/ceph.if | 2 +-
policy/modules/contrib/ceph.te | 2 +-
policy/modules/contrib/dirsrv.if | 4 ++--
policy/modules/contrib/dirsrv.te | 4 ++--
policy/modules/contrib/dropbox.fc | 4 ----
policy/modules/contrib/dropbox.if | 1 +
policy/modules/contrib/gorg.te | 4 ++--
policy/modules/contrib/links.if | 6 +++---
policy/modules/contrib/logsentry.te | 4 ++--
policy/modules/contrib/mutt.if | 4 ++--
policy/modules/contrib/nginx.if | 2 +-
policy/modules/contrib/pan.te | 2 +-
policy/modules/contrib/resolvconf.fc | 2 --
policy/modules/contrib/skype.if | 8 ++++----
policy/modules/contrib/uwsgi.if | 4 ++--
policy/modules/contrib/vde.if | 5 ++---
policy/modules/kernel/corecommands.fc | 18 ++++++++++++++++++
policy/modules/kernel/corenetwork.if.in | 18 ++++++------------
policy/modules/kernel/devices.if | 2 +-
policy/modules/kernel/files.fc | 5 +++++
policy/modules/services/mysql.fc | 5 -----
policy/modules/services/networkmanager.if | 2 +-
policy/modules/services/postgresql.if | 2 +-
policy/modules/services/snmp.if | 4 ++--
policy/modules/system/init.te | 2 +-
policy/modules/system/libraries.fc | 6 +++++-
policy/modules/system/logging.if | 2 +-
policy/modules/system/modutils.te | 2 +-
33 files changed, 69 insertions(+), 79 deletions(-)
diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index 6a7e4582..5757deaa 100644
--- a/policy/modules/admin/portage.fc
+++ b/policy/modules/admin/portage.fc
@@ -2,7 +2,6 @@
/etc/make\.globals -- gen_context(system_u:object_r:portage_conf_t,s0)
/etc/make\.profile -l gen_context(system_u:object_r:portage_conf_t,s0)
/etc/portage(/.*)? gen_context(system_u:object_r:portage_conf_t,s0)
-/etc/portage/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/etc/portage/gpg(/.*)? gen_context(system_u:object_r:portage_gpg_t,s0)
/usr/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0)
@@ -11,11 +10,9 @@
/usr/bin/layman -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
/usr/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
-/usr/lib/portage/bin/ebuild -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/portage/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib/portage/bin/emerge-webrsync -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
/usr/lib/portage/bin/quickpkg -- gen_context(system_u:object_r:portage_exec_t,s0)
-/usr/lib/portage/bin/ebuild\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
diff --git a/policy/modules/admin/puppet.te b/policy/modules/admin/puppet.te
index fdb2640b..e0e7127e 100644
--- a/policy/modules/admin/puppet.te
+++ b/policy/modules/admin/puppet.te
@@ -376,7 +376,7 @@ ifdef(`distro_gentoo',`
# So, we duplicate the content of files_relabel_all_files except for
# the policy configuration stuff and hope users do that through Portage
- gen_require(`
+ gen_require(` #selint-disable:S-001
attribute file_type;
attribute security_file_type;
type policy_config_t;
diff --git a/policy/modules/admin/shorewall.fc b/policy/modules/admin/shorewall.fc
index aae46ecb..b18aab7e 100644
--- a/policy/modules/admin/shorewall.fc
+++ b/policy/modules/admin/shorewall.fc
@@ -16,14 +16,3 @@
/var/lock/subsys/shorewall -- gen_context(system_u:object_r:shorewall_lock_t,s0)
/var/log/shorewall.* gen_context(system_u:object_r:shorewall_log_t,s0)
-
-ifdef(`distro_gentoo',`
-/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/shorewall/getparams -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/shorewall/wait4ifup -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
-')
diff --git a/policy/modules/apps/java.fc b/policy/modules/apps/java.fc
index d0476be2..8b34cace 100644
--- a/policy/modules/apps/java.fc
+++ b/policy/modules/apps/java.fc
@@ -31,8 +31,3 @@ HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:java_home_t,s0)
/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
-
-ifdef(`distro_gentoo',`
-# Running maven (mvn) command needs read access to this, yet the file is marked as bin_t otherwise
-/usr/share/maven-bin-[^/]*/bin/m2\.conf -- gen_context(system_u:object_r:usr_t,s0)
-')
diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc
index 3a16e166..87bdab59 100644
--- a/policy/modules/apps/mozilla.fc
+++ b/policy/modules/apps/mozilla.fc
@@ -43,7 +43,6 @@ HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_
/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
/usr/lib/[^/]*firefox[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
-/opt/firefox/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/firefox/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/opt/firefox/run-mozilla\.sh -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/opt/firefox/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
diff --git a/policy/modules/contrib/ceph.if b/policy/modules/contrib/ceph.if
index b1e3208b..010c6b11 100644
--- a/policy/modules/contrib/ceph.if
+++ b/policy/modules/contrib/ceph.if
@@ -39,7 +39,7 @@ template(`ceph_domain_template',`
# Rules which cannot be made part of the domain
allow ceph_$1_t ceph_$1_runtime_t:file manage_file_perms;
- allow ceph_$1_t ceph_$1_runtime_t:sock_file manage_file_perms;
+ allow ceph_$1_t ceph_$1_runtime_t:sock_file manage_sock_file_perms;
allow ceph_$1_t ceph_$1_data_t:dir manage_dir_perms;
allow ceph_$1_t ceph_$1_data_t:file manage_file_perms;
diff --git a/policy/modules/contrib/ceph.te b/policy/modules/contrib/ceph.te
index 99a0b193..b1994a53 100644
--- a/policy/modules/contrib/ceph.te
+++ b/policy/modules/contrib/ceph.te
@@ -40,7 +40,7 @@ ceph_domain_template(osd)
ceph_domain_template(mds)
ceph_domain_template(mon)
-allow cephdomain self:fifo_file rw_file_perms;
+allow cephdomain self:fifo_file rw_fifo_file_perms;
read_files_pattern(cephdomain, ceph_conf_t, { ceph_conf_t ceph_key_t })
allow cephdomain ceph_log_t:dir manage_dir_perms;
diff --git a/policy/modules/contrib/dirsrv.if b/policy/modules/contrib/dirsrv.if
index 332bf2f5..ac56f143 100644
--- a/policy/modules/contrib/dirsrv.if
+++ b/policy/modules/contrib/dirsrv.if
@@ -20,7 +20,7 @@ interface(`dirsrv_domtrans',`
domain_auto_transition_pattern($1, dirsrv_exec_t, dirsrv_t)
allow dirsrv_t $1:fd use;
- allow dirsrv_t $1:fifo_file rw_file_perms;
+ allow dirsrv_t $1:fifo_file rw_fifo_file_perms;
allow dirsrv_t $1:process sigchld;
')
@@ -116,7 +116,7 @@ interface(`dirsrv_manage_var_run',`
')
allow $1 dirsrv_runtime_t:dir manage_dir_perms;
allow $1 dirsrv_runtime_t:file manage_file_perms;
- allow $1 dirsrv_runtime_t:sock_file manage_file_perms;
+ allow $1 dirsrv_runtime_t:sock_file manage_sock_file_perms;
')
######################################
diff --git a/policy/modules/contrib/dirsrv.te b/policy/modules/contrib/dirsrv.te
index 36e2203b..80a24f24 100644
--- a/policy/modules/contrib/dirsrv.te
+++ b/policy/modules/contrib/dirsrv.te
@@ -57,7 +57,7 @@ files_tmpfs_file(dirsrv_tmpfs_t)
# shared files
type dirsrv_share_t;
-files_type(dirsrv_share_t);
+files_type(dirsrv_share_t)
########################################
#
@@ -188,7 +188,7 @@ files_runtime_filetrans(dirsrv_snmp_t, dirsrv_snmp_runtime_t, { file sock_file }
search_dirs_pattern(dirsrv_snmp_t, dirsrv_runtime_t, dirsrv_runtime_t)
# log file
-manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t);
+manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t)
filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file)
# Init script handling
diff --git a/policy/modules/contrib/dropbox.fc b/policy/modules/contrib/dropbox.fc
index bcd85a60..1a9fdff7 100644
--- a/policy/modules/contrib/dropbox.fc
+++ b/policy/modules/contrib/dropbox.fc
@@ -7,8 +7,4 @@ HOME_DIR/\.dropbox-master(/.*)? gen_context(system_u:object_r:dropbo
HOME_DIR/\.dropbox-dist(/.*)?/dropboxd? -- gen_context(system_u:object_r:dropbox_exec_t,s0)
/opt/bin/dropbox -l gen_context(system_u:object_r:dropbox_exec_t,s0)
-/opt/dropbox/.*py?\.?.*egg(/.*)? gen_context(system_u:object_r:lib_t,s0)
-/opt/dropbox/lib.*\.so\.[0-9]+ -- gen_context(system_u:object_r:lib_t,s0)
/opt/dropbox/dropboxd? -- gen_context(system_u:object_r:dropbox_exec_t,s0)
-/opt/dropbox/library\.zip -l gen_context(system_u:object_r:lib_t,s0)
-
diff --git a/policy/modules/contrib/dropbox.if b/policy/modules/contrib/dropbox.if
index 51e9f88c..a010d912 100644
--- a/policy/modules/contrib/dropbox.if
+++ b/policy/modules/contrib/dropbox.if
@@ -18,6 +18,7 @@
interface(`dropbox_role',`
gen_require(`
type dropbox_t;
+ type dropbox_content_t;
type dropbox_exec_t;
type dropbox_home_t;
type dropbox_tmp_t;
diff --git a/policy/modules/contrib/gorg.te b/policy/modules/contrib/gorg.te
index b0c8ae33..59befaaa 100644
--- a/policy/modules/contrib/gorg.te
+++ b/policy/modules/contrib/gorg.te
@@ -5,10 +5,10 @@ type gorg_exec_t;
application_domain(gorg_t, gorg_exec_t)
type gorg_cache_t;
-files_type(gorg_cache_t);
+files_type(gorg_cache_t)
type gorg_config_t;
-files_type(gorg_config_t);
+files_type(gorg_config_t)
###################################
#
diff --git a/policy/modules/contrib/links.if b/policy/modules/contrib/links.if
index 61254fc3..b3ad618e 100644
--- a/policy/modules/contrib/links.if
+++ b/policy/modules/contrib/links.if
@@ -17,14 +17,14 @@
#
interface(`links_role',`
gen_require(`
- type links_t, links_exec_t, links_tmpfs_t, links_home_t;
+ type links_t, links_exec_t, links_home_t;
')
#######################################
#
# Declarations
#
-
+
role $1 types links_t;
############################
@@ -43,4 +43,4 @@ interface(`links_role',`
domtrans_pattern($2, links_exec_t, links_t)
ps_process_pattern($2, links_t)
-')
+')
diff --git a/policy/modules/contrib/logsentry.te b/policy/modules/contrib/logsentry.te
index d80cdc8b..5863369b 100644
--- a/policy/modules/contrib/logsentry.te
+++ b/policy/modules/contrib/logsentry.te
@@ -11,10 +11,10 @@ application_domain(logsentry_t, logsentry_exec_t)
role system_r types logsentry_t;
type logsentry_etc_t;
-files_type(logsentry_etc_t);
+files_type(logsentry_etc_t)
type logsentry_tmp_t;
-files_tmp_file(logsentry_tmp_t);
+files_tmp_file(logsentry_tmp_t)
type logsentry_filter_t;
files_type(logsentry_filter_t)
diff --git a/policy/modules/contrib/mutt.if b/policy/modules/contrib/mutt.if
index eabe82e9..596b0fd1 100644
--- a/policy/modules/contrib/mutt.if
+++ b/policy/modules/contrib/mutt.if
@@ -17,7 +17,7 @@
#
interface(`mutt_role',`
gen_require(`
- type mutt_t, mutt_exec_t, mutt_home_t, mutt_conf_t, mutt_etc_t;
+ type mutt_t, mutt_exec_t, mutt_home_t, mutt_conf_t;
type mutt_tmp_t;
')
@@ -99,6 +99,6 @@ interface(`mutt_rw_tmp_files',`
# The use of rw_files_pattern here is not needed, since this incurs the open privilege as well
allow $1 mutt_tmp_t:dir search_dir_perms;
- allow $1 mutt_tmp_t:file { read write };
+ allow $1 mutt_tmp_t:file rw_inherited_file_perms;
files_search_tmp($1)
')
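Review bot: rw_inherited_file_perms expands to { getattr read write append ioctl lock } in refpolicy, so this hunk grants append, getattr, ioctl and lock on mutt_tmp_t files that the literal { read write } did not. It still omits open, which is what the comment above is concerned with, but that comment should be updated to say the inherited macro is used for exactly that reason, and the added append on tmp files deserves a conscious decision rather than arriving as a side effect of a lint fix.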
diff --git a/policy/modules/contrib/nginx.if b/policy/modules/contrib/nginx.if
index b9066d97..d39b0964 100644
--- a/policy/modules/contrib/nginx.if
+++ b/policy/modules/contrib/nginx.if
@@ -57,7 +57,7 @@ interface(`nginx_domtrans',`
type nginx_t, nginx_exec_t;
')
allow nginx_t $1:fd use;
- allow nginx_t $1:fifo_file rw_file_perms;
+ allow nginx_t $1:fifo_file rw_fifo_file_perms;
allow nginx_t $1:process sigchld;
domain_auto_transition_pattern($1, nginx_exec_t, nginx_t)
diff --git a/policy/modules/contrib/pan.te b/policy/modules/contrib/pan.te
index 48b07b85..ad60d29d 100644
--- a/policy/modules/contrib/pan.te
+++ b/policy/modules/contrib/pan.te
@@ -33,7 +33,7 @@ ubac_constrained(pan_tmpfs_t)
#
allow pan_t self:process { getsched signal };
allow pan_t self:fifo_file rw_fifo_file_perms;
-allow pan_t pan_tmpfs_t:file { read write };
+allow pan_t pan_tmpfs_t:file rw_inherited_file_perms;
# Allow pan to work with its ~/.pan2 location
manage_dirs_pattern(pan_t, pan_home_t, pan_home_t)
diff --git a/policy/modules/contrib/resolvconf.fc b/policy/modules/contrib/resolvconf.fc
index 51383c24..fcfa9b7d 100644
--- a/policy/modules/contrib/resolvconf.fc
+++ b/policy/modules/contrib/resolvconf.fc
@@ -1,7 +1,5 @@
/etc/resolvconf\.conf -- gen_context(system_u:object_r:resolvconf_conf_t,s0)
-/usr/lib/resolvconf(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
/usr/sbin/resolvconf -- gen_context(system_u:object_r:resolvconf_exec_t,s0)
/run/resolvconf(/.*)? gen_context(system_u:object_r:resolvconf_runtime_t,s0)
diff --git a/policy/modules/contrib/skype.if b/policy/modules/contrib/skype.if
index 789b8f8a..88c9849c 100644
--- a/policy/modules/contrib/skype.if
+++ b/policy/modules/contrib/skype.if
@@ -17,11 +17,11 @@
#
interface(`skype_role',`
gen_require(`
- type skype_t, skype_exec_t, skype_tmpfs_t, skype_home_t;
+ type skype_t, skype_exec_t, skype_home_t;
')
-
+
role $1 types skype_t;
-
+
domtrans_pattern($2, skype_exec_t, skype_t)
allow $2 skype_t:process { ptrace signal_perms };
@@ -36,4 +36,4 @@ interface(`skype_role',`
relabel_lnk_files_pattern($2, skype_home_t, skype_home_t)
ps_process_pattern($2, skype_t)
-')
+')
diff --git a/policy/modules/contrib/uwsgi.if b/policy/modules/contrib/uwsgi.if
index c6b39de5..f5a54aa7 100644
--- a/policy/modules/contrib/uwsgi.if
+++ b/policy/modules/contrib/uwsgi.if
@@ -33,7 +33,7 @@ interface(`uwsgi_stream_connect',`
#
interface(`uwsgi_manage_content',`
gen_require(`
- type uwsgi_content_t;
+ type uwsgi_content_t, uwsgi_content_exec_t;
')
files_search_runtime($1)
@@ -81,7 +81,7 @@ interface(`uwsgi_domtrans',`
#
interface(`uwsgi_content_exec',`
gen_require(`
- type uwsgi_t, uwsgi_exec_t, uwsgi_content_exec_t;
+ type uwsgi_content_exec_t;
')
corecmd_search_bin($1)
diff --git a/policy/modules/contrib/vde.if b/policy/modules/contrib/vde.if
index 01579707..437b65ed 100644
--- a/policy/modules/contrib/vde.if
+++ b/policy/modules/contrib/vde.if
@@ -18,9 +18,8 @@
#
interface(`vde_role',`
gen_require(`
- type vde_t, vde_tmp_t;
- type vde_runtime_t;
- type vde_initrc_exec_t, vde_exec_t;
+ type vde_t;
+ type vde_exec_t;
')
role $1 types vde_t;
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 07a09873..48540ef9 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -115,6 +115,10 @@ ifdef(`distro_debian',`
/etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0)
')
+ifdef(`distro_gentoo',`
+/etc/portage/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+')
+
#
# /opt
#
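Review bot: the relocated `/etc/portage/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)` keeps the `--` specifier, which restricts the match to regular files, so the `/etc/portage/bin` directory itself still falls through to the `/etc/portage(/.*)?` portage_conf_t rule that remains in portage.fc. If the directory is meant to be bin_t as well, drop the `--`; if only the scripts are meant to be bin_t, a one-line comment saying so would save the next reader the same question.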
@@ -391,6 +395,20 @@ ifdef(`distro_gentoo', `
/usr/lib/rc/bin/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/rc/sbin/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/rc/sh/.* -- gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib/portage/bin/ebuild -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/portage/bin/ebuild\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/resolvconf(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/usr/share/mysql/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall/getparams -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall/wait4ifup -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
')
ifdef(`distro_redhat', `
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index 7b77d8d8..65e54854 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -1494,11 +1494,11 @@ interface(`corenet_udp_send_all_ports',`
#
interface(`corenet_sctp_bind_generic_port',`
gen_require(`
- type port_t, unreserved_port_t, ephemeral_port_t;
+ type port_t, unreserved_port_t;
attribute defined_port_type;
')
- allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind;
+ allow $1 { port_t unreserved_port_t }:sctp_socket name_bind;
dontaudit $1 defined_port_type:sctp_socket name_bind;
')
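Review bot: removing ephemeral_port_t from the name_bind rule narrows what callers of corenet_sctp_bind_generic_port may bind to, which goes beyond a lint fix, so the commit message should state why (presumably the type is no longer declared, which is what selint would report). The same applies to the two SCTP hunks below that drop ephemeral_port_t from the dontaudit and name_connect rules.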
@@ -1567,10 +1567,10 @@ interface(`corenet_udp_sendrecv_all_ports',`
#
interface(`corenet_dontaudit_sctp_bind_generic_port',`
gen_require(`
- type port_t, unreserved_port_t, ephemeral_port_t;
+ type port_t, unreserved_port_t;
')
- dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind;
+ dontaudit $1 { port_t unreserved_port_t }:sctp_socket name_bind;
')
########################################
@@ -1641,10 +1641,10 @@ interface(`corenet_udp_bind_all_ports',`
#
interface(`corenet_sctp_connect_generic_port',`
gen_require(`
- type port_t, unreserved_port_t,ephemeral_port_t;
+ type port_t, unreserved_port_t;
')
- allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_connect;
+ allow $1 { port_t unreserved_port_t }:sctp_socket name_connect;
')
########################################
@@ -3335,13 +3335,7 @@ interface(`corenet_relabelto_all_server_packets',`
## </param>
#
interface(`corenet_sctp_recvfrom_unlabeled',`
- gen_require(`
- attribute corenet_unlabeled_type;
- ')
-
kernel_recvfrom_unlabeled_peer($1)
-
- typeattribute $1 corenet_unlabeled_type;
kernel_sendrecv_unlabeled_association($1)
')
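Review bot: dropping `typeattribute $1 corenet_unlabeled_type;` means callers of corenet_sctp_recvfrom_unlabeled no longer receive the attribute, so any rule elsewhere keyed on corenet_unlabeled_type stops applying to them. If the attribute has been removed from the module and the stale require block was all selint flagged, say so in the commit message; if the attribute still exists, the typeattribute line should stay and only the require block be fixed.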
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 1fae36ed..474b4035 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -5630,6 +5630,6 @@ interface(`dev_dontaudit_read_usbmon_dev',`
type usbmon_device_t;
')
- dontaudit $1 usbmon_device_t:chr_file read_file_perms;
+ dontaudit $1 usbmon_device_t:chr_file read_chr_file_perms;
')
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index 1bec89a0..d7b46a3d 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -215,6 +215,11 @@ HOME_ROOT/lost\+found/.* <<none>>
/usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0)
/usr/share/docbook2X/xslt/man(/.*)? gen_context(system_u:object_r:usr_t,s0)
+ifdef(`distro_gentoo',`
+# Running maven (mvn) command needs read access to this, yet the file is marked as bin_t otherwise
+/usr/share/maven-bin-[^/]*/bin/m2\.conf -- gen_context(system_u:object_r:usr_t,s0)
+')
+
/usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
/usr/tmp/.* <<none>>
diff --git a/policy/modules/services/mysql.fc b/policy/modules/services/mysql.fc
index e1f090fa..7739d36d 100644
--- a/policy/modules/services/mysql.fc
+++ b/policy/modules/services/mysql.fc
@@ -30,8 +30,3 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
/run/mysqld.* gen_context(system_u:object_r:mysqld_runtime_t,s0)
/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_runtime_t,s0)
/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_runtime_t,s0)
-
-
-ifdef(`distro_gentoo',`
-/usr/share/mysql/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
-')
diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if
index 2897a484..de48cdbe 100644
--- a/policy/modules/services/networkmanager.if
+++ b/policy/modules/services/networkmanager.if
@@ -485,7 +485,7 @@ interface(`networkmanager_domtrans_wpa_cli',`
#
interface(`networkmanager_run_wpa_cli',`
gen_require(`
- type wpa_cli_exec_t;
+ type wpa_cli_t;
')
networkmanager_domtrans_wpa_cli($1)
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index 6089d18d..c8b31909 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -349,7 +349,7 @@ interface(`postgresql_exec',`
type postgresql_exec_t;
')
- can_exec($1, postgresql_exec_t);
+ can_exec($1, postgresql_exec_t)
')
########################################
diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if
index a945c50e..4d4bf888 100644
--- a/policy/modules/services/snmp.if
+++ b/policy/modules/services/snmp.if
@@ -193,8 +193,8 @@ interface(`snmp_admin',`
#
interface(`snmp_append_var_lib_files',`
gen_require(`
- type snmp_var_lib_t;
+ type snmpd_var_lib_t;
')
- allow $1 snmp_var_lib_t:file append_file_perms;
+ allow $1 snmpd_var_lib_t:file append_file_perms;
')
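Review bot: changing the required type from snmp_var_lib_t to snmpd_var_lib_t changes which type the interface references, so this is a functional fix rather than a style one: if snmp_var_lib_t was never declared, every caller of snmp_append_var_lib_files failed at build time before this change. That deserves a line in the commit message, and it is worth checking that no other interface in snmp.if still refers to snmp_var_lib_t.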
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index eb78df9a..b52eaddb 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1003,7 +1003,7 @@ ifdef(`enabled_mls',`
# Allow initrc_su_t, now defined, to transition to postgresql_t
postgresql_domtrans(initrc_su_t)
# Allow initrc_su_t to use the initrc_devpts_t (needed for init script failure output)
- allow initrc_su_t initrc_devpts_t:chr_file { read write };
+ allow initrc_su_t initrc_devpts_t:chr_file rw_inherited_term_perms;
')
')
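Review bot: rw_inherited_term_perms expands to { getattr read write append ioctl } in refpolicy, so initrc_su_t gains getattr, append and ioctl on initrc_devpts_t beyond the literal { read write }. ioctl on a pty is the usual requirement for terminal output, so the widening looks correct, but the comment above should mention that the inherited-terminal macro is the intended set so a later reader does not read the change as accidental.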
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 3cdc22f9..757b18bc 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -60,10 +60,14 @@ ifdef(`distro_gentoo',`
/opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)
/opt/Acrobat[5-9]/Reader/intellinux/plug_ins3d/.*\.x3d -- gen_context(system_u:object_r:lib_t,s0)
/opt/Acrobat[5-9]/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0)
+/opt/dropbox/.*py?\.?.*egg(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/opt/dropbox/lib.*\.so\.[0-9]+ -- gen_context(system_u:object_r:lib_t,s0)
+/opt/dropbox/library\.zip -l gen_context(system_u:object_r:lib_t,s0)
+/opt/firefox/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/netscape/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0)
/opt/netscape/plugins/libflashplayer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/opt/netscape/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/netscape/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/RealPlayer/codecs(/.*)? gen_context(system_u:object_r:lib_t,s0)
/opt/RealPlayer/common(/.*)? gen_context(system_u:object_r:lib_t,s0)
/opt/RealPlayer/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index ae993536..0f6efef8 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -1068,7 +1068,7 @@ interface(`logging_append_all_inherited_logs',`
attribute logfile;
')
- allow $1 logfile:file { getattr append ioctl lock };
+ allow $1 logfile:file append_inherited_file_perms;
')
########################################
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 9e7fd769..e002e6e3 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -213,5 +213,5 @@ ifdef(`distro_gentoo',`
# for /run/tmpfiles.d/kmod.conf
tmpfiles_create_runtime_files(kmod_t)
- filetrans_add_pattern(kmod_t, tmpfiles_runtime_t, kmod_tmpfiles_conf_t, file)
+ filetrans_add_pattern(kmod_t, tmpfiles_runtime_t, kmod_tmpfiles_conf_t, file) #selint-disable:W-001
')
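Review bot: the `#selint-disable:W-001` suppression hides a direct reference to tmpfiles_runtime_t from outside the tmpfiles module instead of fixing it. The line above already goes through tmpfiles_create_runtime_files(kmod_t), so the preferred fix is to add (or use) an interface in the tmpfiles module that performs this filetrans and call it here, keeping the type private to its module. If the suppression is kept, a short comment on why no interface is available would help.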