From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1602467866.0b43c7867705de4ae377de61aefe59fe43e4486d.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/apps/, policy/modules/kernel/, ...
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/admin/portage.fc policy/modules/admin/puppet.te policy/modules/admin/shorewall.fc policy/modules/apps/java.fc policy/modules/apps/mozilla.fc policy/modules/contrib/ceph.if policy/modules/contrib/ceph.te policy/modules/contrib/dirsrv.if policy/modules/contrib/dirsrv.te policy/modules/contrib/dropbox.fc policy/modules/contrib/dropbox.if policy/modules/contrib/gorg.te policy/modules/contrib/links.if policy/modules/contrib/logsentry.te policy/modules/contrib/mutt.if policy/modules/contrib/nginx.if policy/modules/contrib/pan.te policy/modules/contrib/resolvconf.fc policy/modules/contrib/skype.if policy/modules/contrib/uwsgi.if policy/modules/contrib/vde.if policy/modules/kernel/corecommands.fc policy/modules/kernel/corenetwork.if.in policy/modules/kernel/devices.if policy/modules/kernel/files.fc policy/modules/services/mysql.fc policy/modules/services/networkmanager.if policy/modules/services/postgresql.if policy/modules/services/snmp.if policy/modules/system/init.te policy/modules/system/libraries.fc policy/modules/system/logging.if policy/modules/system/modutils.te
X-VCS-Directories: policy/modules/services/ policy/modules/admin/ policy/modules/apps/ policy/modules/kernel/ policy/modules/system/ policy/modules/contrib/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 0b43c7867705de4ae377de61aefe59fe43e4486d
X-VCS-Branch: master
Date: Tue, 13 Oct 2020 03:02:06 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 7b29c890-4d30-4247-8459-032239469de8
X-Archives-Hash: 1828af5afd5fc1f1174106942b18689b

commit: 0b43c7867705de4ae377de61aefe59fe43e4486d
Author: Jason Zaman gentoo org>
AuthorDate: Mon Oct 12 00:58:21 2020 +0000
Commit: Jason Zaman gentoo org>
CommitDate: Mon Oct 12 01:57:46 2020 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0b43c786

Fix selint issues

Signed-off-by: Jason Zaman gentoo.org>

policy/modules/admin/portage.fc | 3 ---
policy/modules/admin/puppet.te | 2 +-
policy/modules/admin/shorewall.fc | 11 -----------
policy/modules/apps/java.fc | 5 -----
policy/modules/apps/mozilla.fc | 1 -
policy/modules/contrib/ceph.if | 2 +-
policy/modules/contrib/ceph.te | 2 +-
policy/modules/contrib/dirsrv.if | 4 ++--
policy/modules/contrib/dirsrv.te | 4 ++--
policy/modules/contrib/dropbox.fc | 4 ----
policy/modules/contrib/dropbox.if | 1 +
policy/modules/contrib/gorg.te | 4 ++--
policy/modules/contrib/links.if | 6 +++---
policy/modules/contrib/logsentry.te | 4 ++--
policy/modules/contrib/mutt.if | 4 ++--
policy/modules/contrib/nginx.if | 2 +-
policy/modules/contrib/pan.te | 2 +-
policy/modules/contrib/resolvconf.fc | 2 --
policy/modules/contrib/skype.if | 8 ++++----
policy/modules/contrib/uwsgi.if | 4 ++--
policy/modules/contrib/vde.if | 5 ++---
policy/modules/kernel/corecommands.fc | 18 ++++++++++++++++++
policy/modules/kernel/corenetwork.if.in | 18 ++++++------------
policy/modules/kernel/devices.if | 2 +-
policy/modules/kernel/files.fc | 5 +++++
policy/modules/services/mysql.fc | 5 -----
policy/modules/services/networkmanager.if | 2 +-
policy/modules/services/postgresql.if | 2 +-
policy/modules/services/snmp.if | 4 ++--
policy/modules/system/init.te | 2 +-
policy/modules/system/libraries.fc | 6 +++++-
policy/modules/system/logging.if | 2 +-
policy/modules/system/modutils.te | 2 +-
33 files changed, 69 insertions(+), 79 deletions(-)
diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc index 6a7e4582..5757deaa 100644 --- a/policy/modules/admin/portage.fc +++ b/policy/modules/admin/portage.fc @@ -2,7 +2,6 @@ /etc/make\.globals -- gen_context(system_u:object_r:portage_conf_t,s0) /etc/make\.profile -l gen_context(system_u:object_r:portage_conf_t,s0) /etc/portage(/.*)? gen_context(system_u:object_r:portage_conf_t,s0) -/etc/portage/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /etc/portage/gpg(/.*)? gen_context(system_u:object_r:portage_gpg_t,s0) /usr/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0) @@ -11,11 +10,9 @@ /usr/bin/layman -- gen_context(system_u:object_r:portage_fetch_exec_t,s0) /usr/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0) -/usr/lib/portage/bin/ebuild -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/portage/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0) /usr/lib/portage/bin/emerge-webrsync -- gen_context(system_u:object_r:portage_fetch_exec_t,s0) /usr/lib/portage/bin/quickpkg -- gen_context(system_u:object_r:portage_exec_t,s0) -/usr/lib/portage/bin/ebuild\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0) /usr/lib/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0) diff --git a/policy/modules/admin/puppet.te b/policy/modules/admin/puppet.te index fdb2640b..e0e7127e 100644 --- a/policy/modules/admin/puppet.te +++ b/policy/modules/admin/puppet.te @@ -376,7 +376,7 @@ ifdef(`distro_gentoo',` # So, we duplicate the content of files_relabel_all_files except for # the policy configuration stuff and hope users do that through Portage - gen_require(` + gen_require(` #selint-disable:S-001 attribute file_type; attribute security_file_type; type policy_config_t; diff --git a/policy/modules/admin/shorewall.fc b/policy/modules/admin/shorewall.fc index aae46ecb..b18aab7e 100644 
--- a/policy/modules/admin/shorewall.fc +++ b/policy/modules/admin/shorewall.fc @@ -16,14 +16,3 @@ /var/lock/subsys/shorewall -- gen_context(system_u:object_r:shorewall_lock_t,s0) /var/log/shorewall.* gen_context(system_u:object_r:shorewall_log_t,s0) - -ifdef(`distro_gentoo',` -/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/shorewall/getparams -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/shorewall/wait4ifup -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) -') diff --git a/policy/modules/apps/java.fc b/policy/modules/apps/java.fc index d0476be2..8b34cace 100644 --- a/policy/modules/apps/java.fc +++ b/policy/modules/apps/java.fc @@ -31,8 +31,3 @@ HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:java_home_t,s0) /usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) /usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) - -ifdef(`distro_gentoo',` -# Running maven (mvn) command needs read access to this, yet the file is marked as bin_t otherwise -/usr/share/maven-bin-[^/]*/bin/m2\.conf -- gen_context(system_u:object_r:usr_t,s0) -') diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc index 3a16e166..87bdab59 100644 --- a/policy/modules/apps/mozilla.fc +++ b/policy/modules/apps/mozilla.fc 
@@ -43,7 +43,6 @@ HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_ /usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) /usr/lib/[^/]*firefox[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) -/opt/firefox/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/firefox/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) /opt/firefox/run-mozilla\.sh -- gen_context(system_u:object_r:mozilla_exec_t,s0) /opt/firefox/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) diff --git a/policy/modules/contrib/ceph.if b/policy/modules/contrib/ceph.if index b1e3208b..010c6b11 100644 --- a/policy/modules/contrib/ceph.if +++ b/policy/modules/contrib/ceph.if @@ -39,7 +39,7 @@ template(`ceph_domain_template',` # Rules which cannot be made part of the domain allow ceph_$1_t ceph_$1_runtime_t:file manage_file_perms; - allow ceph_$1_t ceph_$1_runtime_t:sock_file manage_file_perms; + allow ceph_$1_t ceph_$1_runtime_t:sock_file manage_sock_file_perms; allow ceph_$1_t ceph_$1_data_t:dir manage_dir_perms; allow ceph_$1_t ceph_$1_data_t:file manage_file_perms; diff --git a/policy/modules/contrib/ceph.te b/policy/modules/contrib/ceph.te index 99a0b193..b1994a53 100644 --- a/policy/modules/contrib/ceph.te +++ b/policy/modules/contrib/ceph.te @@ -40,7 +40,7 @@ ceph_domain_template(osd) ceph_domain_template(mds) ceph_domain_template(mon) -allow cephdomain self:fifo_file rw_file_perms; +allow cephdomain self:fifo_file rw_fifo_file_perms; read_files_pattern(cephdomain, ceph_conf_t, { ceph_conf_t ceph_key_t }) allow cephdomain ceph_log_t:dir manage_dir_perms; diff --git a/policy/modules/contrib/dirsrv.if b/policy/modules/contrib/dirsrv.if index 332bf2f5..ac56f143 100644 --- a/policy/modules/contrib/dirsrv.if +++ b/policy/modules/contrib/dirsrv.if 
@@ -20,7 +20,7 @@ interface(`dirsrv_domtrans',` domain_auto_transition_pattern($1, dirsrv_exec_t, dirsrv_t) allow dirsrv_t $1:fd use; - allow dirsrv_t $1:fifo_file rw_file_perms; + allow dirsrv_t $1:fifo_file rw_fifo_file_perms; allow dirsrv_t $1:process sigchld; ') @@ -116,7 +116,7 @@ interface(`dirsrv_manage_var_run',` ') allow $1 dirsrv_runtime_t:dir manage_dir_perms; allow $1 dirsrv_runtime_t:file manage_file_perms; - allow $1 dirsrv_runtime_t:sock_file manage_file_perms; + allow $1 dirsrv_runtime_t:sock_file manage_sock_file_perms; ') ###################################### diff --git a/policy/modules/contrib/dirsrv.te b/policy/modules/contrib/dirsrv.te index 36e2203b..80a24f24 100644 --- a/policy/modules/contrib/dirsrv.te +++ b/policy/modules/contrib/dirsrv.te @@ -57,7 +57,7 @@ files_tmpfs_file(dirsrv_tmpfs_t) # shared files type dirsrv_share_t; -files_type(dirsrv_share_t); +files_type(dirsrv_share_t) ######################################## # @@ -188,7 +188,7 @@ files_runtime_filetrans(dirsrv_snmp_t, dirsrv_snmp_runtime_t, { file sock_file } search_dirs_pattern(dirsrv_snmp_t, dirsrv_runtime_t, dirsrv_runtime_t) # log file -manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t); +manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t) filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file) # Init script handling diff --git a/policy/modules/contrib/dropbox.fc b/policy/modules/contrib/dropbox.fc index bcd85a60..1a9fdff7 100644 --- a/policy/modules/contrib/dropbox.fc +++ b/policy/modules/contrib/dropbox.fc 
@@ -7,8 +7,4 @@ HOME_DIR/\.dropbox-master(/.*)? gen_context(system_u:object_r:dropbo HOME_DIR/\.dropbox-dist(/.*)?/dropboxd? -- gen_context(system_u:object_r:dropbox_exec_t,s0) /opt/bin/dropbox -l gen_context(system_u:object_r:dropbox_exec_t,s0) -/opt/dropbox/.*py?\.?.*egg(/.*)? gen_context(system_u:object_r:lib_t,s0) -/opt/dropbox/lib.*\.so\.[0-9]+ -- gen_context(system_u:object_r:lib_t,s0) /opt/dropbox/dropboxd? -- gen_context(system_u:object_r:dropbox_exec_t,s0) -/opt/dropbox/library\.zip -l gen_context(system_u:object_r:lib_t,s0) - diff --git a/policy/modules/contrib/dropbox.if b/policy/modules/contrib/dropbox.if index 51e9f88c..a010d912 100644 --- a/policy/modules/contrib/dropbox.if +++ b/policy/modules/contrib/dropbox.if @@ -18,6 +18,7 @@ interface(`dropbox_role',` gen_require(` type dropbox_t; + type dropbox_content_t; type dropbox_exec_t; type dropbox_home_t; type dropbox_tmp_t; diff --git a/policy/modules/contrib/gorg.te b/policy/modules/contrib/gorg.te index b0c8ae33..59befaaa 100644 --- a/policy/modules/contrib/gorg.te +++ b/policy/modules/contrib/gorg.te @@ -5,10 +5,10 @@ type gorg_exec_t; application_domain(gorg_t, gorg_exec_t) type gorg_cache_t; -files_type(gorg_cache_t); +files_type(gorg_cache_t) type gorg_config_t; -files_type(gorg_config_t); +files_type(gorg_config_t) ################################### # diff --git a/policy/modules/contrib/links.if b/policy/modules/contrib/links.if index 61254fc3..b3ad618e 100644 --- a/policy/modules/contrib/links.if +++ b/policy/modules/contrib/links.if @@ -17,14 +17,14 @@ # interface(`links_role',` gen_require(` - type links_t, links_exec_t, links_tmpfs_t, links_home_t; + type links_t, links_exec_t, links_home_t; ') ####################################### # # Declarations # - + role $1 types links_t; ############################ @@ -43,4 +43,4 @@ interface(`links_role',` domtrans_pattern($2, links_exec_t, links_t) ps_process_pattern($2, links_t) -') +') 
diff --git a/policy/modules/contrib/logsentry.te b/policy/modules/contrib/logsentry.te index d80cdc8b..5863369b 100644 --- a/policy/modules/contrib/logsentry.te +++ b/policy/modules/contrib/logsentry.te @@ -11,10 +11,10 @@ application_domain(logsentry_t, logsentry_exec_t) role system_r types logsentry_t; type logsentry_etc_t; -files_type(logsentry_etc_t); +files_type(logsentry_etc_t) type logsentry_tmp_t; -files_tmp_file(logsentry_tmp_t); +files_tmp_file(logsentry_tmp_t) type logsentry_filter_t; files_type(logsentry_filter_t) diff --git a/policy/modules/contrib/mutt.if b/policy/modules/contrib/mutt.if index eabe82e9..596b0fd1 100644 --- a/policy/modules/contrib/mutt.if +++ b/policy/modules/contrib/mutt.if @@ -17,7 +17,7 @@ # interface(`mutt_role',` gen_require(` - type mutt_t, mutt_exec_t, mutt_home_t, mutt_conf_t, mutt_etc_t; + type mutt_t, mutt_exec_t, mutt_home_t, mutt_conf_t; type mutt_tmp_t; ') @@ -99,6 +99,6 @@ interface(`mutt_rw_tmp_files',` # The use of rw_files_pattern here is not needed, since this incurs the open privilege as well allow $1 mutt_tmp_t:dir search_dir_perms; - allow $1 mutt_tmp_t:file { read write }; + allow $1 mutt_tmp_t:file rw_inherited_file_perms; files_search_tmp($1) ') diff --git a/policy/modules/contrib/nginx.if b/policy/modules/contrib/nginx.if index b9066d97..d39b0964 100644 --- a/policy/modules/contrib/nginx.if +++ b/policy/modules/contrib/nginx.if @@ -57,7 +57,7 @@ interface(`nginx_domtrans',` type nginx_t, nginx_exec_t; ') allow nginx_t $1:fd use; - allow nginx_t $1:fifo_file rw_file_perms; + allow nginx_t $1:fifo_file rw_fifo_file_perms; allow nginx_t $1:process sigchld; domain_auto_transition_pattern($1, nginx_exec_t, nginx_t) diff --git a/policy/modules/contrib/pan.te b/policy/modules/contrib/pan.te index 48b07b85..ad60d29d 100644 --- a/policy/modules/contrib/pan.te +++ b/policy/modules/contrib/pan.te 
@@ -33,7 +33,7 @@ ubac_constrained(pan_tmpfs_t) # allow pan_t self:process { getsched signal }; allow pan_t self:fifo_file rw_fifo_file_perms; -allow pan_t pan_tmpfs_t:file { read write }; +allow pan_t pan_tmpfs_t:file rw_inherited_file_perms; # Allow pan to work with its ~/.pan2 location manage_dirs_pattern(pan_t, pan_home_t, pan_home_t) diff --git a/policy/modules/contrib/resolvconf.fc b/policy/modules/contrib/resolvconf.fc index 51383c24..fcfa9b7d 100644 --- a/policy/modules/contrib/resolvconf.fc +++ b/policy/modules/contrib/resolvconf.fc @@ -1,7 +1,5 @@ /etc/resolvconf\.conf -- gen_context(system_u:object_r:resolvconf_conf_t,s0) -/usr/lib/resolvconf(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/sbin/resolvconf -- gen_context(system_u:object_r:resolvconf_exec_t,s0) /run/resolvconf(/.*)? gen_context(system_u:object_r:resolvconf_runtime_t,s0) diff --git a/policy/modules/contrib/skype.if b/policy/modules/contrib/skype.if index 789b8f8a..88c9849c 100644 --- a/policy/modules/contrib/skype.if +++ b/policy/modules/contrib/skype.if @@ -17,11 +17,11 @@ # interface(`skype_role',` gen_require(` - type skype_t, skype_exec_t, skype_tmpfs_t, skype_home_t; + type skype_t, skype_exec_t, skype_home_t; ') - + role $1 types skype_t; - + domtrans_pattern($2, skype_exec_t, skype_t) allow $2 skype_t:process { ptrace signal_perms }; @@ -36,4 +36,4 @@ interface(`skype_role',` relabel_lnk_files_pattern($2, skype_home_t, skype_home_t) ps_process_pattern($2, skype_t) -') +') diff --git a/policy/modules/contrib/uwsgi.if b/policy/modules/contrib/uwsgi.if index c6b39de5..f5a54aa7 100644 --- a/policy/modules/contrib/uwsgi.if +++ b/policy/modules/contrib/uwsgi.if @@ -33,7 +33,7 @@ interface(`uwsgi_stream_connect',` # interface(`uwsgi_manage_content',` gen_require(` - type uwsgi_content_t; + type uwsgi_content_t, uwsgi_content_exec_t; ') files_search_runtime($1) 
@@ -81,7 +81,7 @@ interface(`uwsgi_domtrans',` # interface(`uwsgi_content_exec',` gen_require(` - type uwsgi_t, uwsgi_exec_t, uwsgi_content_exec_t; + type uwsgi_content_exec_t; ') corecmd_search_bin($1) diff --git a/policy/modules/contrib/vde.if b/policy/modules/contrib/vde.if index 01579707..437b65ed 100644 --- a/policy/modules/contrib/vde.if +++ b/policy/modules/contrib/vde.if @@ -18,9 +18,8 @@ # interface(`vde_role',` gen_require(` - type vde_t, vde_tmp_t; - type vde_runtime_t; - type vde_initrc_exec_t, vde_exec_t; + type vde_t; + type vde_exec_t; ') role $1 types vde_t; diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index 07a09873..48540ef9 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -115,6 +115,10 @@ ifdef(`distro_debian',` /etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0) ') +ifdef(`distro_gentoo',` +/etc/portage/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) +') + # # /opt # 
@@ -391,6 +395,20 @@ ifdef(`distro_gentoo', ` /usr/lib/rc/bin/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/rc/sbin/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/rc/sh/.* -- gen_context(system_u:object_r:bin_t,s0) + +/usr/lib/portage/bin/ebuild -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/portage/bin/ebuild\.sh -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/resolvconf(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/usr/share/mysql/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall/getparams -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall/wait4ifup -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) ') ifdef(`distro_redhat', ` diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in index 7b77d8d8..65e54854 100644 --- a/policy/modules/kernel/corenetwork.if.in +++ b/policy/modules/kernel/corenetwork.if.in @@ -1494,11 +1494,11 @@ interface(`corenet_udp_send_all_ports',` # interface(`corenet_sctp_bind_generic_port',` gen_require(` - type port_t, unreserved_port_t, ephemeral_port_t; + type port_t, unreserved_port_t; attribute defined_port_type; ') - allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind; + allow $1 { port_t unreserved_port_t }:sctp_socket name_bind; dontaudit $1 defined_port_type:sctp_socket name_bind; ') 
@@ -1567,10 +1567,10 @@ interface(`corenet_udp_sendrecv_all_ports',` # interface(`corenet_dontaudit_sctp_bind_generic_port',` gen_require(` - type port_t, unreserved_port_t, ephemeral_port_t; + type port_t, unreserved_port_t; ') - dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind; + dontaudit $1 { port_t unreserved_port_t }:sctp_socket name_bind; ') ######################################## @@ -1641,10 +1641,10 @@ interface(`corenet_udp_bind_all_ports',` # interface(`corenet_sctp_connect_generic_port',` gen_require(` - type port_t, unreserved_port_t,ephemeral_port_t; + type port_t, unreserved_port_t; ') - allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_connect; + allow $1 { port_t unreserved_port_t }:sctp_socket name_connect; ') ######################################## @@ -3335,13 +3335,7 @@ interface(`corenet_relabelto_all_server_packets',` ## # interface(`corenet_sctp_recvfrom_unlabeled',` - gen_require(` - attribute corenet_unlabeled_type; - ') - kernel_recvfrom_unlabeled_peer($1) - - typeattribute $1 corenet_unlabeled_type; kernel_sendrecv_unlabeled_association($1) ') diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 1fae36ed..474b4035 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -5630,6 +5630,6 @@ interface(`dev_dontaudit_read_usbmon_dev',` type usbmon_device_t; ') - dontaudit $1 usbmon_device_t:chr_file read_file_perms; + dontaudit $1 usbmon_device_t:chr_file read_chr_file_perms; ') diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc index 1bec89a0..d7b46a3d 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc 
@@ -215,6 +215,11 @@ HOME_ROOT/lost\+found/.* <> /usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0) /usr/share/docbook2X/xslt/man(/.*)? gen_context(system_u:object_r:usr_t,s0) +ifdef(`distro_gentoo',` +# Running maven (mvn) command needs read access to this, yet the file is marked as bin_t otherwise +/usr/share/maven-bin-[^/]*/bin/m2\.conf -- gen_context(system_u:object_r:usr_t,s0) +') + /usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) /usr/tmp/.* <> diff --git a/policy/modules/services/mysql.fc b/policy/modules/services/mysql.fc index e1f090fa..7739d36d 100644 --- a/policy/modules/services/mysql.fc +++ b/policy/modules/services/mysql.fc @@ -30,8 +30,3 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) /run/mysqld.* gen_context(system_u:object_r:mysqld_runtime_t,s0) /run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_runtime_t,s0) /run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_runtime_t,s0) - - -ifdef(`distro_gentoo',` -/usr/share/mysql/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) -') diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if index 2897a484..de48cdbe 100644 --- a/policy/modules/services/networkmanager.if +++ b/policy/modules/services/networkmanager.if @@ -485,7 +485,7 @@ interface(`networkmanager_domtrans_wpa_cli',` # interface(`networkmanager_run_wpa_cli',` gen_require(` - type wpa_cli_exec_t; + type wpa_cli_t; ') networkmanager_domtrans_wpa_cli($1) diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if index 6089d18d..c8b31909 100644 --- a/policy/modules/services/postgresql.if +++ b/policy/modules/services/postgresql.if @@ -349,7 +349,7 @@ interface(`postgresql_exec',` type postgresql_exec_t; ') - can_exec($1, postgresql_exec_t); + can_exec($1, postgresql_exec_t) ') ######################################## 
diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if index a945c50e..4d4bf888 100644 --- a/policy/modules/services/snmp.if +++ b/policy/modules/services/snmp.if @@ -193,8 +193,8 @@ interface(`snmp_admin',` # interface(`snmp_append_var_lib_files',` gen_require(` - type snmp_var_lib_t; + type snmpd_var_lib_t; ') - allow $1 snmp_var_lib_t:file append_file_perms; + allow $1 snmpd_var_lib_t:file append_file_perms; ') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index eb78df9a..b52eaddb 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1003,7 +1003,7 @@ ifdef(`enabled_mls',` # Allow initrc_su_t, now defined, to transition to postgresql_t postgresql_domtrans(initrc_su_t) # Allow initrc_su_t to use the initrc_devpts_t (needed for init script failure output) - allow initrc_su_t initrc_devpts_t:chr_file { read write }; + allow initrc_su_t initrc_devpts_t:chr_file rw_inherited_term_perms; ') ') diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc index 3cdc22f9..757b18bc 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc 
@@ -60,10 +60,14 @@ ifdef(`distro_gentoo',` /opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:lib_t,s0) /opt/Acrobat[5-9]/Reader/intellinux/plug_ins3d/.*\.x3d -- gen_context(system_u:object_r:lib_t,s0) /opt/Acrobat[5-9]/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0) +/opt/dropbox/.*py?\.?.*egg(/.*)? gen_context(system_u:object_r:lib_t,s0) +/opt/dropbox/lib.*\.so\.[0-9]+ -- gen_context(system_u:object_r:lib_t,s0) +/opt/dropbox/library\.zip -l gen_context(system_u:object_r:lib_t,s0) +/opt/firefox/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/netscape/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0) /opt/netscape/plugins/libflashplayer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/opt/netscape/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/netscape/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/RealPlayer/codecs(/.*)? gen_context(system_u:object_r:lib_t,s0) /opt/RealPlayer/common(/.*)? gen_context(system_u:object_r:lib_t,s0) /opt/RealPlayer/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if index ae993536..0f6efef8 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -1068,7 +1068,7 @@ interface(`logging_append_all_inherited_logs',` attribute logfile; ') - allow $1 logfile:file { getattr append ioctl lock }; + allow $1 logfile:file append_inherited_file_perms; ') ######################################## diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te index 9e7fd769..e002e6e3 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te 
@@ -213,5 +213,5 @@ ifdef(`distro_gentoo',` # for /run/tmpfiles.d/kmod.conf tmpfiles_create_runtime_files(kmod_t) - filetrans_add_pattern(kmod_t, tmpfiles_runtime_t, kmod_tmpfiles_conf_t, file) + filetrans_add_pattern(kmod_t, tmpfiles_runtime_t, kmod_tmpfiles_conf_t, file) #selint-disable:W-001 ')
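Review bot: in the first corecommands.fc hunk, `/etc/portage/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)` pairs a directory-recursive pattern with the `--` (regular files only) qualifier, so the /etc/portage/bin directory itself keeps the portage_conf_t it inherits from `/etc/portage(/.*)?` in portage.fc and only the files inside it become bin_t. That is the same as the entry it replaces in portage.fc, so labelling is unchanged, but a one-line comment that the directory is intentionally left as portage configuration would stop the next reader from "fixing" the qualifier.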
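Review bot: the second corecommands.fc hunk is where the bin_t entries deleted from portage.fc, resolvconf.fc, mysql.fc and shorewall.fc land, so those four deletions are relocations rather than removals of labelling; the commit message "Fix selint issues" does not say this, and one sentence noting that bin_t contexts were consolidated into corecommands.fc would save anyone bisecting a relabel regression from reading all 33 files. One difference worth stating: mysql.fc and shorewall.fc had these inside their own `ifdef(`distro_gentoo',`` blocks, while portage.fc and resolvconf.fc had them unconditional; all are now Gentoo-only, which is fine for hardened-refpolicy but is a behaviour change for a non-Gentoo build of this tree.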
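Review bot: dropping `ephemeral_port_t` from `corenet_sctp_bind_generic_port` (and likewise in the `corenet_dontaudit_sctp_bind_generic_port` and `corenet_sctp_connect_generic_port` hunks) narrows what callers may bind or connect to, which is more than a lint fix if the type still exists. If it was removed from corenetwork.te.in earlier and the tcp/udp generic-port interfaces already lack it, say so in the commit message; otherwise any domain that bound SCTP ephemeral ports through these interfaces will start seeing denials. The third of these hunks also silently fixes the missing space in `unreserved_port_t,ephemeral_port_t`.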
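Review bot: the `corenet_sctp_recvfrom_unlabeled` hunk changes access, not style: the interface no longer calls `kernel_recvfrom_unlabeled_peer($1)` and no longer adds the caller to `corenet_unlabeled_type`, leaving only `kernel_sendrecv_unlabeled_association($1)`. Every domain using this interface loses the peer-level recv permission on unlabeled SCTP traffic. If `corenet_unlabeled_type` was dropped from corenetwork.te.in (so selint flagged the attribute), that explains the edit, but a domain that still needs `recvfrom` on unlabeled peers must now call `kernel_recvfrom_unlabeled_peer` itself; the commit message should call this out so the change is not mistaken for a cleanup.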
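Review bot: in the second mutt.if hunk, `allow $1 mutt_tmp_t:file rw_inherited_file_perms;` is a small widening of `{ read write }` rather than a pure rename: by analogy with the logging.if hunk, where the literal set `{ getattr append ioctl lock }` becomes `append_inherited_file_perms`, the rw variant adds getattr, ioctl and lock (and append) on top of read and write. It still omits `open`, which is the only thing the comment above the rule cares about, so the comment stays accurate. The pan.te and init.te hunks that adopt `rw_inherited_file_perms` and `rw_inherited_term_perms` are the same kind of change; since these are permission changes, not just macro hygiene, a line in the commit message would be appropriate.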
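Review bot: the snmp.if change from `snmp_var_lib_t` to `snmpd_var_lib_t` in `snmp_append_var_lib_files` is a functional fix, not a style one: if `snmp_var_lib_t` is not declared in snmp.te, the interface could never have been called without a build failure. It deserves its own line in the commit message, and a grep for callers would show whether any module that previously had to work around the broken interface can now use it.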
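Review bot: in libraries.fc the dropbox and firefox entries are added inside the `ifdef(`distro_gentoo',`` block (see the hunk header context), whereas in dropbox.fc and mozilla.fc they were unconditional; same remark as for corecommands.fc, fine for this tree but a behaviour change elsewhere. The `/opt/netscape/plugins/nppdf\.so` line is a whitespace-only change (the removed and added text are identical), which will show up in blame for no reason; either mention "whitespace" in the commit message or leave it out.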
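Review bot: in modutils.te, `#selint-disable:W-001` on `filetrans_add_pattern(kmod_t, tmpfiles_runtime_t, kmod_tmpfiles_conf_t, file)` suppresses the warning because modutils names `tmpfiles_runtime_t`, a type owned by the tmpfiles module, directly. The cleaner fix is a tmpfiles interface wrapping that filetrans (a hypothetical `tmpfiles_runtime_filetrans` taking the domain, target type and class), the way `tmpfiles_create_runtime_files(kmod_t)` on the line above avoids naming the type; if the suppression stays, a comment saying why, like the existing explanation above the S-001 suppression in the puppet.te hunk, would help.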