author | Sven Vermeulen <swift@gentoo.org> | 2017-04-10 18:58:05 +0200 |
committer | Sven Vermeulen <swift@gentoo.org> | 2017-04-10 18:58:05 +0200 |
commit | e4b056799a16ac4b3e00106baa3297b2862684a0 (patch) | |
tree | 9239e68eb085359663368fd9a401bd949dcbfb3d | |
parent | systemd-nspawn again (diff) | |
Backport "Misc fc changes from Russel Coker."
git apply failed, so this had to be done manually
-rw-r--r-- | policy/modules/kernel/corecommands.fc | 5 | ||||
-rw-r--r-- | policy/modules/kernel/corecommands.te | 2 | ||||
-rw-r--r-- | policy/modules/kernel/files.fc | 1 | ||||
-rw-r--r-- | policy/modules/kernel/files.te | 2 | ||||
-rw-r--r-- | policy/modules/kernel/terminal.fc | 4 | ||||
-rw-r--r-- | policy/modules/kernel/terminal.te | 2 | ||||
-rw-r--r-- | policy/modules/services/xserver.fc | 4 | ||||
-rw-r--r-- | policy/modules/services/xserver.te | 2 | ||||
-rw-r--r-- | policy/modules/system/init.fc | 5 | ||||
-rw-r--r-- | policy/modules/system/init.te | 2 | ||||
-rw-r--r-- | policy/modules/system/libraries.fc | 1 | ||||
-rw-r--r-- | policy/modules/system/libraries.te | 2 | ||||
-rw-r--r-- | policy/modules/system/lvm.fc | 2 | ||||
-rw-r--r-- | policy/modules/system/lvm.te | 2 | ||||
-rw-r--r-- | policy/modules/system/udev.fc | 1 | ||||
-rw-r--r-- | policy/modules/system/udev.te | 2 |
16 files changed, 29 insertions, 10 deletions
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 2b645e4d3..f86daaf75 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -153,6 +153,7 @@ ifdef(`distro_gentoo',`
 /usr/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/lib/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/postfix/configure-instance\.sh -- gen_context(system_u:object_r:bin_t,s0)
 /usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -160,6 +161,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/at-spi2-core(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/avahi/avahi-daemon-check-dns\.sh -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/dovecot/.+ gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -205,6 +207,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/selinux/hll/pp -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ssh(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
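Review bot: The added `/usr/lib/dovecot/.+` spec in the second hunk carries no file-type flag and overlaps the `/usr/lib/dovecot/(.*/)?lib.*\.so.* -- lib_t` entry that libraries.fc already has (visible as context in this commit's libraries.fc hunk), so dovecot's shared libraries match both a bin_t and a lib_t spec. Which label they get depends on setfiles' stem-length and file-order tie-breaking rather than on intent; presumably libraries.fc sorts later in the compiled file_contexts and lib_t wins, but that should be confirmed with matchpathcon on a dovecot library path. If the libraries are not meant to be bin_t, narrow the spec or add `--` so it only covers regular executables, and add a comment such as `# dovecot helper binaries; its libraries are labelled lib_t in libraries.fc`.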
@@ -266,6 +269,7 @@ ifdef(`distro_gentoo',`
 /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/share/mdadm/checkarray -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/share/ajaxterm/ajaxterm.py.* -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/ajaxterm/qweb.py.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -299,6 +303,7 @@ ifdef(`distro_gentoo',`
 /usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/PackageKit/pk-upgrade-distro\.sh -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/PackageKit/helpers(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/reportbug/handle_bugscript -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index 1f532aa3e..6f051a328 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.23.5)
+policy_module(corecommands, 1.23.6)
 ########################################
 #
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index 548d1e03b..e69a00252 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -215,6 +215,7 @@ HOME_ROOT/lost\+found/.* <<none>>
 ifdef(`distro_debian',`
 # on Debian /lib/init/rw is a tmpfs used like /run
 /usr/lib/init/rw(/.*)? gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
+/run/resolvconf(/.*)? -d gen_context(system_u:object_r:etc_t,s0)
 ')
 ifndef(`distro_redhat',`
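Review bot: In the files.fc hunk, `/run/resolvconf(/.*)? -d` labels only directories as etc_t, so the files resolvconf writes beneath it are not covered by any spec in this hunk and will presumably fall back to the generic /run label (var_run_t) on a relabel, or to whatever the creating domain's transition yields at runtime. If the intent is for the generated resolver configuration under /run/resolvconf to be readable by the domains that read etc_t, the regular files need a spec of their own; if the directory-only label is deliberate, say so. Either way the entry deserves a comment in the style of the line above it, e.g. `# on Debian resolvconf keeps its generated configuration under /run`.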
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 33c92c703..67be5c71c 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.23.9)
+policy_module(files, 1.23.10)
 ########################################
 #
diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
index 6657b048b..51199ac47 100644
--- a/policy/modules/kernel/terminal.fc
+++ b/policy/modules/kernel/terminal.fc
@@ -24,8 +24,10 @@
 /dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0)
 /dev/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
-/dev/pts/ptmx -c gen_context(system_u:object_r:devpts_t,s0)
 /dev/pts/[0-9]+ -c gen_context(system_u:object_r:user_devpts_t,s0)
+# if /dev/ptmx is a symlink to /dev/pts/ptmx then we need to have /dev/pts/ptmx
+# relabelled before sshd etc are ready to accept connections
+/dev/pts/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
 /dev/tts/[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index a1fca0dae..bf1e11ff2 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -1,4 +1,4 @@
-policy_module(terminal, 1.16.2)
+policy_module(terminal, 1.16.3)
 ########################################
 #
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index f9f541d40..201d28fa2 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -33,6 +33,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
 /etc/kde[34]?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0)
 /etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/etc/sddm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
@@ -66,6 +67,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
 /usr/bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/[xkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/sddm -- gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
 /usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0)
@@ -116,6 +118,7 @@ ifndef(`distro_debian',`
 /var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
 /var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
 /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
+/var/lib/sddm(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
 /var/log/[kwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/lightdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
@@ -125,6 +128,7 @@ ifndef(`distro_debian',`
 /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+/run/sddm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
 /run/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
 /run/gdm(3)?\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
 /run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
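Review bot: In the third hunk, `/var/lib/sddm(/.*)?` is given `xkb_var_lib_t`, the type of the keyboard-map cache on the line above it, while the other display-manager state directories two lines up (`/var/lib/lxdm`, `/var/lib/[xkw]dm`) and this commit's own `/run/sddm` and `/usr/bin/sddm` entries all use the xdm types; this reads like a copy of the xkb line rather than a deliberate choice. With that label the xdm domain's rules for xdm_var_lib_t do not apply to sddm's state directory, and whatever domains are allowed to read xkb data also read sddm's state. The line should be `/var/lib/sddm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)` unless there is a reason for the exception, in which case a comment explaining it belongs on the line.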
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 5750e14ea..a692f7a21 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.13.5)
+policy_module(xserver, 3.13.6)
 gen_require(`
 class x_drawable all_x_drawable_perms;
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index d39bdee62..49c847729 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -38,7 +38,6 @@ ifdef(`distro_gentoo', `
 /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
-/usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
 /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
@@ -65,6 +64,10 @@ ifdef(`distro_gentoo', `
 ifdef(`distro_debian',`
 /run/hotkey-setup -- gen_context(system_u:object_r:initrc_var_run_t,s0)
 /run/kdm/.* -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+/etc/network/if-pre-up\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/network/if-up\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/network/if-down\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/network/if-post-down\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
 ')
 ifdef(`distro_gentoo', `
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a0a1723c3..aed3e65a4 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.2.14)
+policy_module(init, 2.2.15)
 gen_require(`
 class passwd rootok;
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 1bac96596..f174ab68d 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -105,6 +105,7 @@ ifdef(`distro_debian',`
 /usr/(.*/)?dh-python/dh_pypy -- gen_context(system_u:object_r:lib_t,s0)
 ')
+/usr/lib/postfix/lib.*so.* -- gen_context(system_u:object_r:lib_t,s0)
 /usr/lib/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/dovecot/(.*/)?lib.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index bf5a9b638..a4e2764d3 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -1,4 +1,4 @@
-policy_module(libraries, 2.14.1)
+policy_module(libraries, 2.14.2)
 ########################################
 #
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
index e9e7882e4..d2f755f2a 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
@@ -46,6 +46,7 @@ ifdef(`distro_gentoo',`
 /usr/sbin/lvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/lvextend -- gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/usr/sbin/lvmetad -- gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/lvm\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/lvmchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/lvmdiskscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -97,6 +98,7 @@ ifdef(`distro_gentoo',`
 /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
 /run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0)
 /run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
+/run/lvm(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0)
 ifdef(`distro_gentoo',`
 # Bug 529430 comment 7
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 59cb1ba57..977a374ba 100644
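Review bot: The new postfix spec writes `lib.*so.*` with an unescaped dot, unlike the `\.so` used by the three neighbouring entries in the same hunk, so the pattern matches any file under /usr/lib/postfix whose name starts with `lib` and contains the letters `so` anywhere, not just shared objects. The line should read `/usr/lib/postfix/lib.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)` to match the surrounding style and intent. It is also placed directly after the `')` closing the distro_debian block; a blank line between them would keep the file's block separation readable.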
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,4 +1,4 @@
-policy_module(lvm, 1.19.6)
+policy_module(lvm, 1.19.7)
 ########################################
 #
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 709d83308..0e433bed8 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -38,6 +38,7 @@ ifdef(`distro_redhat',`
 /run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
 ifdef(`distro_debian',`
+/run/console-setup(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
 /run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0)
 ')
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 18b0e29c2..f115d9f85 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.21.5)
+policy_module(udev, 1.21.6)
 ########################################
 #