commit: 76008658e98058de115d4353bedb6177c79c371a Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au> AuthorDate: Wed Aug 27 18:06:40 2025 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Tue Sep 2 22:07:41 2025 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=76008658
justthefcerror (#1005) * Patch with just the fc change the checks don't like * A bunch of other small fc changes --------- Signed-off-by: Russell Coker <russell <AT> coker.com.au> Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> policy/modules/apps/evolution.fc | 1 + policy/modules/apps/wm.fc | 2 ++ policy/modules/kernel/corecommands.fc | 8 ++++++++ policy/modules/kernel/files.fc | 3 ++- policy/modules/services/dnsmasq.fc | 2 +- policy/modules/services/networkmanager.fc | 1 - policy/modules/system/authlogin.fc | 1 + policy/modules/system/libraries.fc | 4 ++++ 8 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/policy/modules/apps/evolution.fc b/policy/modules/apps/evolution.fc
index 7f5e89806..d8994bb79 100644
--- a/policy/modules/apps/evolution.fc
+++ b/policy/modules/apps/evolution.fc
@@ -14,4 +14,5 @@ HOME_DIR/\.local/share/camel_certs(/.*)? gen_context(system_u:object_r:evolution
 /usr/libexec/evolution/.*evolution-alarm-notify.* -- gen_context(system_u:object_r:evolution_alarm_exec_t,s0)
 /usr/libexec/evolution/.*evolution-exchange-storage.* -- gen_context(system_u:object_r:evolution_exchange_exec_t,s0)
 /usr/libexec/evolution-data-server.* -- gen_context(system_u:object_r:evolution_server_exec_t,s0)
+/usr/libexec/evolution-data-server/evolution-alarm-notify -- gen_context(system_u:object_r:evolution_alarm_exec_t,s0)
 /usr/libexec/evolution-webcal.* -- gen_context(system_u:object_r:evolution_webcal_exec_t,s0)
diff --git a/policy/modules/apps/wm.fc b/policy/modules/apps/wm.fc
index a9e34459d..230e5a3c8 100644
--- a/policy/modules/apps/wm.fc
+++ b/policy/modules/apps/wm.fc
@@ -1,6 +1,8 @@
 /usr/bin/gnome-shell -- gen_context(system_u:object_r:wm_exec_t,s0)
 /usr/bin/openbox -- gen_context(system_u:object_r:wm_exec_t,s0)
 /usr/bin/kwin_((wayland)|(x11)) -- gen_context(system_u:object_r:wm_exec_t,s0)
+/usr/bin/maliit-keyboard -- gen_context(system_u:object_r:wm_exec_t,s0)
 /usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0)
 /usr/bin/mutter -- gen_context(system_u:object_r:wm_exec_t,s0)
+/usr/bin/phoc -- gen_context(system_u:object_r:wm_exec_t,s0)
 /usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index d0d9b6454..9bd47bfdd 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -43,6 +43,8 @@ ifdef(`distro_redhat',`
 /etc/cron\.monthly(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /etc/dhcp/dhclient\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/etc/dhcp/dhclient-enter-hooks\.d(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+/etc/dhcp/dhclient-exit-hooks\.d(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
 /etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0)
 /etc/hotplug/.*rc -- gen_context(system_u:object_r:bin_t,s0)
@@ -105,6 +107,10 @@ ifdef(`distro_redhat',`
 /etc/wpa_supplicant/wpa_cli\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/etc/wide-dhcpv6/dhcp6c-ifupdown -- gen_context(system_u:object_r:bin_t,s0)
+/etc/wide-dhcpv6/dhcp6c-script -- gen_context(system_u:object_r:bin_t,s0)
+/etc/wpa_supplicant/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
+
 /etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0)
 /etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0)
 /etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0)
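Review bot: In wm.fc, `/usr/bin/maliit-keyboard` is an on-screen keyboard rather than a window manager, yet the added entry gives it `wm_exec_t`, so it would presumably run with everything the wm domain is allowed. A short `#` comment above the entry stating why it shares the window-manager label would record the intent; if sharing is only a convenience, a dedicated type is the tighter choice. The wm.te rules are not part of this diff, so the resulting permissions cannot be checked from here.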
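Review bot: The two dhclient hook entries added to corecommands.fc carry the `--` file-type field, so only regular files under `dhclient-enter-hooks.d` and `dhclient-exit-hooks.d` become `bin_t` and the directories keep whatever label they have now. A hook script created later inherits the directory's type until it is relabelled, unlike the neighbouring `/etc/dhcp/dhclient\.d(/.*)?` entry, which has no file-type field and labels the directory as well. Either drop `--` to match that entry, or add a comment such as `# regular files only: relabel after adding a hook script`.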
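Review bot: The added `/etc/wpa_supplicant/.*\.sh` entry makes the existing `/etc/wpa_supplicant/wpa_cli\.sh` line at the top of the same hunk redundant, and because `.*` also matches `/`, a `.sh` file at any depth below that directory is labelled `bin_t`. If only scripts directly in the directory are meant, `/etc/wpa_supplicant/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)` says so, and the `wpa_cli\.sh` line can then be removed.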
@@ -175,6 +181,7 @@ ifdef(`distro_gentoo',`
 /usr/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/lib/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/(.*/)?glib-2\.0(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/postfix/configure-instance\.sh -- gen_context(system_u:object_r:bin_t,s0)
 /usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -228,6 +235,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/mon/alert\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/NetworkManager/dispatcher\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/NetworkManager/nm-.* -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/networkmanager/nm-.* -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index a2ba6c7be..aa27e5343 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -242,6 +242,8 @@ ifndef(`distro_redhat',`
 /var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
+/var/lib/dkms(/.*)? gen_context(system_u:object_r:src_t,s0)
+
 /var/lib/nfs/rpc_pipefs(/.*)? <<none>>
 /var/lock -d gen_context(system_u:object_r:var_lock_t,s0-mls_systemhigh)
@@ -261,7 +263,6 @@ ifndef(`distro_redhat',`
 /var/run -l gen_context(system_u:object_r:var_run_t,s0)
 /var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0)
-/var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
 /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
 /var/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
diff --git a/policy/modules/services/dnsmasq.fc b/policy/modules/services/dnsmasq.fc
index 04e45e57a..281501cab 100644
--- a/policy/modules/services/dnsmasq.fc
+++ b/policy/modules/services/dnsmasq.fc
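Review bot: `/usr/lib/(.*/)?glib-2\.0(/.*)?` in corecommands.fc has no file-type field and a leading `(.*/)?`, so every file and directory below any `glib-2.0` directory under /usr/lib becomes `bin_t`, not only the helper programs. On multiarch layouts that directory can also hold non-executable content such as headers, which would presumably stop getting the generic library label. Consider adding `--` and narrowing the pattern to the programs it is meant to cover, or at least a comment naming them.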
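Review bot: Adding `/usr/lib/NetworkManager/dispatcher\.d(/.*)?` as `bin_t` in corecommands.fc, together with the removal of the `NetworkManager_initrc_exec_t` entry in networkmanager.fc, changes more than the label: the scripts no longer have an entrypoint type of their own, so they presumably run in the domain of whatever executes them instead of transitioning. The new entry also drops the `--` field the removed one had, so the directory itself is now `bin_t`. A comment such as `# dispatcher scripts run in the caller's domain, no transition` would make the intent explicit, and the .te side, which is not part of this diff, should be checked for a rule that lets the dispatcher execute `bin_t`.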
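Review bot: `/var/lib/dkms(/.*)?` in files.fc labels the whole tree `src_t`, which covers more than source: dkms also writes its build output there, and as far as I know its default configuration keeps the module-signing key pair in the same directory. Any domain allowed to read `src_t` could then read that private key, so it is worth checking which domains have that access or adding a narrower entry for the key file with a more restrictive type. A comment stating that build products are intentionally `src_t` would also help.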
@@ -13,7 +13,7 @@
 /usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
-/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+/var/lib/misc/dnsmasq\.([a-z0-9]+\.)?leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
 /var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0)
 /var/log/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc
index 17d31cbf5..b0542972c 100644
--- a/policy/modules/services/networkmanager.fc
+++ b/policy/modules/services/networkmanager.fc
@@ -15,7 +15,6 @@
 /etc/wicd/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
 /etc/wicd/wired-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
-/usr/lib/NetworkManager/dispatcher\.d(/.*)? -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
 /usr/lib/NetworkManager/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
 /usr/lib/networkmanager/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
 /usr/libexec/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index eca178a2e..9712f0f87 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -51,6 +51,7 @@ ifdef(`distro_gentoo',`
 /var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
 /var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+/var/lib/wtmpdb(/.*)? gen_context(system_u:object_r:faillog_t,s0)
 /var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0)
 /var/log/faillog -- gen_context(system_u:object_r:faillog_t,s0)
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index b5491aa8a..8436eb058 100644
--- a/policy/modules/system/libraries.fc
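Review bot: The optional middle component in `dnsmasq\.([a-z0-9]+\.)?leases` accepts only lower-case letters and digits. If that component is an interface or instance name, names containing `-`, `_` or upper-case letters will not match, and the lease file falls back to the generic `/var/lib(/.*)?` label, which dnsmasq is presumably not allowed to write. `([^/.]+\.)?` would cover those names while still staying within one path component.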
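Review bot: `/var/lib/wtmpdb(/.*)?` in authlogin.fc gets `faillog_t`, the type the context lines below it use for `btmp` and `faillog`, although wtmpdb, as far as I know, holds the login history that wtmp used to hold rather than failed-login counters. With this label every domain that may write failed-login records can presumably also rewrite the login history, which matters for audit integrity. If a wtmp-style type such as refpolicy's `wtmp_t` cannot be used here, a comment above the entry stating why `faillog_t` was chosen would help the next reader.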
+++ b/policy/modules/system/libraries.fc
@@ -43,9 +43,13 @@ ifdef(`distro_redhat',`
 /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
+/opt/brother/scanner/brscan5/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
 /opt/google/chrome/libudev\.so\.0 gen_context(system_u:object_r:lib_t,s0)
 /opt/google/chrome-beta/libudev\.so\.0 gen_context(system_u:object_r:lib_t,s0)
 /opt/google/chrome-unstable/libudev\.so\.0 gen_context(system_u:object_r:lib_t,s0)
+/opt/google/chrome/libvulkan\.so\.1 gen_context(system_u:object_r:lib_t,s0)
+/opt/google/chrome-beta/libvulkan\.so\.1 gen_context(system_u:object_r:lib_t,s0)
+/opt/google/chrome-unstable/libvulkan\.so\.1 gen_context(system_u:object_r:lib_t,s0)
 /opt/openoffice4/program/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
