commit:     e4b056799a16ac4b3e00106baa3297b2862684a0
Author:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Mon Apr 10 16:58:05 2017 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Apr 10 16:58:05 2017 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e4b05679

Backport "Misc fc changes from Russel Coker."

git apply failed so had to do this manually

 policy/modules/kernel/corecommands.fc | 5 +++++
 policy/modules/kernel/corecommands.te | 2 +-
 policy/modules/kernel/files.fc        | 1 +
 policy/modules/kernel/files.te        | 2 +-
 policy/modules/kernel/terminal.fc     | 4 +++-
 policy/modules/kernel/terminal.te     | 2 +-
 policy/modules/services/xserver.fc    | 4 ++++
 policy/modules/services/xserver.te    | 2 +-
 policy/modules/system/init.fc         | 5 ++++-
 policy/modules/system/init.te         | 2 +-
 policy/modules/system/libraries.fc    | 1 +
 policy/modules/system/libraries.te    | 2 +-
 policy/modules/system/lvm.fc          | 2 ++
 policy/modules/system/lvm.te          | 2 +-
 policy/modules/system/udev.fc         | 1 +
 policy/modules/system/udev.te         | 2 +-
 16 files changed, 29 insertions(+), 10 deletions(-)

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index 2b645e4d..f86daaf7 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -153,6 +153,7 @@ ifdef(`distro_gentoo',`
 /usr/bin/zsh.*                 --      
gen_context(system_u:object_r:shell_exec_t,s0)
 
 /usr/lib/(.*/)?bin(/.*)?               gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/postfix/configure-instance\.sh        --      
gen_context(system_u:object_r:bin_t,s0)
 
 /usr/(.*/)?sbin(/.*)?                  gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/(.*/)?sbin(/.*)?              gen_context(system_u:object_r:bin_t,s0)
@@ -160,6 +161,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/at-spi2-core(/.*)?            gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/avahi/avahi-daemon-check-dns\.sh      --      
gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ccache/bin(/.*)?              gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/dovecot/.+                    gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/fence(/.*)?                   gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/pgsql/test/regress/.*\.sh --  gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/qt.*/bin(/.*)?                        
gen_context(system_u:object_r:bin_t,s0)
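Review bot: The added `/usr/lib/dovecot/.+` entry has no file-type specifier, so it labels every object below that directory as `bin_t`, subdirectories and any non-executable files included. If only the helper executables are meant, `/usr/lib/dovecot/.+ -- gen_context(system_u:object_r:bin_t,s0)` would leave directories on their default type. The shared objects under the same path are presumably still expected to get `lib_t` from the `/usr/lib/dovecot/(.*/)?lib.*\.so.*` entry in libraries.fc, which depends on how the two patterns are ordered at match time. A one-line comment above the new entry saying so would help the next reader.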
@@ -205,6 +207,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/rpm/rpmq              --      gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/rpm/rpmv              --      gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/security/pam_krb5/pam_krb5_storetmp -- 
gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/selinux/hll/pp                --      
gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sftp-server           --      gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ssh(/.*)?                     gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sudo/sesh             --      
gen_context(system_u:object_r:shell_exec_t,s0)
@@ -266,6 +269,7 @@ ifdef(`distro_gentoo',`
 /usr/sbin/sesh                 --      
gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/sbin/smrsh                        --      
gen_context(system_u:object_r:shell_exec_t,s0)
 
+/usr/share/mdadm/checkarray    --      gen_context(system_u:object_r:bin_t,s0)
 /usr/share/(.*/)?bin(/.*)?             gen_context(system_u:object_r:bin_t,s0)
 /usr/share/ajaxterm/ajaxterm.py.* --   gen_context(system_u:object_r:bin_t,s0)
 /usr/share/ajaxterm/qweb.py.* --       gen_context(system_u:object_r:bin_t,s0)
@@ -299,6 +303,7 @@ ifdef(`distro_gentoo',`
 /usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/PackageKit/pk-upgrade-distro\.sh --         
gen_context(system_u:object_r:bin_t,s0)
 /usr/share/PackageKit/helpers(/.*)?    gen_context(system_u:object_r:bin_t,s0)
+/usr/share/reportbug/handle_bugscript  --      
gen_context(system_u:object_r:bin_t,s0)
 /usr/share/sandbox/sandboxX.sh --      gen_context(system_u:object_r:bin_t,s0)
 /usr/share/sectool/.*\.py      --      gen_context(system_u:object_r:bin_t,s0)
 /usr/share/selinux/devel/policygentool -- 
gen_context(system_u:object_r:bin_t,s0)

diff --git a/policy/modules/kernel/corecommands.te 
b/policy/modules/kernel/corecommands.te
index 1f532aa3..6f051a32 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.23.5)
+policy_module(corecommands, 1.23.6)
 
 ########################################
 #

diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index 548d1e03..e69a0025 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -215,6 +215,7 @@ HOME_ROOT/lost\+found/.*    <<none>>
 ifdef(`distro_debian',`
 # on Debian /lib/init/rw is a tmpfs used like /run
 /usr/lib/init/rw(/.*)?         
gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
+/run/resolvconf(/.*)?  -d      gen_context(system_u:object_r:etc_t,s0)
 ')
 
 ifndef(`distro_redhat',`
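Review bot: The new `/run/resolvconf(/.*)? -d` entry carries the `-d` specifier, so it labels only directories at or below that path as `etc_t`; regular files that `(/.*)?` would otherwise match are not covered by it. Whether that is intended cannot be told from the hunk. If the files written there should be `etc_t` too, drop the specifier; if they are meant to get their type at creation, a comment such as `# only the directories are labelled here; files get their type at creation` would record that. The entry also sits directly under the `/lib/init/rw` comment, which does not describe it, so a blank line or its own comment would avoid the misreading.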

diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 33c92c70..67be5c71 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.23.9)
+policy_module(files, 1.23.10)
 
 ########################################
 #

diff --git a/policy/modules/kernel/terminal.fc 
b/policy/modules/kernel/terminal.fc
index 6657b048..51199ac4 100644
--- a/policy/modules/kernel/terminal.fc
+++ b/policy/modules/kernel/terminal.fc
@@ -24,8 +24,10 @@
 /dev/pty/.*            -c      
gen_context(system_u:object_r:bsdpty_device_t,s0)
 
 /dev/pts               -d      
gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
-/dev/pts/ptmx          -c      gen_context(system_u:object_r:devpts_t,s0)
 /dev/pts/[0-9]+                -c      
gen_context(system_u:object_r:user_devpts_t,s0)
+# if /dev/ptmx is a symlink to /dev/pts/ptmx then we need to have /dev/pts/ptmx
+# relabelled before sshd etc are ready to accept connections
+/dev/pts/ptmx          -c      gen_context(system_u:object_r:ptmx_t,s0)
 
 /dev/tts/[^/]*         -c      gen_context(system_u:object_r:tty_device_t,s0)
 

diff --git a/policy/modules/kernel/terminal.te 
b/policy/modules/kernel/terminal.te
index a1fca0da..bf1e11ff 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -1,4 +1,4 @@
-policy_module(terminal, 1.16.2)
+policy_module(terminal, 1.16.3)
 
 ########################################
 #

diff --git a/policy/modules/services/xserver.fc 
b/policy/modules/services/xserver.fc
index f9f541d4..201d28fa 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -33,6 +33,7 @@ HOME_DIR/\.Xauthority.*       --      
gen_context(system_u:object_r:xauth_home_t,s0)
 /etc/kde[34]?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0)
 
 /etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/etc/sddm/Xsession     --      
gen_context(system_u:object_r:xsession_exec_t,s0)
 
 /etc/X11/[wx]dm/Xreset.* --    
gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/X11/[wxg]dm/Xsession --   
gen_context(system_u:object_r:xsession_exec_t,s0)
@@ -66,6 +67,7 @@ HOME_DIR/\.Xauthority.*       --      
gen_context(system_u:object_r:xauth_home_t,s0)
 /usr/bin/gdm-binary    --      gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/lxdm(-binary)? --     gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/[xkw]dm       --      gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/sddm          --      gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/gpe-dm                --      
gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/iceauth       --      gen_context(system_u:object_r:iceauth_exec_t,s0)
 /usr/bin/slim          --      gen_context(system_u:object_r:xdm_exec_t,s0)
@@ -116,6 +118,7 @@ ifndef(`distro_debian',`
 /var/lib/lxdm(/.*)?            gen_context(system_u:object_r:xdm_var_lib_t,s0)
 /var/lib/[xkw]dm(/.*)?         gen_context(system_u:object_r:xdm_var_lib_t,s0)
 /var/lib/xkb(/.*)?             gen_context(system_u:object_r:xkb_var_lib_t,s0)
+/var/lib/sddm(/.*)?            gen_context(system_u:object_r:xkb_var_lib_t,s0)
 
 /var/log/[kwx]dm\.log.*        --      
gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/lightdm(/.*)?         gen_context(system_u:object_r:xserver_log_t,s0)
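Review bot: `/var/lib/sddm(/.*)?` is given `xkb_var_lib_t`, the type of the `/var/lib/xkb` line directly above it, while the other display-manager state directories in this hunk (`/var/lib/lxdm`, `/var/lib/[xkw]dm`) use `xdm_var_lib_t`. This looks like a copy-paste slip; if so, the line should read `/var/lib/sddm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)`. As written, sddm's state would fall under whatever rules cover XKB data rather than those for display-manager state. The .te rules are not visible here, so the exact effect needs checking against xserver.te.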
@@ -125,6 +128,7 @@ ifndef(`distro_debian',`
 /var/log/XFree86.*     --      gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/Xorg.*                --      
gen_context(system_u:object_r:xserver_log_t,s0)
 
+/run/sddm(/.*)?                        
gen_context(system_u:object_r:xdm_var_run_t,s0)
 /run/gdm(3)?(/.*)?             gen_context(system_u:object_r:xdm_var_run_t,s0)
 /run/gdm(3)?\.pid      --      gen_context(system_u:object_r:xdm_var_run_t,s0)
 /run/xdm\.pid  --      gen_context(system_u:object_r:xdm_var_run_t,s0)

diff --git a/policy/modules/services/xserver.te 
b/policy/modules/services/xserver.te
index 5750e14e..a692f7a2 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.13.5)
+policy_module(xserver, 3.13.6)
 
 gen_require(`
        class x_drawable all_x_drawable_perms;

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index d39bdee6..49c84772 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -38,7 +38,6 @@ ifdef(`distro_gentoo', `
 /usr/libexec/dcc/start-.* --   gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/libexec/dcc/stop-.* --    gen_context(system_u:object_r:initrc_exec_t,s0)
 
-/usr/sbin/apachectl    --      gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/sbin/init(ng)?    --      gen_context(system_u:object_r:init_exec_t,s0)
 /usr/sbin/open_init_pty        --      
gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/sbin/upstart      --      gen_context(system_u:object_r:init_exec_t,s0)
@@ -65,6 +64,10 @@ ifdef(`distro_gentoo', `
 ifdef(`distro_debian',`
 /run/hotkey-setup      --      
gen_context(system_u:object_r:initrc_var_run_t,s0)
 /run/kdm/.*            --      
gen_context(system_u:object_r:initrc_var_run_t,s0)
+/etc/network/if-pre-up\.d/.*   --      
gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/network/if-up\.d/.*       --      
gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/network/if-down\.d/.*     --      
gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/network/if-post-down\.d/.*        --      
gen_context(system_u:object_r:initrc_exec_t,s0)
 ')
 
 ifdef(`distro_gentoo', `
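Review bot: The four added `/etc/network/if-*.d/.*` entries label every regular file in those hook directories `initrc_exec_t`, and nothing in the hunk records why. That type is normally an entry point into the init script domain, so a comment above them, for example `# ifupdown hook scripts, presumably run from the networking init script`, would make the intent reviewable. The four lines differ only in the directory name and could be written once as `/etc/network/if-(pre-up|up|down|post-down)\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)`.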

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a0a1723c..aed3e65a 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.2.14)
+policy_module(init, 2.2.15)
 
 gen_require(`
        class passwd rootok;

diff --git a/policy/modules/system/libraries.fc 
b/policy/modules/system/libraries.fc
index 1bac9659..f174ab68 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -105,6 +105,7 @@ ifdef(`distro_debian',`
 /usr/(.*/)?dh-python/dh_pypy           --      
gen_context(system_u:object_r:lib_t,s0)
 ')
 
+/usr/lib/postfix/lib.*so.*             --      
gen_context(system_u:object_r:lib_t,s0)
 /usr/lib/altivec/libavcodec\.so(\.[^/]*)* --   
gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/cedega/.+\.so(\.[^/]*)*       --      
gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/dovecot/(.*/)?lib.*\.so.*      --      
gen_context(system_u:object_r:lib_t,s0)
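Review bot: The added pattern `/usr/lib/postfix/lib.*so.*` has no literal `\.` before `so`, so it matches any regular file in that directory whose name starts with `lib` and contains `so` anywhere, not only shared objects. The dovecot entry two lines below expresses the same intent as `lib.*\.so.*`; writing the new line as `/usr/lib/postfix/lib.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)` would be consistent with it. The new line is also placed ahead of `/usr/lib/altivec`, outside the alphabetical order the neighbouring entries follow.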

diff --git a/policy/modules/system/libraries.te 
b/policy/modules/system/libraries.te
index bf5a9b63..a4e2764d 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -1,4 +1,4 @@
-policy_module(libraries, 2.14.1)
+policy_module(libraries, 2.14.2)
 
 ########################################
 #

diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
index e9e7882e..d2f755f2 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
@@ -46,6 +46,7 @@ ifdef(`distro_gentoo',`
 /usr/sbin/lvdisplay            --      
gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/lvextend             --      
gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/lvm                  --      
gen_context(system_u:object_r:lvm_exec_t,s0)
+/usr/sbin/lvmetad              --      
gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/lvm\.static          --      
gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/lvmchange            --      
gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/lvmdiskscan          --      
gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -97,6 +98,7 @@ ifdef(`distro_gentoo',`
 /var/lock/lvm(/.*)?                    
gen_context(system_u:object_r:lvm_lock_t,s0)
 /run/multipathd\.sock          -s      
gen_context(system_u:object_r:lvm_var_run_t,s0)
 /run/dmevent.*                         
gen_context(system_u:object_r:lvm_var_run_t,s0)
+/run/lvm(/.*)?                         
gen_context(system_u:object_r:lvm_var_run_t,s0)
 
 ifdef(`distro_gentoo',`
 # Bug 529430 comment 7

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 59cb1ba5..977a374b 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,4 +1,4 @@
-policy_module(lvm, 1.19.6)
+policy_module(lvm, 1.19.7)
 
 ########################################
 #

diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 709d8330..0e433bed 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -38,6 +38,7 @@ ifdef(`distro_redhat',`
 /run/udev(/.*)?        gen_context(system_u:object_r:udev_var_run_t,s0)
 
 ifdef(`distro_debian',`
+/run/console-setup(/.*)?       gen_context(system_u:object_r:udev_var_run_t,s0)
 /run/xen-hotplug -d    gen_context(system_u:object_r:udev_var_run_t,s0)
 ')
 

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 18b0e29c..f115d9f8 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.21.5)
+policy_module(udev, 1.21.6)
 
 ########################################
 #
