commit: a3557731110822effbdd433dffe24c3fbacdc9d8
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 6 08:55:58 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Aug 6 18:08:37 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a3557731
Comment out seutil_relabelto_bin_policy We comment out the use of the seutil_relabelto_bin_policy call in the files_relabel_non_auth_files interface. This allows us to set this interface in a tunable statement, like so: seutil_relabelto_bin_policy(foo_t) tunable_policy(`foo_relabel_non_auth_files',` files_relabel_non_auth_files(foo_t) ') In larger entries, this allows us to have a minimalistic policy (a domain only allowed to manage and relabel a certain set of file types) and, through a boolean, enable it to manage and relabel a larger set of types. --- policy/modules/kernel/files.if | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 3f20525..ca278d5 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1445,7 +1445,9 @@ interface(`files_relabel_non_auth_files',` relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type) # satisfy the assertions: - seutil_relabelto_bin_policy($1) + # seutil_relabelto_bin_policy($1) + # Gentoo: this is removed as we do not want to set attributes in this phase, we want + # to allow files_relabel_non_auth_files to be an optional setting (tunable). ')
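Review bot: the `# satisfy the assertions:` comment left directly above the commented-out `seutil_relabelto_bin_policy($1)` now describes a call that no longer happens, and the hunk does not touch the interface's own doc comment (not shown in the hunk) to record that callers must add `seutil_relabelto_bin_policy()` themselves; the commit message shows that pairing, but files.if is where a policy writer will look. Suggest replacing the stale line with something like `# callers must add seutil_relabelto_bin_policy() themselves to satisfy the assertions` and stating the requirement in the interface documentation. Because that call was the part of this interface that satisfied the assertion, every existing caller of `files_relabel_non_auth_files` in the tree should be checked for the companion call before this lands, or those modules will trip the assertion the removed line was there to satisfy.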