* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/system/, policy/modules/kernel/, config/
@ 2012-07-28 17:16 Sven Vermeulen
From: Sven Vermeulen @ 2012-07-28 17:16 UTC (permalink / raw
  To: gentoo-commits

commit:     76b3291b930ec82390379af834b9dda2dbfb4e96
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jul 28 17:16:08 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Jul 28 17:16:08 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=76b3291b

Support for /usr/local

---
 config/file_contexts.subs_dist        |    2 +
 policy/modules/contrib/inetd.fc       |    2 +-
 policy/modules/contrib/java.fc        |    3 --
 policy/modules/contrib/java.te        |    3 +-
 policy/modules/contrib/kerberos.fc    |    8 +++---
 policy/modules/contrib/lpd.fc         |    4 +-
 policy/modules/kernel/corecommands.fc |    9 ++++---
 policy/modules/kernel/files.fc        |    9 --------
 policy/modules/system/ipsec.fc        |    5 ----
 policy/modules/system/libraries.fc    |   34 +++++++++++++++-----------------
 policy/modules/system/miscfiles.fc    |    5 ----
 policy/modules/system/unconfined.fc   |    2 +-
 12 files changed, 33 insertions(+), 53 deletions(-)

diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
index d14c538..34ae155 100644
--- a/config/file_contexts.subs_dist
+++ b/config/file_contexts.subs_dist
@@ -5,4 +5,6 @@
 /usr/lib32 /usr/lib
 /usr/lib64 /usr/lib
 /usr/local /usr
+/usr/local/lib64 /usr/lib
+/usr/local/lib32 /usr/lib
 /var/run/lock /var/lock
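Review bot: The two added prefixes are already covered by the `/usr/local /usr` line directly above them, so the result depends on which entry libselinux tries first. As far as I know only one substitution is applied per lookup, so if `/usr/local` wins, a path under /usr/local/lib64 is rewritten to /usr/lib64 rather than /usr/lib and the new lines never take effect. Confirm with `matchpathcon` on a path under /usr/local/lib64 and /usr/local/lib32 that it gets the same context as its /usr/lib equivalent, and record the ordering requirement in the commit message.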

diff --git a/policy/modules/contrib/inetd.fc b/policy/modules/contrib/inetd.fc
index 39d5baa..6107467 100644
--- a/policy/modules/contrib/inetd.fc
+++ b/policy/modules/contrib/inetd.fc
@@ -1,7 +1,7 @@
+/usr/lib/pysieved/pysieved.*\.py -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
 
 /usr/sbin/identd	--	gen_context(system_u:object_r:inetd_child_exec_t,s0)
 /usr/sbin/in\..*d	--	gen_context(system_u:object_r:inetd_child_exec_t,s0)
-/usr/local/lib/pysieved/pysieved.*\.py -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
 
 /usr/sbin/inetd		--	gen_context(system_u:object_r:inetd_exec_t,s0)
 /usr/sbin/rlinetd	--	gen_context(system_u:object_r:inetd_exec_t,s0)
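Review bot: The pysieved entry now names only `/usr/lib/pysieved`, so the /usr/local/lib install it was written for keeps `inetd_child_exec_t` solely through the `/usr/local /usr` line in file_contexts.subs_dist. That dependency is invisible from this file; a comment such as `# /usr/local/lib/pysieved is covered by the /usr/local substitution in file_contexts.subs_dist` above the entry would record it. The same applies to the rewritten paths in kerberos.fc (`/usr/var/krb5kdc`, which carries `krb5kdc_principal_t`), lpd.fc, corecommands.fc, libraries.fc and unconfined.fc. The later message in this thread removes that substitution and its diffstat does not list inetd.fc, so this entry appears to stay in the `/usr/lib` form.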

diff --git a/policy/modules/contrib/java.fc b/policy/modules/contrib/java.fc
index bc1a419..2212e30 100644
--- a/policy/modules/contrib/java.fc
+++ b/policy/modules/contrib/java.fc
@@ -3,7 +3,6 @@
 #
 /opt/(.*/)?bin/java[^/]*	--	gen_context(system_u:object_r:java_exec_t,s0)
 /opt/ibm/java.*/(bin|javaws)(/.*)? --	gen_context(system_u:object_r:java_exec_t,s0)
-/opt/local/matlab.*/bin.*/MATLAB.* --	gen_context(system_u:object_r:java_exec_t,s0)
 /opt/matlab.*/bin.*/MATLAB.*	--	gen_context(system_u:object_r:java_exec_t,s0)
 
 #
@@ -28,8 +27,6 @@
 /usr/lib/opera(/.*)?/opera	--	gen_context(system_u:object_r:java_exec_t,s0)
 /usr/lib/opera(/.*)?/works	--	gen_context(system_u:object_r:java_exec_t,s0)
 
-/usr/local/matlab.*/bin.*/MATLAB.* --	gen_context(system_u:object_r:java_exec_t,s0)
-
 /usr/matlab.*/bin.*/MATLAB.*	--	gen_context(system_u:object_r:java_exec_t,s0)
 
 ifdef(`distro_redhat',`

diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index f59610c..20f3477 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -45,7 +45,7 @@ allow java_t self:fifo_file rw_fifo_file_perms;
 # For java browser plugin accessing internet resources?
 allow java_t self:netlink_route_socket create_netlink_socket_perms; 
 allow java_t self:sem create_sem_perms;
-allow java_t self:tcp_socket create_socket_perms;
+allow java_t self:tcp_socket create_stream_socket_perms;
 allow java_t self:udp_socket create_socket_perms;
 
 manage_dirs_pattern(java_t, java_home_t, java_home_t)
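Review bot: Changing java_t's `tcp_socket` rule from `create_socket_perms` to `create_stream_socket_perms` widens the domain and has nothing to do with the commit's subject, "Support for /usr/local". In refpolicy the stream set adds `listen` and `accept` to the base set, so java_t can now act as a TCP server, and nothing in the hunk or the message says why. Put a comment above the rule, e.g. `# listen/accept needed for <reason>`, or move the change to its own commit. The `alsa_domain(java_t, java_tmpfs_t)` line added in the second java.te hunk is likewise unrelated to the subject and undocumented.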
@@ -130,6 +130,7 @@ tunable_policy(`allow_java_execstack',`
 ')
 
 optional_policy(`
+	alsa_domain(java_t, java_tmpfs_t)
 	alsa_read_rw_config(java_t)
 ')
 

diff --git a/policy/modules/contrib/kerberos.fc b/policy/modules/contrib/kerberos.fc
index 3525d24..0a3d05a 100644
--- a/policy/modules/contrib/kerberos.fc
+++ b/policy/modules/contrib/kerberos.fc
@@ -13,13 +13,13 @@ HOME_DIR/\.k5login		--	gen_context(system_u:object_r:krb5_home_t,s0)
 /etc/rc\.d/init\.d/krb524d	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/krb5kdc	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
 
-/usr/(local/)?(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
-/usr/(local/)?(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+/usr/(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
 /usr/kerberos/sbin/kadmin\.local --	gen_context(system_u:object_r:kadmind_exec_t,s0)
 /usr/kerberos/sbin/kpropd	--	gen_context(system_u:object_r:kpropd_exec_t,s0)
 
-/usr/local/var/krb5kdc(/.*)?		gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-/usr/local/var/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+/usr/var/krb5kdc(/.*)?		gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/usr/var/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
 
 /var/kerberos/krb5kdc(/.*)?		gen_context(system_u:object_r:krb5kdc_conf_t,s0)
 /var/kerberos/krb5kdc/from_master.*	gen_context(system_u:object_r:krb5kdc_lock_t,s0)

diff --git a/policy/modules/contrib/lpd.fc b/policy/modules/contrib/lpd.fc
index 5c9eb68..62a8834 100644
--- a/policy/modules/contrib/lpd.fc
+++ b/policy/modules/contrib/lpd.fc
@@ -16,6 +16,8 @@
 /usr/bin/lprm(\.cups)?	--	gen_context(system_u:object_r:lpr_exec_t,s0)
 /usr/bin/lpstat(\.cups)? --	gen_context(system_u:object_r:lpr_exec_t,s0)
 
+/usr/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
+
 /usr/sbin/accept	--	gen_context(system_u:object_r:lpr_exec_t,s0)
 /usr/sbin/checkpc	--	gen_context(system_u:object_r:checkpc_exec_t,s0)
 /usr/sbin/lpd		--	gen_context(system_u:object_r:lpd_exec_t,s0)
@@ -24,8 +26,6 @@
 /usr/sbin/lpinfo	--	gen_context(system_u:object_r:lpr_exec_t,s0)
 /usr/sbin/lpmove	--	gen_context(system_u:object_r:lpr_exec_t,s0)
 
-/usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
-
 /usr/share/printconf/.* --	gen_context(system_u:object_r:printconf_t,s0)
 
 #

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index ca47068..f212f4a 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -191,6 +191,8 @@ ifdef(`distro_gentoo',`
 /usr/bin/scponly		--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/bin/tcsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 
+/usr/Brother(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+
 /usr/lib(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
 /usr/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
@@ -263,10 +265,9 @@ ifdef(`distro_gentoo',`
 
 /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
 
-/usr/local/lib/ipsec/.*		-- 	gen_context(system_u:object_r:bin_t,s0)
-/usr/local/Brother(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-/usr/local/Printer(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-/usr/local/linuxprinter/filters(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+/usr/linuxprinter/filters(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+
+/usr/Printer(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
 /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)

diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index 8796ca3..9f95ab2 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -204,13 +204,6 @@ ifdef(`distro_debian',`
 
 /usr/inclu.e(/.*)?		gen_context(system_u:object_r:usr_t,s0)
 
-/usr/local/\.journal		<<none>>
-
-/usr/local/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
-
-/usr/local/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
-/usr/local/lost\+found/.*	<<none>>
-
 /usr/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /usr/lost\+found/.*		<<none>>
 
@@ -220,8 +213,6 @@ ifdef(`distro_debian',`
 /usr/tmp/.*			<<none>>
 
 ifndef(`distro_redhat',`
-/usr/local/src(/.*)?		gen_context(system_u:object_r:src_t,s0)
-
 /usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
 /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
 ')

diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index e25c6b6..74a2256 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@@ -27,11 +27,6 @@
 /usr/libexec/ipsec/spi		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/nm-openswan-service -- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 
-/usr/local/lib/ipsec/eroute --	gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/local/lib/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/local/lib/ipsec/pluto --	gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/local/lib/ipsec/spi	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
-
 /usr/sbin/ipsec			-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 /usr/sbin/racoon		--	gen_context(system_u:object_r:racoon_exec_t,s0)
 /usr/sbin/setkey		--	gen_context(system_u:object_r:setkey_exec_t,s0)

diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 8a68e0a..4fc5af3 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -151,9 +151,9 @@ ifdef(`distro_redhat',`
 /usr/lib/nvidia/libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
-/usr/(local/)?.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:lib_t,s0)
-/usr/(local/)?lib/wine/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?lib/(sse2/)?libfame-.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:lib_t,s0)
+/usr/lib/wine/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/(sse2/)?libfame-.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/NX/lib/libXcomp\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/NX/lib/libjpeg\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
@@ -241,14 +241,13 @@ HOME_DIR/.*/plugins/nppdf\.so.* --	gen_context(system_u:object_r:textrel_shlib_t
 
 # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
 /usr/lib.*/libmpg123\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/local(/.*)?/libmpg123\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(/.*)?/libmpg123\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/codecs/drv[1-9c]\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/local/lib/codecs/drv[1-9c]\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 HOME_DIR/.*/plugins/nppdf\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/.*/nprhapengine\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/local/(.*/)?nprhapengine\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(.*/)?nprhapengine\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 # Jai, Sun Microsystems (Jpackage SPRM)
 /usr/lib/libmlib_jai\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
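Review bot: The new `/usr/(/.*)?/libmpg123\.so(\.[^/]*)*` cannot match a normalised path, because after `/usr/` it requires another `/` immediately, so only names containing `//` match. It looks like `/usr/local` was replaced by `/usr/` instead of `/usr`; the equivalent of the removed line is `/usr(/.*)?/libmpg123\.so(\.[^/]*)*`. As written, a libmpg123 outside `/usr/lib.*` no longer reaches `textrel_shlib_t` and presumably falls back to the generic `.so` rule from the first hunk. The libraries.fc hunks in the later message of this thread do not cover this line, so the pattern seems to survive the revert.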
@@ -270,20 +269,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
 
 # Java, Sun Microsystems (JPackage SRPM)
 /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/(.*/)?jre.*/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
-/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
-/usr/(local/)?acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?Adobe/.*\.api		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?lib/xchat/plugins/systray\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?matlab.*/sys/os/glnx86/libtermcap\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/Adobe/.*\.api		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/xchat/plugins/systray\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/matlab.*/sys/os/glnx86/libtermcap\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 

diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index ba2b623..5820646 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -36,11 +36,6 @@ ifdef(`distro_redhat',`
 
 /usr/lib/perl5/man(/.*)?	gen_context(system_u:object_r:man_t,s0)
 
-/usr/local/man(/.*)?		gen_context(system_u:object_r:man_t,s0)
-/usr/local/share/man(/.*)?	gen_context(system_u:object_r:man_t,s0)
-
-/usr/local/share/fonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
-
 /usr/man(/.*)?			gen_context(system_u:object_r:man_t,s0)
 
 /usr/share/fonts(/.*)?		gen_context(system_u:object_r:fonts_t,s0)

diff --git a/policy/modules/system/unconfined.fc b/policy/modules/system/unconfined.fc
index 0abaf84..25efa00 100644
--- a/policy/modules/system/unconfined.fc
+++ b/policy/modules/system/unconfined.fc
@@ -8,7 +8,7 @@
 /usr/lib/ia32el/ia32x_loader 	--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 /usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 
-/usr/local/RealPlayer/realplay\.bin --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/RealPlayer/realplay\.bin --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 
 ifdef(`distro_debian',`
 /usr/bin/gcj-dbtool-4\.1	--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/system/, policy/modules/kernel/, config/
@ 2012-08-09 16:44 Sven Vermeulen
From: Sven Vermeulen @ 2012-08-09 16:44 UTC (permalink / raw
  To: gentoo-commits

commit:     aaa0f803d363b62e7105ef1e1cf282a08a0350e1
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug  9 15:35:50 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Aug  9 15:35:50 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=aaa0f803

Use /usr/local/lib* to /usr/lib

The translation of /usr/local to /usr is not supported upstream and might lead
to issues later, so undo those changes. Keep the /usr/local/lib* stuff in
though.

---
 config/file_contexts.subs_dist        |    1 -
 policy/modules/contrib/java.fc        |    3 +++
 policy/modules/contrib/kerberos.fc    |    8 ++++----
 policy/modules/contrib/lpd.fc         |    2 +-
 policy/modules/kernel/corecommands.fc |    6 +++---
 policy/modules/kernel/files.fc        |    9 +++++++++
 policy/modules/system/libraries.fc    |   20 ++++++++++----------
 policy/modules/system/miscfiles.fc    |    5 +++++
 policy/modules/system/unconfined.fc   |    2 +-
 9 files changed, 36 insertions(+), 20 deletions(-)

diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
index 34ae155..9121dce 100644
--- a/config/file_contexts.subs_dist
+++ b/config/file_contexts.subs_dist
@@ -4,7 +4,6 @@
 /run/lock /var/lock
 /usr/lib32 /usr/lib
 /usr/lib64 /usr/lib
-/usr/local /usr
 /usr/local/lib64 /usr/lib
 /usr/local/lib32 /usr/lib
 /var/run/lock /var/lock

diff --git a/policy/modules/contrib/java.fc b/policy/modules/contrib/java.fc
index 2212e30..ca524bd 100644
--- a/policy/modules/contrib/java.fc
+++ b/policy/modules/contrib/java.fc
@@ -4,6 +4,7 @@
 /opt/(.*/)?bin/java[^/]*	--	gen_context(system_u:object_r:java_exec_t,s0)
 /opt/ibm/java.*/(bin|javaws)(/.*)? --	gen_context(system_u:object_r:java_exec_t,s0)
 /opt/matlab.*/bin.*/MATLAB.*	--	gen_context(system_u:object_r:java_exec_t,s0)
+/opt/matlab.*/bin.*/MATLAB.*	--	gen_context(system_u:object_r:java_exec_t,s0)
 
 #
 # /usr
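Review bot: The added line is byte-identical to the context line directly above it, so this hunk creates a duplicate `/opt/matlab.*/bin.*/MATLAB.*` spec. It does not bring back `/opt/local/matlab.*/bin.*/MATLAB.*`, which the first message in this thread removed from this position. The intended line is presumably `/opt/local/matlab.*/bin.*/MATLAB.* --	gen_context(system_u:object_r:java_exec_t,s0)`. As it stands, MATLAB binaries under /opt/local are not matched by any entry visible here, and the duplicate is at best redundant and may be reported when the file contexts are validated.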
@@ -27,6 +28,8 @@
 /usr/lib/opera(/.*)?/opera	--	gen_context(system_u:object_r:java_exec_t,s0)
 /usr/lib/opera(/.*)?/works	--	gen_context(system_u:object_r:java_exec_t,s0)
 
+/usr/local/matlab.*/bin.*/MATLAB.* --	gen_context(system_u:object_r:java_exec_t,s0)
+
 /usr/matlab.*/bin.*/MATLAB.*	--	gen_context(system_u:object_r:java_exec_t,s0)
 
 ifdef(`distro_redhat',`

diff --git a/policy/modules/contrib/kerberos.fc b/policy/modules/contrib/kerberos.fc
index 0a3d05a..3525d24 100644
--- a/policy/modules/contrib/kerberos.fc
+++ b/policy/modules/contrib/kerberos.fc
@@ -13,13 +13,13 @@ HOME_DIR/\.k5login		--	gen_context(system_u:object_r:krb5_home_t,s0)
 /etc/rc\.d/init\.d/krb524d	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/krb5kdc	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
 
-/usr/(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
-/usr/(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/(local/)?(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+/usr/(local/)?(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
 /usr/kerberos/sbin/kadmin\.local --	gen_context(system_u:object_r:kadmind_exec_t,s0)
 /usr/kerberos/sbin/kpropd	--	gen_context(system_u:object_r:kpropd_exec_t,s0)
 
-/usr/var/krb5kdc(/.*)?		gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-/usr/var/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+/usr/local/var/krb5kdc(/.*)?		gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/usr/local/var/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
 
 /var/kerberos/krb5kdc(/.*)?		gen_context(system_u:object_r:krb5kdc_conf_t,s0)
 /var/kerberos/krb5kdc/from_master.*	gen_context(system_u:object_r:krb5kdc_lock_t,s0)

diff --git a/policy/modules/contrib/lpd.fc b/policy/modules/contrib/lpd.fc
index 62a8834..dd53b37 100644
--- a/policy/modules/contrib/lpd.fc
+++ b/policy/modules/contrib/lpd.fc
@@ -16,7 +16,7 @@
 /usr/bin/lprm(\.cups)?	--	gen_context(system_u:object_r:lpr_exec_t,s0)
 /usr/bin/lpstat(\.cups)? --	gen_context(system_u:object_r:lpr_exec_t,s0)
 
-/usr/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
 
 /usr/sbin/accept	--	gen_context(system_u:object_r:lpr_exec_t,s0)
 /usr/sbin/checkpc	--	gen_context(system_u:object_r:checkpc_exec_t,s0)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index defaa6d..0ec2975 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -196,7 +196,6 @@ ifdef(`distro_gentoo',`
 /usr/bin/scponly		--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/bin/tcsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 
-/usr/Brother(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
 /usr/lib(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
@@ -270,9 +269,10 @@ ifdef(`distro_gentoo',`
 
 /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
 
-/usr/linuxprinter/filters(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/local/Brother(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/local/Printer(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/local/linuxprinter/filters(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 
-/usr/Printer(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
 /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
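Review bot: The re-added block restores Brother, Printer and linuxprinter/filters under /usr/local but not `/usr/local/lib/ipsec/.*`, which the first message removed from the same block. With `/usr/local /usr` dropped from file_contexts.subs_dist and ipsec.fc absent from this commit's diffstat, files under /usr/local/lib/ipsec appear to be left without their `bin_t` and `ipsec_exec_t` entries. If that is intended, say so in the commit message; otherwise restore `/usr/local/lib/ipsec/.*		-- 	gen_context(system_u:object_r:bin_t,s0)` here together with the four entries removed from ipsec.fc. The index base of this hunk differs from the result of the first commit, so there may be intermediate changes this page does not show.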

diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index 9f95ab2..8796ca3 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -204,6 +204,13 @@ ifdef(`distro_debian',`
 
 /usr/inclu.e(/.*)?		gen_context(system_u:object_r:usr_t,s0)
 
+/usr/local/\.journal		<<none>>
+
+/usr/local/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
+
+/usr/local/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+/usr/local/lost\+found/.*	<<none>>
+
 /usr/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /usr/lost\+found/.*		<<none>>
 
@@ -213,6 +220,8 @@ ifdef(`distro_debian',`
 /usr/tmp/.*			<<none>>
 
 ifndef(`distro_redhat',`
+/usr/local/src(/.*)?		gen_context(system_u:object_r:src_t,s0)
+
 /usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
 /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
 ')

diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 4fc5af3..6a2a3ed 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -247,7 +247,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* --	gen_context(system_u:object_r:textrel_shlib_t
 HOME_DIR/.*/plugins/nppdf\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/.*/nprhapengine\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(.*/)?nprhapengine\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/(.*/)?nprhapengine\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 # Jai, Sun Microsystems (Jpackage SPRM)
 /usr/lib/libmlib_jai\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -271,17 +271,17 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
 /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/(.*/)?jre.*/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
-/usr/Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
-/usr/acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/Adobe/.*\.api		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?Adobe/.*\.api		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/xchat/plugins/systray\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/matlab.*/sys/os/glnx86/libtermcap\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?matlab.*/sys/os/glnx86/libtermcap\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 

diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 5820646..f058c71 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -36,6 +36,11 @@ ifdef(`distro_redhat',`
 
 /usr/lib/perl5/man(/.*)?	gen_context(system_u:object_r:man_t,s0)
 
+/usr/local/man(/.*)?		gen_context(system_u:object_r:man_t,s0)
+/usr/local/share/man(/.*)?	gen_context(system_u:object_r:man_t,s0)
+
+/usr/local/share/fonts(/.*)?	gen_context(system_u:object_r:man_t,s0)
+
 /usr/man(/.*)?			gen_context(system_u:object_r:man_t,s0)
 
 /usr/share/fonts(/.*)?		gen_context(system_u:object_r:fonts_t,s0)
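Review bot: `/usr/local/share/fonts(/.*)?` is restored with `man_t`, but the line removed by the first message in this thread used `fonts_t`, as does the `/usr/share/fonts` entry at the end of this hunk. After a relabel, fonts under /usr/local/share/fonts would carry the manual-page type, so rules written against `fonts_t` would not apply to them. The line should read `/usr/local/share/fonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)`.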

diff --git a/policy/modules/system/unconfined.fc b/policy/modules/system/unconfined.fc
index 25efa00..0abaf84 100644
--- a/policy/modules/system/unconfined.fc
+++ b/policy/modules/system/unconfined.fc
@@ -8,7 +8,7 @@
 /usr/lib/ia32el/ia32x_loader 	--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 /usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 
-/usr/RealPlayer/realplay\.bin --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/local/RealPlayer/realplay\.bin --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 
 ifdef(`distro_debian',`
 /usr/bin/gcj-dbtool-4\.1	--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)


