From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 79494139694 for ; Thu, 30 Mar 2017 17:06:59 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 69D20234019; Thu, 30 Mar 2017 17:06:46 +0000 (UTC) Received: from smtp.gentoo.org (woodpecker.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 35AE4234017 for ; Thu, 30 Mar 2017 17:06:41 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 8C32D341641 for ; Thu, 30 Mar 2017 17:06:24 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id EE77F73EA for ; Thu, 30 Mar 2017 17:06:21 +0000 (UTC) 
From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1490882319.4ab83a2a3657e6838b704166dea7b318b8046ce8.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/mandb.fc policy/modules/contrib/mandb.if policy/modules/contrib/mandb.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 4ab83a2a3657e6838b704166dea7b318b8046ce8 X-VCS-Branch: master Date: Thu, 30 Mar 2017 17:06:21 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 9b908335-b28a-4e4d-989e-63189e23737a X-Archives-Hash: 09cd5b8df7f2a9c48a1e14c2f6cccdec commit: 4ab83a2a3657e6838b704166dea7b318b8046ce8 Author: cgzones googlemail com> AuthorDate: Wed Mar 8 20:35:28 2017 +0000 Commit: Jason Zaman gentoo org> CommitDate: Thu Mar 30 13:58:39 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4ab83a2a mandb: update fix mandb when running as root move file label from cronjob to binary file policy/modules/contrib/mandb.fc | 3 +-- policy/modules/contrib/mandb.if | 10 +++------- policy/modules/contrib/mandb.te | 26 +++++++++++--------------- 3 files changed, 15 insertions(+), 24 deletions(-) diff --git a/policy/modules/contrib/mandb.fc b/policy/modules/contrib/mandb.fc index 9f2825e9..d92a58fd 100644 --- a/policy/modules/contrib/mandb.fc +++ b/policy/modules/contrib/mandb.fc 
@@ -1,4 +1,3 @@ -/etc/cron\.(daily|weekly)/man-db.* -- gen_context(system_u:object_r:mandb_exec_t,s0) +/usr/bin/mandb -- gen_context(system_u:object_r:mandb_exec_t,s0) -# Systemd unit file /usr/lib/systemd/system/[^/]*man-db.* -- gen_context(system_u:object_r:mandb_unit_t,s0) diff --git a/policy/modules/contrib/mandb.if b/policy/modules/contrib/mandb.if index 327f3f72..2b5d5385 100644 --- a/policy/modules/contrib/mandb.if +++ b/policy/modules/contrib/mandb.if @@ -42,7 +42,7 @@ interface(`mandb_run',` attribute_role mandb_roles; ') - lightsquid_domtrans($1) + mandb_domtrans($1) roleattribute $2 mandb_roles; ') @@ -122,14 +122,10 @@ interface(`mandb_manage_cache_content',` # interface(`mandb_admin',` gen_require(` - type mandb_t, mandb_cache_t; + type mandb_t; ') - allow $1 mandb_t:process { ptrace signal_perms }; - ps_process_pattern($1, mandb_t) + admin_process_pattern($1, mandb_t) mandb_run($1, $2) - - # pending - # miscfiles_manage_man_cache_content(mandb_t) ') diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te index 142e7e07..0358aaff 100644 --- a/policy/modules/contrib/mandb.te +++ b/policy/modules/contrib/mandb.te @@ -21,7 +21,11 @@ init_unit_file(mandb_unit_t) # Local policy # -allow mandb_t self:capability { setgid setuid }; +# dac_override : write /var/cache/man/* +# fowner : chmod /var/cache/man/* +# chown : lchown32 /var/cache/man/* +# fsetid : chmod /var/cache/man/* +allow mandb_t self:capability { chown dac_override fowner fsetid setgid setuid }; allow mandb_t self:process { setsched signal }; allow mandb_t self:fifo_file rw_fifo_file_perms; allow mandb_t self:unix_stream_socket create_stream_socket_perms; 
@@ -32,28 +36,20 @@ kernel_read_system_state(mandb_t) corecmd_exec_bin(mandb_t) corecmd_exec_shell(mandb_t) -dev_search_sysfs(mandb_t) - domain_use_interactive_fds(mandb_t) +files_dontaudit_search_home(mandb_t) files_read_etc_files(mandb_t) +# search /var/run/nscd/socket +files_search_pids(mandb_t) + +fs_getattr_xattr_fs(mandb_t) miscfiles_manage_man_cache(mandb_t) miscfiles_read_man_pages(mandb_t) miscfiles_read_localization(mandb_t) -ifdef(`distro_debian',` - optional_policy(` - apt_exec(mandb_t) - apt_read_db(mandb_t) - ') - - optional_policy(` - dpkg_exec(mandb_t) - dpkg_read_db(mandb_t) - userdom_dontaudit_search_user_home_dirs(mandb_t) - ') -') +userdom_use_inherited_user_terminals(mandb_t) optional_policy(` cron_system_entry(mandb_t, mandb_exec_t)
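Review bot: in the mandb.fc hunk the "# Systemd unit file" comment is deleted together with the cron entry, but the unit-file line it documented stays; keep the comment above "/usr/lib/systemd/system/[^/]*man-db.*" so the remaining entry is still annotated. With the label moved from "/etc/cron\.(daily|weekly)/man-db.*" to "/usr/bin/mandb", the cron scripts are now deliberately unlabelled and the transition into mandb_t happens only when the script executes the binary (cron_system_entry(mandb_t, mandb_exec_t) in mandb.te still covers that); say so in the commit message so packagers know to drop any leftover file-context override for the cron scripts.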
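Review bot: the lightsquid_domtrans($1) -> mandb_domtrans($1) change in mandb_run is a real bug fix, not a cleanup: any role that was granted mandb_run previously received a transition into the lightsquid domain and none into mandb_t. The commit message ("mandb: update", root fix, label move) does not mention it; call the copy-paste fix out explicitly, ideally in its own commit, so it is easy to find when someone bisects a missing transition.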
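Review bot: after the mandb_admin hunk the interface grants only admin_process_pattern($1, mandb_t) and mandb_run($1, $2). Dropping mandb_cache_t from gen_require is correct because nothing in the interface references it any more, but it also means an admin gets no access to the cache content through this interface. If that is intended, fine; otherwise add mandb_manage_cache_content($1) (the interface defined directly above this hunk) so the admin interface covers the domain's files as well as its process, as the other refpolicy admin interfaces do. Removing the "# pending" comment about miscfiles_manage_man_cache_content is right, since mandb.te already calls miscfiles_manage_man_cache(mandb_t).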
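Review bot: the dac_override capability added in the mandb.te capability hunk deserves a justification beyond "write /var/cache/man/*". mandb_t already has miscfiles_manage_man_cache(mandb_t), so a DAC denial on the cache while running as root points at a file-ownership mismatch (cache files owned by the man user that mandb touches before it calls setuid) rather than a policy gap; dac_override lets the domain bypass file permissions on everything it has SELinux access to, not only under /var/cache/man. Check whether chown, fowner and fsetid together with the existing setuid/setgid are enough once ownership is consistent, and if dac_override really is required, record the reason in the comment block so it is not silently carried forward.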
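Review bot: in the last hunk files_search_pids(mandb_t) is added with the comment "# search /var/run/nscd/socket"; the refpolicy idiom for that access is an optional_policy block calling nscd_socket_use(mandb_t), so the permission is tied to nscd actually being present instead of a bare search on every pid directory. The ifdef(`distro_debian',` block granting apt_exec/apt_read_db and dpkg_exec/dpkg_read_db is removed without a word in the commit message; that block only affected Debian builds, so state why Debian no longer needs it, or users there will see new denials with no explanation. Replacing userdom_dontaudit_search_user_home_dirs(mandb_t) inside the dpkg block with the unconditional files_dontaudit_search_home(mandb_t) looks fine, as does fs_getattr_xattr_fs(mandb_t).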