diff options
| author |   Luis Ressel <aranea@aixah.de> | 2017-06-07 14:38:59 +0200 |
|---|---|---|
| committer |   Jason Zaman <jason@perfinion.com> | 2017-06-13 16:02:15 +0800 |
| commit | 0f2822b1a99d11618c35b0b878b24cce28a8e461 (patch) | |
| tree | f0c13d1e097b964c44052b5f2bac4978feef8c59 | |
| parent | fc_sort: avoid compiler warning/error (diff) | |
| download | hardened-refpolicy-0f2822b1a99d11618c35b0b878b24cce28a8e461.tar.gz hardened-refpolicy-0f2822b1a99d11618c35b0b878b24cce28a8e461.tar.bz2 hardened-refpolicy-0f2822b1a99d11618c35b0b878b24cce28a8e461.zip | |
system/miscfiles: Generalize the man_t fc's
This won't match subdirectories of /usr/lib, but that shouldn't be a
problem, since we have "allow domain lib_t ..." anyway.
We can't match on "/usr/(.*/)?man(/.*)?", since that'd result in a few
false positives; in particular, the files
/usr/share/xmlto/format/docbook/man
/usr/share/bash-completion/completions/man
| -rw-r--r-- | policy/modules/system/miscfiles.fc | 13 |
1 files changed, 4 insertions, 9 deletions
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc index 42ac30bda..88eceb99d 100644 --- a/policy/modules/system/miscfiles.fc +++ b/policy/modules/system/miscfiles.fc @@ -39,26 +39,23 @@ ifdef(`distro_redhat',` # # /usr # +/usr/(.*/)?man -d gen_context(system_u:object_r:man_t,s0) +/usr/(.*/)?man/.* gen_context(system_u:object_r:man_t,s0) + /usr/lib/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) /usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0) /usr/local/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0) -/usr/local/man(/.*)? gen_context(system_u:object_r:man_t,s0) -/usr/local/share/man(/.*)? gen_context(system_u:object_r:man_t,s0) - /usr/local/share/fonts(/.*)? gen_context(system_u:object_r:man_t,s0) -/usr/man(/.*)? gen_context(system_u:object_r:man_t,s0) - +/usr/share/docbook2X/xslt/man(/.*)? gen_context(system_u:object_r:usr_t,s0) /usr/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0) /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) /usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) /usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) -/usr/share/man(/.*)? gen_context(system_u:object_r:man_t,s0) -/usr/share/postgresql/[^/]*/man(/.*)? gen_context(system_u:object_r:man_t,s0) /usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) /usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0) @@ -67,8 +64,6 @@ ifdef(`distro_redhat',` /usr/X11R6/lib/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) -/usr/X11R6/man(/.*)? gen_context(system_u:object_r:man_t,s0) - ifdef(`distro_gentoo',` /usr/share/misc/(pci|usb)\.ids -- gen_context(system_u:object_r:hwdata_t,s0) ') |