author | Russell Coker <russell@coker.com.au> | 2019-01-31 13:58:52 +1100 |
---|---|---|
committer | Jason Zaman <jason@perfinion.com> | 2019-02-10 12:11:25 +0800 |
commit | 6821d0d812722efa73ccba5bee8410241b622721 (patch) | |
tree | dab27b2dacfb6c2d202f382692fb4a231a922cc9 | |
parent | redis: Module version bump. (diff) | |
more misc stuff
Here's the latest stuff, most of which is to make staff_t usable as a login
domain. Please merge whatever you think is good and skip the rest.
Signed-off-by: Jason Zaman <jason@perfinion.com>
-rw-r--r-- | policy/modules/kernel/corecommands.fc | 2 | ||||
-rw-r--r-- | policy/modules/roles/staff.te | 4 | ||||
-rw-r--r-- | policy/modules/roles/unprivuser.te | 4 | ||||
-rw-r--r-- | policy/modules/services/ssh.te | 1 | ||||
-rw-r--r-- | policy/modules/system/locallogin.te | 1 | ||||
-rw-r--r-- | policy/modules/system/systemd.te | 3 |
6 files changed, 14 insertions, 1 deletions
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 6a94f6ef..3b5f9c4d 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -168,6 +168,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/at-spi2-core(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/avahi/avahi-daemon-check-dns\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/bluetooth/.* -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/bridge-utils/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 #/usr/lib/dhcpcd/dhcpcd-hooks(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -200,6 +201,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/gvfs/gvfs.* -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/kde4/libexec/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/[^/]+/libexec/kf5/.* -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 803cca2a..1db51e0f 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -32,6 +32,10 @@ optional_policy(`
 ')
 optional_policy(`
+ modemmanager_dbus_chat(staff_t)
+')
+
+optional_policy(`
 postgresql_role(staff_r, staff_t)
 ')
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 0e21b2ad..f3241612 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -21,6 +21,10 @@ optional_policy(`
 ')
 optional_policy(`
+ modemmanager_dbus_chat(user_t)
+')
+
+optional_policy(`
 screen_role_template(user, user_r, user_t)
 ')
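Review bot: The new `/usr/lib/bluetooth/.*` entry in the first corecommands.fc hunk labels every regular file below that directory bin_t, which would include the Bluetooth daemon itself on a distribution that installs it there; a daemon labelled bin_t gets no domain transition of its own and runs in its caller's domain. Confirm that the bluetooth module carries a more specific file-context entry with its own executable type for the daemon path, or narrow this pattern to the helper binaries it is meant for. The same breadth applies to `/usr/lib/[^/]+/libexec/kf5/.*` in the second hunk, where `.*` also matches `/` and so reaches files in nested directories. A one-line comment above each entry naming the distribution layout it targets would help the next reader.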
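Review bot: `modemmanager_dbus_chat(user_t)` in the unprivuser.te hunk gives the unprivileged user domain the same D-Bus access to ModemManager that the staff.te hunk gives staff_t, while the commit message mainly motivates staff_t as a login domain. With both rules in place the policy no longer distinguishes which user domains may talk to the modem service, so the decision rests on the service's own authorization checks (presumably polkit). If user_t access is intended, a short comment in each new block saying which desktop component needs it would record that; otherwise the unprivuser.te block can be dropped.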
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 9a9b1061..ccc29001 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -178,6 +178,7 @@ logging_read_generic_logs(ssh_t)
 auth_use_nsswitch(ssh_t)
+miscfiles_read_generic_certs(ssh_t)
 miscfiles_read_localization(ssh_t)
 seutil_read_config(ssh_t)
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 9908a645..adbe775e 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -209,6 +209,7 @@ optional_policy(`
 ')
 optional_policy(`
+ xserver_link_xdm_keys(local_login_t)
 xserver_read_xdm_tmp_files(local_login_t)
 xserver_rw_xdm_tmp_files(local_login_t)
 xserver_rw_xdm_keys(local_login_t)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index e5f37321..34c38cad 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1008,6 +1008,7 @@ files_create_lock_dirs(systemd_tmpfiles_t)
 files_manage_all_pid_dirs(systemd_tmpfiles_t)
 files_delete_usr_files(systemd_tmpfiles_t)
 files_list_home(systemd_tmpfiles_t)
+files_list_locks(systemd_tmpfiles_t)
 files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
 files_manage_var_dirs(systemd_tmpfiles_t)
 files_manage_var_lib_dirs(systemd_tmpfiles_t)
@@ -1026,8 +1027,8 @@ files_relabelto_etc_dirs(systemd_tmpfiles_t)
 files_manage_etc_symlinks(systemd_tmpfiles_t)
 fs_getattr_tmpfs(systemd_tmpfiles_t)
-fs_getattr_tmpfs_dirs(systemd_tmpfiles_t)
 fs_getattr_xattr_fs(systemd_tmpfiles_t)
+fs_list_tmpfs(systemd_tmpfiles_t)
 selinux_get_fs_mount(systemd_tmpfiles_t)
 selinux_search_fs(systemd_tmpfiles_t) |
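Review bot: `miscfiles_read_generic_certs(ssh_t)` in the ssh.te hunk is added without a comment saying what in the ssh client domain reads the certificates. Because ssh_t processes talk to arbitrary remote hosts, it is worth confirming that private key material under the certificate directories carries a separate type, so that this rule exposes only public certificates. I would add a comment above the line such as `# read CA certificates: <component that triggered the denial>`, filled in from the audit log that motivated the change.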
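Review bot: `xserver_link_xdm_keys(local_login_t)` in the locallogin.te hunk is inserted at the top of the optional block, separated from `xserver_rw_xdm_keys(local_login_t)`, which grants access to the same xdm keys. Placing the two key rules next to each other, with a comment on why the login program needs to link xdm's keys (for example which PAM module raised the denial), would make the block easier to audit. The closing `')` of this optional_policy block lies outside the hunk.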