From 609ffa1d2ed490c7d5c77d2dd2dfdc50f415b935 Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Thu, 24 Mar 2022 09:59:05 +0100 Subject: [PATCH] Reorder loop holes with patterns in rules.d - this keeps backwards compatibility with older wersions of rules - the ld_so pattern was applied to root - it caused problems with running ldd as root(previously unrestricted) Signed-off-by: Radovan Sroka --- fapolicyd.spec | 6 +++--- rules.d/{30-dracut.rules => 20-dracut.rules} | 0 rules.d/{30-updaters.rules => 21-updaters.rules} | 0 rules.d/{20-patterns.rules => 30-patterns.rules} | 0 rules.d/Makefile.am | 4 ++-- rules.d/README-rules | 16 ++++++++-------- 6 files changed, 13 insertions(+), 13 deletions(-) rename rules.d/{30-dracut.rules => 20-dracut.rules} (100%) rename rules.d/{30-updaters.rules => 21-updaters.rules} (100%) rename rules.d/{20-patterns.rules => 30-patterns.rules} (100%) diff --git a/fapolicyd.spec b/fapolicyd.spec index c2aae21..261b780 100644 --- a/fapolicyd.spec +++ b/fapolicyd.spec 
@@ -66,9 +66,9 @@ if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then
 if [ "$files" -eq 0 ] ; then
 ## Install the known libs policy
 cp %{_datadir}/%{name}/sample-rules/10-languages.rules %{_sysconfdir}/%{name}/rules.d/
-cp %{_datadir}/%{name}/sample-rules/20-patterns.rules %{_sysconfdir}/%{name}/rules.d/
-cp %{_datadir}/%{name}/sample-rules/30-dracut.rules %{_sysconfdir}/%{name}/rules.d/
-cp %{_datadir}/%{name}/sample-rules/30-updaters.rules %{_sysconfdir}/%{name}/rules.d/
+cp %{_datadir}/%{name}/sample-rules/20-dracut.rules %{_sysconfdir}/%{name}/rules.d/
+cp %{_datadir}/%{name}/sample-rules/21-updaters.rules %{_sysconfdir}/%{name}/rules.d/
+cp %{_datadir}/%{name}/sample-rules/30-patterns.rules %{_sysconfdir}/%{name}/rules.d/
 cp %{_datadir}/%{name}/sample-rules/40-bad-elf.rules %{_sysconfdir}/%{name}/rules.d/
 cp %{_datadir}/%{name}/sample-rules/41-shared-obj.rules %{_sysconfdir}/%{name}/rules.d/
 cp %{_datadir}/%{name}/sample-rules/42-trusted-elf.rules %{_sysconfdir}/%{name}/rules.d/
diff --git a/rules.d/30-dracut.rules b/rules.d/20-dracut.rules
similarity index 100%
rename from rules.d/30-dracut.rules
rename to rules.d/20-dracut.rules
diff --git a/rules.d/30-updaters.rules b/rules.d/21-updaters.rules
similarity index 100%
rename from rules.d/30-updaters.rules
rename to rules.d/21-updaters.rules
diff --git a/rules.d/20-patterns.rules b/rules.d/30-patterns.rules
similarity index 100%
rename from rules.d/20-patterns.rules
rename to rules.d/30-patterns.rules
diff --git a/rules.d/Makefile.am b/rules.d/Makefile.am
index 76b5377..9bb61a7 100644
--- a/rules.d/Makefile.am
+++ b/rules.d/Makefile.am
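Review bot: Existing installations are not covered by the new order, because these `cp` lines in the fapolicyd.spec hunk run only inside `if [ "$files" -eq 0 ]`; a host that already has `20-patterns.rules`, `30-dracut.rules` and `30-updaters.rules` in `rules.d/` keeps evaluating the patterns ahead of the loop holes after the upgrade. If an administrator later copies the renamed samples next to the old files, both `20-patterns.rules` and `30-patterns.rules` would be present and the old one would presumably still sort first. Consider renaming the three files in place when they are unmodified, or at least documenting the manual step, and add a comment above the copies such as `## 20/21 loop holes must sort before 30-patterns.rules`. The scriptlet begins and ends outside this hunk, so a migration may already exist elsewhere in the spec.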
@@ -23,8 +23,8 @@ CONFIG_CLEAN_FILES = *.rej *.orig -EXTRA_DIST = README-rules 10-languages.rules 20-patterns.rules \ - 30-dracut.rules 30-updaters.rules \ +EXTRA_DIST = README-rules 10-languages.rules 20-dracut.rules \ + 21-updaters.rules 30-patterns.rules \ 40-bad-elf.rules 41-shared-obj.rules 42-trusted-elf.rules \ 43-known-elf.rules \ 70-trusted-lang.rules 71-known-python.rules 72-shell.rules \ diff --git a/rules.d/README-rules b/rules.d/README-rules index c03c02b..30fcd01 100644 --- a/rules.d/README-rules +++ b/rules.d/README-rules @@ -5,8 +5,8 @@ sort order. To make things easier to use, the files in this directory are organized into groups with the following meanings: 10 - macros -20 - patterns -30 - loop holes +20 - loop holes +30 - patterns 40 - ELF rules 50 - user/group access rules 60 - application access rules @@ -25,9 +25,9 @@ You can reconstruct the old policy files by including the following: fapolicyd.rules.known-libs -------------------------- 10-languages.rules -20-patterns.rules -30-dracut.rules -30-updaters.rules +20-dracut.rules +21-updaters.rules +30-patterns.rules 40-bad-elf.rules 41-shared-obj.rules 42-trusted-elf.rules @@ -39,9 +39,9 @@ fapolicyd.rules.known-libs fapolicyd.rules.restrictive --------------------------- 10-languages.rules -20-patterns.rules -30-dracut.rules -30-updaters.rules +20-dracut.rules +21-updaters.rules +30-patterns.rules 40-bad-elf.rules 41-shared-obj.rules 43-known-elf.rules -- 2.35.1