diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index 8745c6f3..bcf84b38 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -103,6 +103,8 @@ ifdef(`distro_gentoo',` /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0) ifdef(`distro_gentoo',` +/opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0) +/opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0) /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te index 854ca0ea..5805cd07 100644 --- a/policy/modules/kernel/corecommands.te +++ b/policy/modules/kernel/corecommands.te @@ -1,5 +1,5 @@ -policy_module(corecommands,1.3.11) +policy_module(corecommands,1.3.12) ######################################## # diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc index e1e67f60..f8735a47 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -12,7 +12,6 @@ /dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0) -/dev/console -c gen_context(system_u:object_r:console_device_t,s0) /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0) /dev/event.* -c gen_context(system_u:object_r:event_device_t,s0) @@ -99,6 +98,12 @@ ifdef(`distro_suse', ` /dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) +ifdef(`distro_gentoo',` +# used by init scripts to initally populate udev /dev +/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) +') + ifdef(`distro_redhat',` # originally from named.fc /var/named/chroot/dev/null -c gen_context(system_u:object_r:null_device_t,s0) diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 9d209458..c7aee136 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -1,5 +1,5 @@ -policy_module(devices,1.1.16) +policy_module(devices,1.1.17) ######################################## # diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc index df0d76c0..22ef3916 100644 --- a/policy/modules/kernel/terminal.fc +++ b/policy/modules/kernel/terminal.fc @@ -1,10 +1,11 @@ /dev/.*tty[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) -/dev/[pt]ty[abcdepqrstuvwxyz][0-9a-f] -c gen_context(system_u:object_r:bsdpty_device_t,s0) +/dev/[pt]ty[a-ep-z][0-9a-f] -c gen_context(system_u:object_r:bsdpty_device_t,s0) /dev/adb.* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/capi.* -c gen_context(system_u:object_r:tty_device_t,s0) +/dev/console -c gen_context(system_u:object_r:console_device_t,s0) /dev/cu.* -c gen_context(system_u:object_r:tty_device_t,s0) -/dev/dcbri[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) +/dev/dcbri[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) /dev/hvc.* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/hvsi.* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/ircomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) @@ -17,7 +18,7 @@ /dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0) -/dev/pts -d gen_context(system_u:object_r:devpts_t,s0-s15:c0.c255) +/dev/pts -d gen_context(system_u:object_r:devpts_t,s0-s15:c0.c255) /dev/tts/[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) @@ -29,4 +30,7 @@ ifdef(`distro_gentoo',` /dev/tts/[0-9]* -c gen_context(system_u:object_r:tty_device_t,s0) + +# used by init scripts to initally populate udev /dev +/lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0) ') diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te index 9fa8156c..216751b5 100644 --- a/policy/modules/kernel/terminal.te +++ b/policy/modules/kernel/terminal.te @@ -1,5 +1,5 @@ -policy_module(terminal,1.1.2) +policy_module(terminal,1.1.3) ######################################## # diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index d798bd06..95809549 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1,5 +1,5 @@ -policy_module(init,1.3.19) +policy_module(init,1.3.20) gen_require(` class passwd rootok; @@ -397,6 +397,11 @@ ifdef(`distro_debian',` ') ifdef(`distro_gentoo',` + # needed until baselayout is fixed to have the + # restorecon on /dev to again be immediately after + # mounting tmpfs on /dev + fs_tmpfs_filetrans(initrc_t,initrc_state_t,file) + optional_policy(` arpwatch_manage_data_files(initrc_t) ') diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc index 054f2bb1..ec811c6d 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -64,8 +64,20 @@ ifdef(`distro_gentoo',` /opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ifdef(`distro_gentoo',` +# despite the extensions, they're actually libs +/opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api gen_context(system_u:object_r:shlib_t,s0) +/opt/Acrobat[5-9]/Reader/intellinux/SPPlugins/.*\.api gen_context(system_u:object_r:shlib_t,s0) + /opt/netscape/plugins/libflashplayer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/netscape/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/RealPlayer/codecs(/.*)? gen_context(system_u:object_r:lib_t,s0) +/opt/RealPlayer/codecs/.*\.so gen_context(system_u:object_r:shlib_t,s0) +/opt/RealPlayer/common(/.*)? gen_context(system_u:object_r:lib_t,s0) +/opt/RealPlayer/common/.*\.so gen_context(system_u:object_r:shlib_t,s0) +/opt/RealPlayer/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) +/opt/RealPlayer/lib/.*\.so gen_context(system_u:object_r:shlib_t,s0) +/opt/RealPlayer/mozilla(/.*)? gen_context(system_u:object_r:lib_t,s0) +/opt/RealPlayer/mozilla/.*\.so gen_context(system_u:object_r:shlib_t,s0) ') # diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te index a1dd7d39..01236031 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -1,5 +1,5 @@ -policy_module(libraries,1.3.10) +policy_module(libraries,1.3.11) ######################################## # diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index f209df68..0c1b3ed0 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -1,5 +1,5 @@ -policy_module(logging,1.3.8) +policy_module(logging,1.3.9) ######################################## # @@ -255,11 +255,13 @@ optional_policy(` # syslogd local policy # -# sys_admin chown fsetid for syslog-ng +# chown fsetid for syslog-ng +# sys_admin for the integrated klog of syslog-ng and metalog # cjp: why net_admin! allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid }; dontaudit syslogd_t self:capability sys_tty_config; -allow syslogd_t self:process signal_perms; +# setpgid for metalog +allow syslogd_t self:process { signal_perms setpgid }; allow syslogd_t self:netlink_route_socket r_netlink_socket_perms; # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc index aa219c13..688afeb8 100644 --- a/policy/modules/system/modutils.fc +++ b/policy/modules/system/modutils.fc @@ -2,6 +2,12 @@ /etc/modules\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0) /etc/modprobe\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0) +ifdef(`distro_gentoo',` +# gentoo init scripts still manage this file +# even if devfs is off +/etc/modprobe.devfs.* -- gen_context(system_u:object_r:modules_conf_t,s0) +') + /lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0) /lib64/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0) @@ -12,5 +18,6 @@ /sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0) /sbin/insmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0) /sbin/modprobe.* -- gen_context(system_u:object_r:insmod_exec_t,s0) +/sbin/modules-update -- gen_context(system_u:object_r:update_modules_exec_t,s0) /sbin/rmmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0) /sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0) diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te index f50a4028..3884ddef 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -1,5 +1,5 @@ -policy_module(modutils,1.1.3) +policy_module(modutils,1.1.4) gen_require(` bool secure_mode_insmod; @@ -68,7 +68,7 @@ files_read_kernel_modules(insmod_t) # for locking: (cjp: ????) files_write_kernel_modules(insmod_t) -dev_search_sysfs(insmod_t) +dev_read_sysfs(insmod_t) dev_search_usbfs(insmod_t) dev_rw_mtrr(insmod_t) dev_read_urand(insmod_t)