2017-06-07 12:38:59

by Mira Ressel

Subject: [refpolicy] [PATCH v2] system/miscfiles: Generalize the man_t fc's

This won't match subdirectories of /usr/lib, but that shouldn't be a
problem, since we have "allow domain lib_t ..." anyway.

We can't match on "/usr/(.*/)?man(/.*)?", since that would result in a few
false positives; in particular, it would match the files
/usr/share/xmlto/format/docbook/man
/usr/share/bash-completion/completions/man
---
policy/modules/system/miscfiles.fc | 13 ++++---------
1 file changed, 4 insertions(+), 9 deletions(-)

diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index fb7e7b20..cf82761c 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -37,26 +37,23 @@ ifdef(`distro_redhat',`
#
# /usr
#
+/usr/(.*/)?man -d gen_context(system_u:object_r:man_t,s0)
+/usr/(.*/)?man/.* gen_context(system_u:object_r:man_t,s0)
+
/usr/lib/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)

/usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0)

/usr/local/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)

-/usr/local/man(/.*)? gen_context(system_u:object_r:man_t,s0)
-/usr/local/share/man(/.*)? gen_context(system_u:object_r:man_t,s0)
-
/usr/local/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)

-/usr/man(/.*)? gen_context(system_u:object_r:man_t,s0)
-
+/usr/share/docbook2X/xslt/man(/.*)? gen_context(system_u:object_r:usr_t,s0)
/usr/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)
/usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
/usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
/usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
/usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
-/usr/share/man(/.*)? gen_context(system_u:object_r:man_t,s0)
-/usr/share/postgresql/[^/]*/man(/.*)? gen_context(system_u:object_r:man_t,s0)
/usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
/usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0)

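Review bot: The second added pattern, `/usr/(.*/)?man/.*`, carries no `-d` guard, so it relabels the contents of any directory named `man` beneath /usr, not only man page trees; the `-d` on the line before it only keeps plain files named `man` (the bash-completion and xmlto cases from the commit message) out of man_t. The explicit `/usr/share/docbook2X/xslt/man(/.*)?` → usr_t entry suggests the author already relies on a more specific entry to carve out one such directory, but nothing in the file says why, so the next person who hits a similar collision has to rediscover this. A comment above the two generic lines, e.g. `# Any directory named "man" under /usr and its contents; trees that are not man pages (docbook2X below) are overridden explicitly`, would capture the intent. The retained `/usr/lib/perl5/man(/.*)?` line also now overlaps the generic pattern; if it is kept because of the /usr/lib matching behaviour the commit message mentions, a short comment saying so would stop someone from removing it as redundant.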
@@ -65,8 +62,6 @@ ifdef(`distro_redhat',`

/usr/X11R6/lib/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)

-/usr/X11R6/man(/.*)? gen_context(system_u:object_r:man_t,s0)
-
ifdef(`distro_gentoo',`
/usr/share/misc/(pci|usb)\.ids -- gen_context(system_u:object_r:hwdata_t,s0)
')
--
2.13.1


2017-06-07 23:19:58

by Chris PeBenito

Subject: [refpolicy] [PATCH v2] system/miscfiles: Generalize the man_t fc's

On 06/07/2017 08:38 AM, Luis Ressel via refpolicy wrote:
> This won't match subdirectories of /usr/lib, but that shouldn't be a
> problem, since we have "allow domain lib_t ..." anyway.
>
> We can't match on "/usr/(.*/)?man(/.*)?", since that'd result in a few
> false positives; in particular, the files
> /usr/share/xmlto/format/docbook/man
> /usr/share/bash-completion/completions/man
> ---
> policy/modules/system/miscfiles.fc | 13 ++++---------
> 1 file changed, 4 insertions(+), 9 deletions(-)
>
> diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
> index fb7e7b20..cf82761c 100644
> --- a/policy/modules/system/miscfiles.fc
> +++ b/policy/modules/system/miscfiles.fc
> @@ -37,26 +37,23 @@ ifdef(`distro_redhat',`
> #
> # /usr
> #
> +/usr/(.*/)?man -d gen_context(system_u:object_r:man_t,s0)
> +/usr/(.*/)?man/.* gen_context(system_u:object_r:man_t,s0)
> +
> /usr/lib/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
>
> /usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0)
>
> /usr/local/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)
>
> -/usr/local/man(/.*)? gen_context(system_u:object_r:man_t,s0)
> -/usr/local/share/man(/.*)? gen_context(system_u:object_r:man_t,s0)
> -
> /usr/local/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
>
> -/usr/man(/.*)? gen_context(system_u:object_r:man_t,s0)
> -
> +/usr/share/docbook2X/xslt/man(/.*)? gen_context(system_u:object_r:usr_t,s0)
> /usr/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)
> /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
> /usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
> /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
> /usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
> -/usr/share/man(/.*)? gen_context(system_u:object_r:man_t,s0)
> -/usr/share/postgresql/[^/]*/man(/.*)? gen_context(system_u:object_r:man_t,s0)
> /usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
> /usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0)
>
> @@ -65,8 +62,6 @@ ifdef(`distro_redhat',`
>
> /usr/X11R6/lib/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
>
> -/usr/X11R6/man(/.*)? gen_context(system_u:object_r:man_t,s0)
> -
> ifdef(`distro_gentoo',`
> /usr/share/misc/(pci|usb)\.ids -- gen_context(system_u:object_r:hwdata_t,s0)
> ')

Merged.

--
Chris PeBenito