From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 7 Jun 2017 19:19:58 -0400
Subject: [refpolicy] [PATCH v2] system/miscfiles: Generalize the man_t fc's
In-Reply-To: <20170607123859.16426-1-aranea@aixah.de>
References: <20170607123859.16426-1-aranea@aixah.de>
Message-ID: <0fe5cc81-0f20-6fe8-5dd1-c88edf76003d@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 06/07/2017 08:38 AM, Luis Ressel via refpolicy wrote:
> This won't match subdirectories of /usr/lib, but that shouldn't be a
> problem, since we have "allow domain lib_t ..." anyway.
>
> We can't match on "/usr/(.*/)?man(/.*)?", since that'd result in a few
> false positives; in particular, the files
> /usr/share/xmlto/format/docbook/man
> /usr/share/bash-completion/completions/man
> ---
> policy/modules/system/miscfiles.fc | 13 ++++---------
> 1 file changed, 4 insertions(+), 9 deletions(-)
>
> diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
> index fb7e7b20..cf82761c 100644
> --- a/policy/modules/system/miscfiles.fc
> +++ b/policy/modules/system/miscfiles.fc
> @@ -37,26 +37,23 @@ ifdef(`distro_redhat',` > # > # /usr > # > +/usr/(.*/)?man -d gen_context(system_u:object_r:man_t,s0) > +/usr/(.*/)?man/.* gen_context(system_u:object_r:man_t,s0) > + > /usr/lib/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) > > /usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0) > > /usr/local/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0) > > -/usr/local/man(/.*)? gen_context(system_u:object_r:man_t,s0) > -/usr/local/share/man(/.*)? gen_context(system_u:object_r:man_t,s0) > - > /usr/local/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) > > -/usr/man(/.*)? gen_context(system_u:object_r:man_t,s0) > - > +/usr/share/docbook2X/xslt/man(/.*)? gen_context(system_u:object_r:usr_t,s0) > /usr/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0) > /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) > /usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) > /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) > /usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) > -/usr/share/man(/.*)? gen_context(system_u:object_r:man_t,s0) > -/usr/share/postgresql/[^/]*/man(/.*)? gen_context(system_u:object_r:man_t,s0) > /usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) > /usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0) > > @@ -65,8 +62,6 @@ ifdef(`distro_redhat',` > > /usr/X11R6/lib/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) > > -/usr/X11R6/man(/.*)? gen_context(system_u:object_r:man_t,s0) > - > ifdef(`distro_gentoo',` > /usr/share/misc/(pci|usb)\.ids -- gen_context(system_u:object_r:hwdata_t,s0) > ') Merged. -- Chris PeBenito
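
Review bot: In the first hunk (@@ -37,26 +37,23 @@), the new `/usr/(.*/)?man -d` and `/usr/(.*/)?man/.*` entries and the `/usr/share/docbook2X/xslt/man(/.*)?` usr_t entry have no comment in miscfiles.fc, so the reason for the split is recorded only in the commit message. Suggest a short comment above the pair saying that the `-d` entry plus `man/.*` is used instead of `man(/.*)?` so that regular files named man (the xmlto and bash-completion files listed in the commit message) are not labeled man_t, and a comment on the docbook2X line marking it as an exception to the generic pattern. Without that, a later cleanup could merge the pair back into a single `man(/.*)?` entry or drop the usr_t override. The same comment could mention that `man/.*` covers the contents of any directory named man at any depth under /usr, so other directories of that name that do not hold manual pages will need the same kind of explicit exception.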