commit:     81028072096b64f3a06b3444311958ee9f442244
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sat Mar 19 09:30:42 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Mar 23 17:53:49 2016 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=81028072

Do not label /usr/lib/gvfs/libgvfscommon.so as bin_t

On Arch Linux, the /usr/lib/gvfs directory contains both executable files
(gvfsd, gvfs-udisks2-volume-monitor...) and libraries (libgvfscommon.so
and libgvfsdaemon.so).  As all executable files are prefixed with
"gvfs", use this prefix to distinguish them from the libraries.

This fixes the following AVC denials, reported from geoclue service
using a library wrongly labelled bin_t:

    avc:  denied  { read } for  pid=14872 comm="geoclue"
    name="libgvfscommon.so" dev="dm-0" ino=3152594
    scontext=system_u:system_r:geoclue_t
    tcontext=system_u:object_r:bin_t tclass=file permissive=1

    avc:  denied  { open } for  pid=14872 comm="geoclue"
    path="/usr/lib/gvfs/libgvfscommon.so" dev="dm-0" ino=3152594
    scontext=system_u:system_r:geoclue_t
    tcontext=system_u:object_r:bin_t tclass=file permissive=1

     avc:  denied  { execute } for  pid=14872 comm="geoclue"
     path="/usr/lib/gvfs/libgvfscommon.so" dev="dm-0" ino=3152594
     scontext=system_u:system_r:geoclue_t
     tcontext=system_u:object_r:bin_t tclass=file permissive=1

 policy/modules/kernel/corecommands.fc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index 1e8e894..c228d79 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -222,7 +222,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/git-core/git-shell    --      
gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/lib/git-core(/.*)         --      gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/gnome-settings-daemon/.* --   gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/gvfs/.*               --      gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/gvfs/gvfs.*           --      gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ipsec/.*              --      gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/kde4/libexec/.*       --      gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/mailman/bin(/.*)?             gen_context(system_u:object_r:bin_t,s0)
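Review bot: The added pattern `/usr/lib/gvfs/gvfs.*` keeps a trailing `.*`, which also matches across `/`, so a regular file under a subdirectory of /usr/lib/gvfs whose path continues after `gvfs` would still be labelled bin_t; if only files directly in that directory are meant, `/usr/lib/gvfs/gvfs[^/]*` keeps the match local. The entry now depends on the naming convention the commit message describes, so a short comment above it would help the next maintainer, e.g. `# only the gvfs* helpers are executables; libgvfs*.so must not be labelled bin_t`. The libraries this line no longer matches will take whatever the generic /usr/lib rule elsewhere in the policy assigns, which is outside this hunk and worth a quick check with matchpathcon. The `ifdef(`distro_gentoo'` shown in the hunk header is git's nearest-context heuristic rather than proof of the enclosing section, so confirm the entry sits where the commit intends.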
