commit: 4ab83a2a3657e6838b704166dea7b318b8046ce8
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Wed Mar 8 20:35:28 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 13:58:39 2017 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4ab83a2a
mandb: update
fix mandb when running as root
move file label from cronjob to binary file
policy/modules/contrib/mandb.fc | 3 +--
policy/modules/contrib/mandb.if | 10 +++-------
policy/modules/contrib/mandb.te | 26 +++++++++++---------------
3 files changed, 15 insertions(+), 24 deletions(-)
diff --git a/policy/modules/contrib/mandb.fc b/policy/modules/contrib/mandb.fc
index 9f2825e9..d92a58fd 100644
--- a/policy/modules/contrib/mandb.fc
+++ b/policy/modules/contrib/mandb.fc
@@ -1,4 +1,3 @@
-/etc/cron\.(daily|weekly)/man-db.* --
gen_context(system_u:object_r:mandb_exec_t,s0)
+/usr/bin/mandb --
gen_context(system_u:object_r:mandb_exec_t,s0)
-# Systemd unit file
/usr/lib/systemd/system/[^/]*man-db.* --
gen_context(system_u:object_r:mandb_unit_t,s0)
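Review bot: The `# Systemd unit file` comment is removed although the unit-file entry it described stays; keep it directly above the `/usr/lib/systemd/system/[^/]*man-db.*` line. With the cron script no longer labelled mandb_exec_t, the daily/weekly job runs in the cron domain and reaches mandb_t only through the `cron_system_entry(mandb_t, mandb_exec_t)` transition in mandb.te, and any other caller of the binary needs `mandb_domtrans`; a short comment on the new `/usr/bin/mandb` entry saying that the entry point moved from the cron script to the binary would make that intent visible in the file rather than only in the commit message.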
diff --git a/policy/modules/contrib/mandb.if b/policy/modules/contrib/mandb.if
index 327f3f72..2b5d5385 100644
--- a/policy/modules/contrib/mandb.if
+++ b/policy/modules/contrib/mandb.if
@@ -42,7 +42,7 @@ interface(`mandb_run',`
attribute_role mandb_roles;
')
- lightsquid_domtrans($1)
+ mandb_domtrans($1)
roleattribute $2 mandb_roles;
')
@@ -122,14 +122,10 @@ interface(`mandb_manage_cache_content',`
#
interface(`mandb_admin',`
gen_require(`
- type mandb_t, mandb_cache_t;
+ type mandb_t;
')
- allow $1 mandb_t:process { ptrace signal_perms };
- ps_process_pattern($1, mandb_t)
+ admin_process_pattern($1, mandb_t)
mandb_run($1, $2)
-
- # pending
- # miscfiles_manage_man_cache_content(mandb_t)
')
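Review bot: `mandb_cache_t` is dropped from the gen_require of mandb_admin without anything taking its place, so the admin role gets process control and the domain transition but no access to the cache the domain manages; the hunk header shows `mandb_manage_cache_content` still exists, which suggests the type is still defined. The usual refpolicy shape for an admin interface is `files_search_var($1)` followed by `admin_pattern($1, mandb_cache_t)` (keeping `type mandb_t, mandb_cache_t;` in the require), or at least a call to `mandb_manage_cache_content($1)`. If the cache type is meant to go away in favour of the miscfiles man cache, a one-line comment here saying so would explain why the admin role has no file access.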
diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te
index 142e7e07..0358aaff 100644
--- a/policy/modules/contrib/mandb.te
+++ b/policy/modules/contrib/mandb.te
@@ -21,7 +21,11 @@ init_unit_file(mandb_unit_t)
# Local policy
#
-allow mandb_t self:capability { setgid setuid };
+# dac_override : write /var/cache/man/*
+# fowner : chmod /var/cache/man/*
+# chown : lchown32 /var/cache/man/*
+# fsetid : chmod /var/cache/man/*
+allow mandb_t self:capability { chown dac_override fowner fsetid setgid setuid
};
allow mandb_t self:process { setsched signal };
allow mandb_t self:fifo_file rw_fifo_file_perms;
allow mandb_t self:unix_stream_socket create_stream_socket_perms;
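Review bot: `dac_override` is the broadest of the four capabilities added on the `allow mandb_t self:capability` line, and the comment only records the symptom (`write /var/cache/man/*`), not why a root-run mandb needs to bypass DAC on files it does not own. Before allowing it, confirm from the denial that mandb actually fails rather than probing and falling back after the EACCES; if it is a probe, `dontaudit mandb_t self:capability dac_override;` is the narrower fix, and if it is real, the comment should say that it is only hit on the root (cron) path before the setuid/setgid drop to the man user, so a later reviewer knows when it can be removed. The same applies, less strongly, to `chown` and `fowner`, which likewise give mandb_t ownership changes on every file type it may already write.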
@@ -32,28 +36,20 @@ kernel_read_system_state(mandb_t)
corecmd_exec_bin(mandb_t)
corecmd_exec_shell(mandb_t)
-dev_search_sysfs(mandb_t)
-
domain_use_interactive_fds(mandb_t)
+files_dontaudit_search_home(mandb_t)
files_read_etc_files(mandb_t)
+# search /var/run/nscd/socket
+files_search_pids(mandb_t)
+
+fs_getattr_xattr_fs(mandb_t)
miscfiles_manage_man_cache(mandb_t)
miscfiles_read_man_pages(mandb_t)
miscfiles_read_localization(mandb_t)
-ifdef(`distro_debian',`
- optional_policy(`
- apt_exec(mandb_t)
- apt_read_db(mandb_t)
- ')
-
- optional_policy(`
- dpkg_exec(mandb_t)
- dpkg_read_db(mandb_t)
- userdom_dontaudit_search_user_home_dirs(mandb_t)
- ')
-')
+userdom_use_inherited_user_terminals(mandb_t)
optional_policy(`
cron_system_entry(mandb_t, mandb_exec_t)