commit: 13028888c98455c718f3706b38a2801c7b76b465
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 6 09:17:15 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Aug 6 09:17:15 2014 +0000
URL:
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=13028888
Make SELinux configuration a security file type
The SELinux configuration should be considered a security-sensitive
configuration type and as such should not be made part of the
system-wide accesses towards regular files (non_auth/non_security).
---
policy/modules/system/selinuxutil.te | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/policy/modules/system/selinuxutil.te
b/policy/modules/system/selinuxutil.te
index 48566a4..4d6f5d9 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -28,7 +28,7 @@ roleattribute system_r semanage_roles;
# in the domain_type interface
# (fix dup decl)
type selinux_config_t;
-files_type(selinux_config_t)
+files_security_file(selinux_config_t)
type checkpolicy_t, can_write_binary_policy;
type checkpolicy_exec_t;
@@ -40,14 +40,14 @@ role system_r types checkpolicy_t;
# /etc/selinux/*/contexts/*
#
type default_context_t;
-files_type(default_context_t)
+files_security_file(default_context_t)
#
# file_context_t is the type applied to
# /etc/selinux/*/contexts/files
#
type file_context_t;
-files_type(file_context_t)
+files_security_file(file_context_t)
type load_policy_t;
type load_policy_exec_t;
@@ -67,7 +67,7 @@ role newrole_roles types newrole_t;
# the security server policy configuration.
#
type policy_config_t;
-files_type(policy_config_t)
+files_security_file(policy_config_t)
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
#neverallow ~can_write_binary_policy policy_config_t:file { write append };
