commit: 44c7994f453c43349074368972d58e465e1f5d27
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Jan 28 15:53:04 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 1 01:21:42 2021 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=44c7994f
apache, mysql, postgrey, samba, squid: Apply new mmap_manage_files_pattern().
Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/apache.if | 6 ++----
policy/modules/services/apache.te | 15 +++++----------
policy/modules/services/mysql.te | 6 ++----
policy/modules/services/postgrey.te | 3 +--
policy/modules/services/samba.te | 15 +++++----------
policy/modules/services/squid.te | 3 +--
6 files changed, 16 insertions(+), 32 deletions(-)
diff --git a/policy/modules/services/apache.if
b/policy/modules/services/apache.if
index 44767359..1695af75 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -70,8 +70,7 @@ template(`apache_content_template',`
allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t
}:lnk_file read_lnk_file_perms;
manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t,
httpd_$1_rw_content_t)
- manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t,
httpd_$1_rw_content_t)
- allow httpd_$1_script_t httpd_$1_rw_content_t:file map;
+ mmap_manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t,
httpd_$1_rw_content_t)
manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t,
httpd_$1_rw_content_t)
manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t,
httpd_$1_rw_content_t)
manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t,
httpd_$1_rw_content_t)
@@ -1025,8 +1024,7 @@ interface(`apache_manage_sys_rw_content',`
apache_search_sys_content($1)
manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
- manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
- allow $1 httpd_sys_rw_content_t:file map;
+ mmap_manage_files_pattern($1,httpd_sys_rw_content_t,
httpd_sys_rw_content_t)
manage_lnk_files_pattern($1, httpd_sys_rw_content_t,
httpd_sys_rw_content_t)
')
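Review bot: The new `mmap_manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)` line carries over the missing space after the first argument from the line it replaces, which makes it read differently from the sibling `manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)` and `manage_lnk_files_pattern(...)` calls in the same interface; since the line is being rewritten anyway, make it `mmap_manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)`. The access granted is unchanged (the old manage plus `file map` pair is folded into the pattern), so the interface's documentation block, which sits above this hunk, does not need updating for this change. The enclosing interface `apache_manage_sys_rw_content` starts outside the hunk; only its closing `')` is visible here.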
diff --git a/policy/modules/services/apache.te
b/policy/modules/services/apache.te
index da43a1d8..35fafe56 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -378,10 +378,9 @@ allow httpd_t self:unix_stream_socket { accept connectto
listen };
allow httpd_t self:tcp_socket { accept listen };
manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
-manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
+mmap_manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
files_var_filetrans(httpd_t, httpd_cache_t, dir)
-allow httpd_t httpd_cache_t:file map;
allow httpd_t httpd_config_t:dir list_dir_perms;
read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
@@ -415,9 +414,8 @@ read_lnk_files_pattern(httpd_t, httpd_modules_t,
httpd_modules_t)
allow httpd_t httpd_rotatelogs_t:process signal_perms;
manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
-manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+mmap_manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
-allow httpd_t httpd_squirrelmail_t:file map;
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
@@ -441,8 +439,7 @@ manage_sock_files_pattern(httpd_t, httpd_tmpfs_t,
httpd_tmpfs_t)
fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file
fifo_file })
manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
-manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
-allow httpd_t httpd_var_lib_t:file map;
+mmap_manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
@@ -622,8 +619,7 @@ tunable_policy(`httpd_enable_cgi && httpd_unified &&
httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
- manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
- allow httpd_t httpdcontent:file map;
+ mmap_manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent)
manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent)
@@ -908,8 +904,7 @@ optional_policy(`
# Helper local policy
#
-read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)
-allow httpd_t httpd_config_t:file map;
+mmap_read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)
append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
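Review bot: This hunk is not the pure pattern substitution the commit message describes: the removed rule is `allow httpd_t httpd_config_t:file map;` (subject httpd_t), while the replacement `mmap_read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)` grants `map` to httpd_helper_t, so httpd_helper_t gains a permission it did not previously have and httpd_t loses `map` on httpd_config_t at this location. The old httpd_t rule sitting in the helper section was probably a misplaced subject, which would make the new line the intended rule, but that inference should be stated in the commit message rather than left implicit, and it cannot be confirmed from this diff whether httpd_t keeps `map` on httpd_config_t elsewhere (its `read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)` in the first apache.te hunk does not include it). If httpd_t did rely on that rule, the symptom after deployment is an AVC denial for `httpd_t httpd_config_t:file map`, which is worth watching for. The remaining apache.te hunks, and the mysql.te, postgrey.te, samba.te and squid.te hunks, are straight manage-plus-map to `mmap_manage_files_pattern` substitutions with no change in granted access.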
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index 5a264e2f..84a49b16 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -74,8 +74,7 @@ allow mysqld_t self:unix_stream_socket { connectto accept
listen };
allow mysqld_t self:tcp_socket { accept listen };
manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
-manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
-allow mysqld_t mysqld_db_t:file map;
+mmap_manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
@@ -91,8 +90,7 @@ manage_lnk_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file })
manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
-manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
-allow mysqld_t mysqld_tmp_t:file map;
+mmap_manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
manage_dirs_pattern(mysqld_t, mysqld_runtime_t, mysqld_runtime_t)
diff --git a/policy/modules/services/postgrey.te
b/policy/modules/services/postgrey.te
index a96e9dd9..da47d1e0 100644
--- a/policy/modules/services/postgrey.te
+++ b/policy/modules/services/postgrey.te
@@ -46,8 +46,7 @@ manage_files_pattern(postgrey_t, postgrey_spool_t,
postgrey_spool_t)
manage_fifo_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
-manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
-allow postgrey_t postgrey_var_lib_t:file map;
+mmap_manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file)
manage_dirs_pattern(postgrey_t, postgrey_runtime_t, postgrey_runtime_t)
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index 855d846d..40b6684c 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -217,8 +217,7 @@ manage_files_pattern(samba_net_t, samba_net_tmp_t,
samba_net_tmp_t)
files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t)
-manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
-allow samba_net_t samba_var_t:file map;
+mmap_manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
files_var_filetrans(samba_net_t, samba_var_t, dir, "samba")
@@ -303,8 +302,7 @@ manage_lnk_files_pattern(smbd_t, samba_share_t,
samba_share_t)
allow smbd_t samba_share_t:filesystem { getattr quotaget };
manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
-manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
-allow smbd_t samba_var_t:file map;
+mmap_manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
@@ -314,8 +312,7 @@ manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
manage_dirs_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
-manage_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
-allow smbd_t samba_runtime_t:file map;
+mmap_manage_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
manage_sock_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
files_runtime_filetrans(smbd_t, samba_runtime_t, { dir file })
@@ -530,8 +527,7 @@ allow nmbd_t self:unix_dgram_socket sendto;
allow nmbd_t self:unix_stream_socket { accept connectto listen };
manage_dirs_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
-manage_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
-allow nmbd_t samba_runtime_t:file map;
+mmap_manage_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
manage_sock_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
files_runtime_filetrans(nmbd_t, samba_runtime_t, { dir file sock_file })
@@ -543,8 +539,7 @@ append_files_pattern(nmbd_t, samba_log_t, samba_log_t)
create_files_pattern(nmbd_t, samba_log_t, samba_log_t)
setattr_files_pattern(nmbd_t, samba_log_t, samba_log_t)
-manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
-allow nmbd_t samba_var_t:file map;
+mmap_manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t)
manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t)
files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd")
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
index f9890df1..263574f5 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -91,8 +91,7 @@ manage_dirs_pattern(squid_t, squid_tmp_t, squid_tmp_t)
manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t)
files_tmp_filetrans(squid_t, squid_tmp_t, { file dir })
-manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
-allow squid_t squid_tmpfs_t:file map;
+mmap_manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
manage_files_pattern(squid_t, squid_runtime_t, squid_runtime_t)