commit:     7ee6f362b949e90e54e31478c86c0eb353a58c84
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug  6 08:53:19 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Aug  6 18:08:37 2014 +0000
URL:        
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7ee6f362

Add seutil_relabelto_bin_policy explicitly to all users

As we are going to move seutil_relabelto_bin_policy outside the
files_relabel_non_auth_files, we first add it to all the users
explicitly.

The move is needed because otherwise files_relabel_non_auth_files cannot
be used inside a tunable_policy statement.

---
 policy/modules/contrib/dpkg.te       |  5 +++++
 policy/modules/contrib/rpm.te        |  6 ++++++
 policy/modules/roles/secadm.te       |  5 +++++
 policy/modules/system/selinuxutil.te |  8 ++++++++
 policy/modules/system/userdomain.if  | 10 ++++++++++
 5 files changed, 34 insertions(+)

diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index 31c8884..9bb9d6f 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -324,3 +324,8 @@ optional_policy(`
        usermanage_run_groupadd(dpkg_script_t, dpkg_roles)
        usermanage_run_useradd(dpkg_script_t, dpkg_roles)
 ')
+
+ifdef(`distro_gentoo',`
+       # Moved out of files_relabel_non_auth_files as it cannot be used in 
tunable_policy otherwise
+       seutil_relabelto_bin_policy(dpkg_t)
+')
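Review bot: The added comment says the call was "Moved out of files_relabel_non_auth_files", but per the commit description that move has not happened yet. At this commit the comment therefore describes a future state and never says what is being granted. Relabeling files to the binary policy type is a security-sensitive permission, so I would word the comment so an auditor can read the grant directly, e.g. `# Explicit grant: relabel files to the binary policy type; files_relabel_non_auth_files will stop providing this so it can be used in tunable_policy`. The same comment appears in the rpm.te, secadm.te, selinuxutil.te and both userdomain.if hunks.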

diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 6fc360e..8d44a78 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -412,3 +412,9 @@ optional_policy(`
        usermanage_run_groupadd(rpm_script_t, rpm_roles)
        usermanage_run_useradd(rpm_script_t, rpm_roles)
 ')
+
+ifdef(`distro_gentoo',`
+       # Moved out of files_relabel_non_auth_files as it cannot be used in 
tunables otherwise
+       seutil_relabelto_bin_policy(rpm_t)
+       seutil_relabelto_bin_policy(rpm_script_t)
+')
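Review bot: This hunk grants the permission to both `rpm_t` and `rpm_script_t`, while the dpkg.te hunk grants it only to `dpkg_t` and not to `dpkg_script_t`. Which side is right depends on which domains currently call files_relabel_non_auth_files, and that is not visible in these hunks. If `dpkg_script_t` is a caller, it will lose relabelto on the binary policy type once the interface is trimmed; if `rpm_script_t` is not a caller, `seutil_relabelto_bin_policy(rpm_script_t)` widens what package scriptlets may do. The comment here also says `tunables` where every other hunk says `tunable_policy`.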

diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
index f7791d0..422d445 100644
--- a/policy/modules/roles/secadm.te
+++ b/policy/modules/roles/secadm.te
@@ -74,3 +74,8 @@ optional_policy(`
 optional_policy(`
        vlock_run(secadm_t, secadm_r)
 ')
+
+ifdef(`distro_gentoo',`
+       # Moved out of files_relabel_non_auth_files as it cannot be used in 
tunable_policy otherwise
+       seutil_relabelto_bin_policy(secadm_t)
+')
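Review bot: The explicit grant to `secadm_t` may duplicate the one this commit adds to `userdom_security_admin_template` in userdomain.if, if secadm.te instantiates that template for `secadm_t` (any such call is outside this hunk). Duplicate allow rules are harmless when the policy loads, but the same permission living in two places is easy to miss when it is later revoked or audited. I would keep only one of the two, or note the overlap in the comment, e.g. `# also granted through userdom_security_admin_template`.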

diff --git a/policy/modules/system/selinuxutil.te 
b/policy/modules/system/selinuxutil.te
index 2910423..48566a4 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -660,4 +660,12 @@ ifdef(`distro_gentoo',`
        term_getattr_pty_fs(setfiles_t)
 
        files_read_all_symlinks(setfiles_t)
+
+       ########################################
+       #
+       # restorecond local policy
+       #
+
+       # Moved out of files_relabel_non_auth_files as it cannot be used in 
tunable_policy otherwise
+       seutil_relabelto_bin_policy(restorecond_t)
 ')

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index 6eb83e5..f299e2e 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1241,6 +1241,11 @@ template(`userdom_admin_user_template',`
        optional_policy(`
                userhelper_exec($1_t)
        ')
+
+       ifdef(`distro_gentoo',`
+               # Moved out of files_relabel_non_auth_files as it cannot be 
used in tunable_policy otherwise
+               seutil_relabelto_bin_policy($1_t)
+       ')
 ')
 
 ########################################
@@ -1331,6 +1336,11 @@ template(`userdom_security_admin_template',`
        optional_policy(`
                samhain_run($1, $2)
        ')
+
+       ifdef(`distro_gentoo',`
+               # Moved out of files_relabel_non_auth_files as it cannot be 
used in tunable_policy otherwise
+               seutil_relabelto_bin_policy($1)
+       ')
 ')
 
 ########################################
