diff --git a/refpolicy/policy/modules.conf b/refpolicy/policy/modules.conf
index d3c8605..c5c447d 100644
--- a/refpolicy/policy/modules.conf
+++ b/refpolicy/policy/modules.conf
@@ -189,7 +189,7 @@ logrotate = off
 #
 # Virtual Private Networking client
 #
-vpn = base
+vpn = off
 
 # Layer: admin
 # Module: consoletype
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index 416c7b8..0961259 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -6,12 +6,7 @@ policy_module(rpm,1.0.1)
 #
 # Declarations
 #
-ifdef(`targeted_policy',`
- unconfined_alias_domain(rpm_t)
-',`
- type rpm_t;
-')
-
+type rpm_t;
 type rpm_exec_t;
 init_system_domain(rpm_t,rpm_exec_t)
 domain_obj_id_change_exempt(rpm_t)
@@ -143,6 +138,8 @@ auth_dontaudit_read_shadow(rpm_t)
 corecmd_exec_bin(rpm_t)
 corecmd_exec_sbin(rpm_t)
 
+# transition to rpm script:
+corecmd_shell_domtrans(rpm_t,rpm_script_t)
 domain_exec_all_entry_files(rpm_t)
 domain_read_all_domains_state(rpm_t)
 
@@ -178,11 +175,6 @@ ifdef(`targeted_policy',`
 # unconfined in the targeted policy
 allow rpm_t rpm_log_t:file create_file_perms;
 logging_create_log(rpm_t,rpm_log_t)
-
- # cjp: if rpm_t and xdm_t are aliases of
- # unconfined_t, this will break xdm logins
- # by making users log in to rpm_script_t.
- corecmd_shell_domtrans(rpm_t,rpm_script_t)
 ')
 
 optional_policy(`cron.te',`
diff --git a/refpolicy/policy/modules/services/pegasus.te b/refpolicy/policy/modules/services/pegasus.te
index 09981a8..4efcce4 100644
--- a/refpolicy/policy/modules/services/pegasus.te
+++ b/refpolicy/policy/modules/services/pegasus.te
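Review bot: The `corecmd_shell_domtrans(rpm_t,rpm_script_t)` added in the second rpm.te hunk is now unconditional, and the only written explanation of when that rule is dangerous, the deleted cjp comment about aliases of unconfined_t sending xdm logins into rpm_script_t, leaves with this commit. Since the first hunk is what makes the rule safe (rpm_t is no longer `unconfined_alias_domain` under targeted_policy), that invariant belongs next to the rule, e.g. `# transition to rpm script (relies on rpm_t being a distinct type; if it were ever aliased to unconfined_t again, every shell exec by unconfined domains would land in rpm_script_t)`. The targeted_policy block in the third hunk still opens with the context comment `# unconfined in the targeted policy`, which no longer describes rpm_t after this change and should be reworded or dropped; that ifdef block begins before its hunk and its remainder is unchanged.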
@@ -35,9 +35,9 @@ allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
 allow pegasus_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 allow pegasus_t self:tcp_socket create_stream_socket_perms;
 
-allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
-allow pegasus_t pegasus_conf_t:file create_file_perms;
-allow pegasus_t pegasus_conf_t:lnk_file create_lnk_perms;
+allow pegasus_t pegasus_conf_t:dir r_dir_perms;
+allow pegasus_t pegasus_conf_t:file { r_file_perms link unlink };
+allow pegasus_t pegasus_conf_t:lnk_file r_file_perms;
 
 allow pegasus_t pegasus_data_t:dir rw_dir_perms;
 allow pegasus_t pegasus_data_t:file create_file_perms;
diff --git a/refpolicy/policy/modules/system/corecommands.fc b/refpolicy/policy/modules/system/corecommands.fc
index 59cb49a..298abe0 100644
--- a/refpolicy/policy/modules/system/corecommands.fc
+++ b/refpolicy/policy/modules/system/corecommands.fc
@@ -6,6 +6,7 @@
 /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/ls -- gen_context(system_u:object_r:ls_exec_t,s0)
 /bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -97,8 +98,8 @@ ifdef(`distro_gentoo',`
 /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 # these two lines are separate because of a
 # sorting issue with the java module
-/usr/lib/jvm/java(.*)?/jre/bin -d gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/jvm/java(.*)?/jre/bin/.* gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/jvm/java.*/jre/bin -d gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/jvm/java.*/jre/bin/.* gen_context(system_u:object_r:bin_t,s0)
 
 /usr/lib(64)?/cups/cgi-bin/.* -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/cups/filter/.* -- gen_context(system_u:object_r:bin_t,s0)
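Review bot: The `link unlink` kept on pegasus_conf_t:file in the new `{ r_file_perms link unlink }` line sit oddly beside the new `r_dir_perms` on pegasus_conf_t:dir, which carries no add_name or remove_name, so inside a pegasus_conf_t directory neither permission can take effect; they only matter for a config file that lives in a directory pegasus_t can write, such as pegasus_data_t, and whether such a layout exists is not visible here. If the intent is read-only configuration, `allow pegasus_t pegasus_conf_t:file r_file_perms;` matches the dir and lnk_file lines of the same hunk. If the daemon genuinely must delete or relink part of its config, a comment naming which files and why would stop the asymmetry (deletable but not writable) from being "fixed" in either direction later.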
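Review bot: The new `/bin/ksh.*` entry is looser than every other shell entry in the hunk, which name each binary exactly (`/bin/bash`, `/bin/bash2`, `/bin/tcsh`); `.*` accepts any regular file under /bin whose name begins with ksh and, unlike the `[^/]*` form this file already uses for the mozilla entries, also matches across path separators. shell_exec_t is the label that shell domain transitions key off (this very commit adds one for rpm_t), so over-wide labelling here widens those transitions too. `/bin/ksh[^/]*` keeps the intent of covering ksh variants while staying within /bin; which variants the target distributions actually ship is not visible from this hunk.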
@@ -120,7 +121,7 @@ ifdef(`distro_gentoo',`
 /usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/thunderbird(.*)?/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
 
 /usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)