diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if
index 12f93fa..d630645 100644
--- a/refpolicy/policy/modules/admin/rpm.if
+++ b/refpolicy/policy/modules/admin/rpm.if
@@ -28,6 +28,28 @@ interface(`rpm_domtrans',`
 ########################################
 ##
+## Execute rpm_script programs in the rpm_script domain.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`rpm_script_domtrans',`
+ gen_require(`
+ type rpm_exec_t;
+ ')
+
+ # transition to rpm script:
+ corecmd_shell_domtrans($1,rpm_script_t)
+
+ allow $1 rpm_script_t:fd use;
+ allow rpm_script_t $1:fd use;
+ allow rpm_script_t $1:fifo_file rw_file_perms;
+ allow rpm_script_t $1:process sigchld;
+')
+
+########################################
+##
 ## Execute RPM programs in the RPM domain.
 ##
 ##
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index 847e2c7..27194c3 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -1,5 +1,5 @@
-policy_module(rpm,1.1.0)
+policy_module(rpm,1.1.1)
 ########################################
 #
@@ -47,12 +47,6 @@ files_tmp_file(rpm_script_tmp_t)
 type rpm_script_tmpfs_t;
 files_tmpfs_file(rpm_script_tmpfs_t)
-type rpmbuild_t;
-domain_type(rpmbuild_t)
-
-type rpmbuild_exec_t;
-domain_entry_file(rpmbuild_t,rpmbuild_exec_t)
-
 ########################################
 #
 # rpm Local policy
@@ -140,7 +134,7 @@ auth_dontaudit_read_shadow(rpm_t)
 corecmd_exec_bin(rpm_t)
 corecmd_exec_sbin(rpm_t)
 # transition to rpm script:
-corecmd_shell_domtrans(rpm_t,rpm_script_t)
+rpm_script_domtrans(rpm_t)
 domain_exec_all_entry_files(rpm_t)
 domain_read_all_domains_state(rpm_t)
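Review bot: The `gen_require` block of the new `rpm_script_domtrans` interface declares `type rpm_exec_t;`, yet nothing in the body uses that type — every rule is on `rpm_script_t`, which is not required at all, so a caller in another module (unconfined.te later in this same diff) has no declaration for `rpm_script_t` in a modular build. The require should read `type rpm_script_t;`. Separately, because the transition is built on `corecmd_shell_domtrans`, a caller receives a process type_transition on shell_exec_t that applies to every shell it executes, not only rpm scriptlets; the interface summary should state that, e.g. `## Execute a shell in the rpm_script domain; the transition applies to every shell the caller runs.`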
@@ -362,27 +356,6 @@ ifdef(`TODO',`
 optional_policy(`lpd',`
 can_exec(rpm_script_t,printconf_t)
 ')
-') dnl end TODO
-
-########################################
-#
-# rpm-build Local policy
-#
-
-# cjp: this looks like dead policy. nothing
-# can transition to this domain, nor can it
-# really do anything useful.
-
-selinux_get_fs_mount(rpmbuild_t)
-selinux_validate_context(rpmbuild_t)
-selinux_compute_access_vector(rpmbuild_t)
-selinux_compute_create_context(rpmbuild_t)
-selinux_compute_relabel_context(rpmbuild_t)
-selinux_compute_user_contexts(rpmbuild_t)
-
-seutil_read_src_pol(rpmbuild_t)
-
-ifdef(`TODO',`
 optional_policy(`cups',`
 allow cupsd_t rpm_var_lib_t:dir r_dir_perms;
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 455e384..78365a0 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
-policy_module(hal,1.1.2)
+policy_module(hal,1.1.3)
 ########################################
 #
@@ -182,10 +182,6 @@ optional_policy(`nscd',`
 nscd_use_socket(hald_t)
 ')
-optional_policy(`ntp',`
- ntp_domtrans(hald_t)
-')
-
 optional_policy(`pcmcia',`
 pcmcia_manage_pid(hald_t)
 pcmcia_manage_runtime_chr(hald_t)
diff --git a/refpolicy/policy/modules/services/nis.if b/refpolicy/policy/modules/services/nis.if
index 9193fbe..297c4b7 100644
--- a/refpolicy/policy/modules/services/nis.if
+++ b/refpolicy/policy/modules/services/nis.if
@@ -217,11 +217,11 @@ interface(`nis_tcp_connect_ypbind',`
 #
 interface(`nis_read_ypbind_pid',`
 gen_require(`
- type ypbind_t;
+ type ypbind_var_run_t;
 ')
 files_search_pids($1)
- allow $1 ypbind_t:file r_file_perms;
+ allow $1 ypbind_var_run_t:file r_file_perms;
 ')
 ########################################
diff --git a/refpolicy/policy/modules/system/libraries.fc b/refpolicy/policy/modules/system/libraries.fc
index 82fb18a..e7f1ef0 100644
--- a/refpolicy/policy/modules/system/libraries.fc
+++ b/refpolicy/policy/modules/system/libraries.fc
@@ -113,6 +113,7 @@ ifdef(`distro_redhat',`
 /usr/lib(64)?/.*/program/libsvx680li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/.*/program/libsoffice\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr(/.*)?/pcsc/drivers(/.*)?/libcm(2020|4000|SCR24x)\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/firefox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/mozilla.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/sunbird.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index c4c2a89..37b933d 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
-policy_module(unconfined,1.1.1)
+policy_module(unconfined,1.1.2)
 ########################################
 #
@@ -118,6 +118,7 @@ ifdef(`targeted_policy',`
 optional_policy(`rpm',`
 rpm_domtrans(unconfined_t)
+ rpm_script_domtrans(unconfined_t)
 ')
 optional_policy(`samba',`
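Review bot: The added pcsc entry is much broader than its neighbours: `/usr(/.*)?/pcsc/drivers(/.*)?/` matches a `pcsc/drivers` component at any depth under /usr, while the surrounding entries anchor on `/usr/lib(64)?/`. Because textrel_shlib_t exempts a library from the execmod restriction (it permits text relocations, i.e. mappings that are written and then executed), the pattern should be only as wide as the real install paths need, e.g. `/usr/lib(64)?/pcsc/drivers(/.*)?/libcm(2020|4000|SCR24x)\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`, widened only if these drivers are known to be installed elsewhere. It is also worth confirming that the three libraries actually carry a TEXTREL dynamic tag (`readelf -d ... | grep TEXTREL`) before granting the exemption. The entry sits inside the `ifdef(`distro_redhat',`` block named in the hunk header, which starts and ends outside the hunk.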
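Review bot: `rpm_script_domtrans(unconfined_t)` on the added line installs a process type_transition for unconfined_t on shell_exec_t (the interface added in rpm.if in this same diff is built on `corecmd_shell_domtrans`), so unless the policy build rejects it as conflicting with an existing transition, every shell unconfined_t executes — not only rpm scriptlets — would be labeled rpm_script_t. unconfined_t already reaches rpm_t through `rpm_domtrans` on the line above, and rpm.te transitions rpm_t to rpm_script_t, so the purpose of this direct path is not evident from the diff and deserves a comment, e.g. `# shells run directly by unconfined_t become rpm_script_t (targeted policy only)`. Presumably both domains are unconfined under targeted policy so the relabel is benign, but that should be confirmed before merging. The enclosing `ifdef(`targeted_policy',`` block starts outside the hunk.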