author | 2014-08-06 10:53:19 +0200 | |
---|---|---|
committer | 2014-08-06 20:08:37 +0200 | |
commit | 7ee6f362b949e90e54e31478c86c0eb353a58c84 (patch) | |
tree | 66dffc163fa8246697977345a783ff64722f81ca | |
parent | Merged upstream, so can be removed from the ifdef distro_gentoo (diff) | |
Add seutil_relabelto_bin_policy explicitly to all users
As we are going to move seutil_relabelto_bin_policy outside the
files_relabel_non_auth_files, we first add it to all the users
explicitly.
The move is needed because otherwise files_relabel_non_auth_files cannot
be used inside a tunable_policy statement.
-rw-r--r-- | policy/modules/contrib/dpkg.te | 5 | ||||
-rw-r--r-- | policy/modules/contrib/rpm.te | 6 | ||||
-rw-r--r-- | policy/modules/roles/secadm.te | 5 | ||||
-rw-r--r-- | policy/modules/system/selinuxutil.te | 8 | ||||
-rw-r--r-- | policy/modules/system/userdomain.if | 10 |
5 files changed, 34 insertions, 0 deletions
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index 31c8884d..9bb9d6f6 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -324,3 +324,8 @@ optional_policy(`
 usermanage_run_groupadd(dpkg_script_t, dpkg_roles)
 usermanage_run_useradd(dpkg_script_t, dpkg_roles)
 ')
+
+ifdef(`distro_gentoo',`
+ # Moved out of files_relabel_non_auth_files as it cannot be used in tunable_policy otherwise
+ seutil_relabelto_bin_policy(dpkg_t)
+')
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 6fc360e6..8d44a78a 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -412,3 +412,9 @@ optional_policy(`
 usermanage_run_groupadd(rpm_script_t, rpm_roles)
 usermanage_run_useradd(rpm_script_t, rpm_roles)
 ')
+
+ifdef(`distro_gentoo',`
+ # Moved out of files_relabel_non_auth_files as it cannot be used in tunables otherwise
+ seutil_relabelto_bin_policy(rpm_t)
+ seutil_relabelto_bin_policy(rpm_script_t)
+')
diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
index f7791d07..422d445d 100644
--- a/policy/modules/roles/secadm.te
+++ b/policy/modules/roles/secadm.te
@@ -74,3 +74,8 @@ optional_policy(`
 optional_policy(`
 vlock_run(secadm_t, secadm_r)
 ')
+
+ifdef(`distro_gentoo',`
+ # Moved out of files_relabel_non_auth_files as it cannot be used in tunable_policy otherwise
+ seutil_relabelto_bin_policy(secadm_t)
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 29104239..48566a41 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -660,4 +660,12 @@ ifdef(`distro_gentoo',`
 term_getattr_pty_fs(setfiles_t)
 files_read_all_symlinks(setfiles_t)
+
+ ########################################
+ #
+ # restorecond local policy
+ #
+
+ # Moved out of files_relabel_non_auth_files as it cannot be used in tunable_policy otherwise
+ seutil_relabelto_bin_policy(restorecond_t)
 ')
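Review bot: In the dpkg.te hunk the added comment says the call was "Moved out of files_relabel_non_auth_files", but the commit message says that move has not happened yet, and the comment never states what access is being granted. The same comment is repeated in the rpm.te, secadm.te, selinuxutil.te and both userdomain.if hunks. A comment that names the permission would help anyone auditing who may relabel files to the binary policy type, for example `# Allow relabeling to binary policy files; granted explicitly so files_relabel_non_auth_files can drop it and be used in tunable_policy`.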
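Review bot: The rpm.te hunk grants `seutil_relabelto_bin_policy` to rpm_script_t as well as rpm_t, and nothing in the hunk says why the scriptlet domain needs it. That domain presumably runs package-supplied scripts, so letting it label files as binary policy deserves its own justification. If rpm_script_t never received this access through files_relabel_non_auth_files (its callers are not visible here), the line should be dropped. The comment in this hunk also says "tunables" where the other hunks say "tunable_policy"; using `# ... cannot be used in tunable_policy otherwise` keeps all of them findable with one grep.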
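Review bot: The secadm.te grant to secadm_t looks redundant with the one this commit adds to userdom_security_admin_template in userdomain.if, assuming secadm.te instantiates that template for secadm_t (the call would be outside this hunk). Two sources for the same relabelto permission make it easy to remove one later and wrongly conclude the access is gone. If the template call is present, drop this block or mark the overlap with `# also granted via userdom_security_admin_template`.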
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 6eb83e54..f299e2e4 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1241,6 +1241,11 @@ template(`userdom_admin_user_template',`
 optional_policy(`
 userhelper_exec($1_t)
 ')
+
+ ifdef(`distro_gentoo',`
+ # Moved out of files_relabel_non_auth_files as it cannot be used in tunable_policy otherwise
+ seutil_relabelto_bin_policy($1_t)
+ ')
 ')
 ########################################
@@ -1331,6 +1336,11 @@ template(`userdom_security_admin_template',`
 optional_policy(`
 samhain_run($1, $2)
 ')
+
+ ifdef(`distro_gentoo',`
+ # Moved out of files_relabel_non_auth_files as it cannot be used in tunable_policy otherwise
+ seutil_relabelto_bin_policy($1)
+ ')
 ')
 ######################################## |
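Review bot: In userdom_admin_user_template, and likewise in userdom_security_admin_template in the second hunk, the new call sits at template top level, so every domain built from these templates gets relabelto on binary policy unconditionally. The commit message says the goal is to let files_relabel_non_auth_files be used inside tunable_policy. Once a caller does that, this grant stays on even when the boolean is off, which may not be what the admin toggling it expects. Please confirm that is intended and record it next to the call, e.g. `# intentionally outside any tunable: relabeling to binary policy stays allowed when the boolean is off`. Both template bodies start outside the hunks, so any existing conditional around files_relabel_non_auth_files cannot be checked from here.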