From c9602a0cacd2c94ec816bfe10c5cf91e8019417f Mon Sep 17 00:00:00 2001 From: Nicolas Iooss Date: Tue, 27 Aug 2019 22:39:37 +0200 Subject: [PATCH] files: reduce the scope of the pattern matching /usr/include The pattern that matches /usr/include uses a dot, in order probably to avoid calling m4's function include(). This also matches other paths such as /usr/inclu/e. Such a side-effect can be avoided by inserting an empty string which is removed by m4's preprocessing. Mailing-list discussion: https://lore.kernel.org/selinux-refpolicy/CAJfZ7=krh_TaCBQzFxLM394Sc5-82ZO0DdcfvWON-RXu-wqBVw@mail.gmail.com/t/#u Signed-off-by: Nicolas Iooss --- policy/modules/kernel/files.fc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc index c3496c218..23fb03b4d 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -197,7 +197,8 @@ HOME_ROOT/lost\+found/.* <> /usr/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) -/usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0) +# Avoid calling m4's include by using en empty string +/usr/include`'(/.*)? gen_context(system_u:object_r:usr_t,s0) /usr/local/\.journal <>
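Review bot: the comment line added in the hunk has a typo, "using en empty string" should read "using an empty string"; the comment is otherwise worth keeping, since the `' after include looks like a stray character to anyone unfamiliar with m4 quoting. The substitution itself is correct: `' is an empty quoted string that m4 drops during preprocessing, so the installed pattern becomes /usr/include(/.*)? while the bare word include never reaches m4 as a macro call, and the old /usr/inclu.e(/.*)? pattern, whose dot matched any single character, no longer labels paths such as /usr/inclu/e as usr_t. It would be worth confirming in the commit message that the generated file_contexts after a policy build contains the literal /usr/include(/.*)? entry (and no leftover `'), since that is the artifact this change is meant to fix.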