Commit Graph

25 Commits

Author SHA1 Message Date
Nicolas Iooss f0cade07b2
Remove unescaped single dot from the policy
In a pattern, a dot can match any character, including slash. It makes
sense when it is combined with ?, + or *, but makes little sense when
left alone.

Most of the time, the label was for file containing dots, where the dot
was not escaped. A few times, the dot was really intended to match any
character. In such case, [^/] better suits the intent.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-08-27 23:38:09 +02:00
Luis Ressel 75dcc276c0 miscfiles: Label /usr/share/texmf*/fonts/ as fonts_t
fontconfig can be configure to use the TeX Live fonts in addition to
/usr/share/fonts/.
2018-10-14 13:50:27 -04:00
Guido Trentalancia cc91fed88d base: create a type for SSL private keys
Reserve the tls_privkey_t file label for SSL/TLS private keys (e.g.
files in /etc/pki/*/private/).

Create and use appropriate interfaces for such new scenario (so
that SSL/TLS private keys are protected).

This part (1/2) refers to the base policy changes.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
2017-11-09 17:28:26 -05:00
Russell Coker d97a1cd3c8 refpolicy and certs
The following patch allows mon_t to set limits for it's children and removes
cert_t labelling from CA public keys (that aren't secret) so that processes
which only need to verify keys (EG https clients) don't need cert_t access.
2017-10-30 21:38:27 -04:00
Luis Ressel 2da36b7d71 system/miscfiles: Generalize the man_t fc's
This won't match subdirectories of /usr/lib, but that shouldn't be a
problem, since we have "allow domain lib_t ..." anyway.

We can't match on "/usr/(.*/)?man(/.*)?", since that'd result in a few
false positives; in particular, the files
  /usr/share/xmlto/format/docbook/man
  /usr/share/bash-completion/completions/man
2017-06-07 19:19:22 -04:00
Laurent Bigonville b963532e7c Label /etc/locale.alias as locale_t on Debian
On Debian, /usr/share/locale/locale.alias is a symlink to
/etc/locale.alias, properly label this file.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=707246
2014-04-21 09:02:26 -04:00
Laurent Bigonville d30d36a2fe Label /usr/local/share/ca-certificates(/.*)? as cert_t
On Debian, this directory can contain locally trusted certificates that
will be then be symlinked to /etc/ssl/certs by
update-ca-certificates(8), the files should be labelled as cert_t.
2014-04-11 09:26:12 -04:00
Laurent Bigonville b7bd94f923 Properly label the manpages installed by postgresql
The postgresql manpages are installed under a private directory, some of
them are symlinked to the usual location.

Properly labeling them ensure that mandb can read them.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740591
2014-04-11 09:26:12 -04:00
Chris PeBenito bf0f91c63d Whitespace fix in miscfiles.fc. 2012-11-26 11:07:16 -05:00
Dominick Grift dce8c71b5f Label /var/cache/man with a private man cache type for mandb
Since /var/cache/man was previously labeled man_t, make sure that the old
interfaces with regard to man_t also support man_cache_t

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-11-26 10:56:12 -05:00
Laurent Bigonville e5c59868be Add Debian location for PKI files 2012-10-02 10:10:59 -04:00
Sven Vermeulen b55726771e Simplify .fc in light of file_contexts.subs_dist
Now that we have file_contexts.subs_dist, translations that were put in the file context definition files can now be
cleaned up.

Differences from v1:
- removes a few duplicate entries in the libraries.fc file, and
- removes the contrib references

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-05-10 10:09:00 -04:00
Chris PeBenito a2e8969d04 Additional miscfiles tweaks. 2010-11-17 09:30:44 -05:00
Jeremy Solt d19a291e4e system_miscfiles patch from Dan Walsh
"move cobbler, Allow policy to define certs."
2010-11-17 09:30:44 -05:00
Chris PeBenito d0a6df5c47 Miscfiles patch from Dan Walsh. 2010-03-09 10:44:55 -05:00
Chris PeBenito 27eab81f2f Misc fixes for 1031ee6. 2010-02-08 13:38:48 -05:00
Dominick Grift 1031ee6f6a Implement cobblerd policy.
My previous version had a minor bug in admin_role where it was using cobblerd_var_log_t, and cobblerd_var_lib_t instead of cobbler_var_log_t, and cobbler_var_lib_t.

Whilst i was at it, i decided the implement a cobbler_etc_t for cobbler content in /etc. This because you cannot admin a cobbler environment witouth having access to cobbler config files and i dont want to give cobbler_admin access to manage etc_t.

As a consequence if this i also removed the files_read_etc_files(cobblerd_t), as i think that cobbler only needed it to read its own files in /etc. However this is not confirmed, and it may need read access to etc_t afteral.

Also i would like to underscore my reason for using public_content_rw_t. One of the reasons is that i do not want to give cobbler access to manage httpd_sys_content_rw_t. In general i do not want to depend on apache module at all.

Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <pebenito@gentoo.org>
2010-02-08 12:56:01 -05:00
Chris PeBenito 244b45d225 trunk: 3 patches from dan. 2009-03-20 13:58:15 +00:00
Chris PeBenito 556556cdd0 trunk: 3 more cherry picked Fedora fixes from David Hrdeman. 2008-07-25 12:11:14 +00:00
Chris PeBenito 8d2c34195e trunk: updates from dan on 9 modules 2007-08-22 20:02:41 +00:00
Chris PeBenito ecc98e19e3 patches for file contexts in networkmanager, miscfiles, corecommands, devices, and java from Dan Walsh. 2007-03-01 15:43:39 +00:00
Chris PeBenito d6d16b9796 patch from dan Wed, 29 Nov 2006 17:06:40 -0500 2006-12-04 20:10:56 +00:00
Chris PeBenito 91dabf4d78 fix up usb.ids per distro 2006-09-05 14:31:27 +00:00
Chris PeBenito a5e2133bc8 patch from dan Wed, 23 Aug 2006 14:03:49 -0400 2006-08-29 02:41:00 +00:00
Chris PeBenito 17de1b790b remove extra level of directory 2006-07-12 20:32:27 +00:00