From 90599ef760879865e24feedbda30abd7608368e8 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss
Date: Sat, 19 Mar 2016 10:30:42 +0100
Subject: [PATCH 1/5] Label TexLive scripts bin_t

These scripts can be run by users.
---
 policy/modules/kernel/corecommands.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index a8516fb0a..0a6672cf5 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -319,6 +319,7 @@ ifdef(`distro_gentoo',`
 /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0)
+/usr/share/texmf-dist/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)

From 55f64a8112a3839b443764e6288bbdf99541519b Mon Sep 17 00:00:00 2001
From: Nicolas Iooss
Date: Sat, 19 Mar 2016 10:30:42 +0100
Subject: [PATCH 2/5] Label system-config-printer applet properly on Arch Linux

It is used by system-config-printer, as shown by these AVC denials:
avc: denied { execute } for pid=1061 comm="system-config-p" name="applet.py" dev="dm-0" ino=9568316 scontext=sysadm_u:sysadm_r:sysadm_t tcontext=system_u:object_r:usr_t tclass=file permissive=1
avc: denied { execute_no_trans } for pid=1061 comm="system-config-p" path="/usr/share/system-config-printer/applet.py" dev="dm-0" ino=9568316 scontext=sysadm_u:sysadm_r:sysadm_t tcontext=system_u:object_r:usr_t tclass=file permissive=1
---
 policy/modules/kernel/corecommands.fc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 0a6672cf5..356d18fcb 100644
--- a/policy/modules/kernel/corecommands.fc
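Review bot: The added `/usr/share/texmf-dist/scripts(/.*)?` entry labels the entire tree bin_t, the same blanket form that patch 5 of this series has to narrow for /usr/lib/gvfs after a library under that directory inherited bin_t and geoclue was denied read and open on it. If the texmf-dist scripts tree also holds modules or data files that the scripts load rather than execute, those would receive the same wrong label; confirming the layout on the target distributions, or restricting the pattern to the executable scripts once that is known, would avoid a follow-up of the patch-5 kind. The `/usr/lib/at-spi2-core(/.*)?` entry in patch 4 takes the same tree-wide form and the same question applies there. The hunk header announces 6 old lines but only 5 context lines are visible here, which looks like a blank line lost in rendering rather than a malformed patch.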
+++ b/policy/modules/kernel/corecommands.fc
@@ -319,6 +319,7 @@ ifdef(`distro_gentoo',`
 /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-printer/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/texmf-dist/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -376,7 +377,6 @@ ifdef(`distro_redhat', `
 /usr/share/system-config-network/neat-control\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/system-config-nfs/nfs-export\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/system-config-nfs/system-config-nfs\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-printer/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0)

From 2cedfc0ada027edbcbf72bc339dfef65e85247ac Mon Sep 17 00:00:00 2001
From: Nicolas Iooss
Date: Sat, 19 Mar 2016 10:30:42 +0100
Subject: [PATCH 3/5] Label gedit plugins properly on Arch Linux

---
 policy/modules/kernel/corecommands.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 356d18fcb..7da57831d 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
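Review bot: The `/usr/share/system-config-printer/applet\.py` entry is not added for Arch alone: the second hunk of this patch removes the identical line from the `distro_redhat` block, so the bin_t label now applies unconditionally on every distribution while the subject line says "on Arch Linux". That is a sensible outcome, but the commit message should state that the entry is moved out of the Red Hat block rather than duplicated, so a reader does not go looking for an Arch-specific conditional. Whether line 319 itself sits inside a distribution block cannot be told from the hunk header, since the `distro_gentoo` text there is only diff's nearest-preceding-line context. The diff header of this patch begins on the previous physical line.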
@@ -296,6 +296,7 @@ ifdef(`distro_gentoo',`
 /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/cvs/contrib/rcs2log -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/gedit/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/gitolite/hooks/gitolite-admin/post-update -- gen_context(system_u:object_r:bin_t,s0)

From 4b1cd5b3693a9f5ad0fd96a1c940817e8a69cff5 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss
Date: Sat, 19 Mar 2016 10:30:42 +0100
Subject: [PATCH 4/5] Label some user session DBus services as bin_t

---
 policy/modules/kernel/corecommands.fc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 7da57831d..a098dbbd8 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -193,6 +193,7 @@ ifdef(`distro_gentoo',`
 /usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/at-spi2-core(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/avahi/avahi-daemon-check-dns\.sh -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0)
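Review bot: The new `/usr/share/gedit/plugins/externaltools/tools(/.*)?` line repeats the `gedit-2` entry directly below it with only the directory name changed; a single pattern `/usr/share/gedit(-2)?/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)` covers both and keeps them in step if the context is ever revised. This is a style point only, since the two lines assign the same label. The diff header for this patch begins on the previous physical line.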
@@ -206,8 +207,10 @@ ifdef(`distro_gentoo',`
 /usr/lib/cups(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/cyrus/.* -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/dconf/dconf-service -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/evince/evinced -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/getconf(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)

From e43b1e2ffcd66d47956971f84eb38844c5fd4987 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss
Date: Sat, 19 Mar 2016 10:30:42 +0100
Subject: [PATCH 5/5] Do not label /usr/lib/gvfs/libgvfscommon.so as bin_t

On Arch Linux, /usr/lib/gvfs directory contains both executable files (gvfsd, gvfs-udisks2-volume-monitor...) and libraries (libgvfscommon.so and libgvfsdaemon.so). As all executable files are prefixed with "gfvs", so use this to distinguish them with the libraries. This fixes the following AVC denials, reported from geoclue service using a library wrongly labelled bin_t:
avc: denied { read } for pid=14872 comm="geoclue" name="libgvfscommon.so" dev="dm-0" ino=3152594 scontext=system_u:system_r:geoclue_t tcontext=system_u:object_r:bin_t tclass=file permissive=1
avc: denied { open } for pid=14872 comm="geoclue" path="/usr/lib/gvfs/libgvfscommon.so" dev="dm-0" ino=3152594 scontext=system_u:system_r:geoclue_t tcontext=system_u:object_r:bin_t tclass=file permissive=1
avc: denied { execute } for pid=14872 comm="geoclue" path="/usr/lib/gvfs/libgvfscommon.so" dev="dm-0" ino=3152594 scontext=system_u:system_r:geoclue_t tcontext=system_u:object_r:bin_t tclass=file permissive=1
---
 policy/modules/kernel/corecommands.fc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index a098dbbd8..1fe35ae1e 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -216,7 +216,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/lib/git-core(/.*) -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/gnome-settings-daemon/.* -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/gvfs/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/gvfs/gvfs.* -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/kde4/libexec/.* -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
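Review bot: After this change the two libraries under /usr/lib/gvfs match no corecommands entry at all, so their label depends on whichever more general /usr/lib pattern the other .fc modules provide; the commit message says bin_t was wrong but not which label the files are expected to receive, and one sentence naming the intended result would make the fix checkable with `matchpathcon /usr/lib/gvfs/libgvfscommon.so` on an affected system. The new `/usr/lib/gvfs/gvfs.*` pattern is also a naming-convention match: any future executable in that directory without the gvfs prefix silently falls back to the same generic label and loses bin_t, which the message could acknowledge. In the description, 'prefixed with "gfvs"' should read 'prefixed with "gvfs"', and 'distinguish them with the libraries' should read 'distinguish them from the libraries'.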