From 609ffa1d2ed490c7d5c77d2dd2dfdc50f415b935 Mon Sep 17 00:00:00 2001
From: Radovan Sroka <rsroka@redhat.com>
Date: Thu, 24 Mar 2022 09:59:05 +0100
Subject: [PATCH] Reorder loop holes with patterns in rules.d
- this keeps backwards compatibility with older versions of rules
- the ld_so pattern was applied to root
- it caused problems with running ldd as root(previously unrestricted)
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
---
fapolicyd.spec | 6 +++---
rules.d/{30-dracut.rules => 20-dracut.rules} | 0
rules.d/{30-updaters.rules => 21-updaters.rules} | 0
rules.d/{20-patterns.rules => 30-patterns.rules} | 0
rules.d/Makefile.am | 4 ++--
rules.d/README-rules | 16 ++++++++--------
6 files changed, 13 insertions(+), 13 deletions(-)
rename rules.d/{30-dracut.rules => 20-dracut.rules} (100%)
rename rules.d/{30-updaters.rules => 21-updaters.rules} (100%)
rename rules.d/{20-patterns.rules => 30-patterns.rules} (100%)
diff --git a/fapolicyd.spec b/fapolicyd.spec
index c2aae21..261b780 100644
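--- a/fapolicyd.spec
+++ b/fapolicyd.spec
@@ -66,9 +66,9 @@ if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then
 if [ "$files" -eq 0 ] ; then
 ## Install the known libs policy
 cp %{_datadir}/%{name}/sample-rules/10-languages.rules %{_sysconfdir}/%{name}/rules.d/
-cp %{_datadir}/%{name}/sample-rules/20-patterns.rules %{_sysconfdir}/%{name}/rules.d/
-cp %{_datadir}/%{name}/sample-rules/30-dracut.rules %{_sysconfdir}/%{name}/rules.d/
-cp %{_datadir}/%{name}/sample-rules/30-updaters.rules %{_sysconfdir}/%{name}/rules.d/
+cp %{_datadir}/%{name}/sample-rules/20-dracut.rules %{_sysconfdir}/%{name}/rules.d/
+cp %{_datadir}/%{name}/sample-rules/21-updaters.rules %{_sysconfdir}/%{name}/rules.d/
+cp %{_datadir}/%{name}/sample-rules/30-patterns.rules %{_sysconfdir}/%{name}/rules.d/
 cp %{_datadir}/%{name}/sample-rules/40-bad-elf.rules %{_sysconfdir}/%{name}/rules.d/
 cp %{_datadir}/%{name}/sample-rules/41-shared-obj.rules %{_sysconfdir}/%{name}/rules.d/
 cp %{_datadir}/%{name}/sample-rules/42-trusted-elf.rules %{_sysconfdir}/%{name}/rules.d/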
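Review bot: The renamed `cp` lines run only inside `if [ "$files" -eq 0 ]`, so a host that already has `20-patterns.rules`, `30-dracut.rules` and `30-updaters.rules` in `%{_sysconfdir}/%{name}/rules.d/` appears to keep the old evaluation order after an upgrade and would not receive the reordering the commit message describes for root. Because the README states the files are processed in sort order, the scriptlet should either migrate the three old names or carry a comment such as `## NOTE: an existing rules.d/ is left untouched; 20-patterns/30-dracut/30-updaters must be renamed by the admin`. Placing the loop-hole files ahead of the patterns presumably lets their rules match before the pattern rules for the subjects they cover, so that policy change deserves a line in the package changelog. The scriptlet begins and ends outside this hunk, so how `$files` is computed cannot be confirmed from here.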
diff --git a/rules.d/30-dracut.rules b/rules.d/20-dracut.rules
similarity index 100%
rename from rules.d/30-dracut.rules
rename to rules.d/20-dracut.rules
diff --git a/rules.d/30-updaters.rules b/rules.d/21-updaters.rules
similarity index 100%
rename from rules.d/30-updaters.rules
rename to rules.d/21-updaters.rules
diff --git a/rules.d/20-patterns.rules b/rules.d/30-patterns.rules
similarity index 100%
rename from rules.d/20-patterns.rules
rename to rules.d/30-patterns.rules
diff --git a/rules.d/Makefile.am b/rules.d/Makefile.am
index 76b5377..9bb61a7 100644
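--- a/rules.d/Makefile.am
+++ b/rules.d/Makefile.am
@@ -23,8 +23,8 @@
 
 CONFIG_CLEAN_FILES = *.rej *.orig
 
-EXTRA_DIST = README-rules 10-languages.rules 20-patterns.rules \
- 30-dracut.rules 30-updaters.rules \
+EXTRA_DIST = README-rules 10-languages.rules 20-dracut.rules \
+ 21-updaters.rules 30-patterns.rules \
 40-bad-elf.rules 41-shared-obj.rules 42-trusted-elf.rules \
 43-known-elf.rules \
 70-trusted-lang.rules 71-known-python.rules 72-shell.rules \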
diff --git a/rules.d/README-rules b/rules.d/README-rules
index c03c02b..30fcd01 100644
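--- a/rules.d/README-rules
+++ b/rules.d/README-rules
@@ -5,8 +5,8 @@ sort order. To make things easier to use, the files in this directory are
 organized into groups with the following meanings:
 
 10 - macros
-20 - patterns
-30 - loop holes
+20 - loop holes
+30 - patterns
 40 - ELF rules
 50 - user/group access rules
 60 - application access rules
@@ -25,9 +25,9 @@ You can reconstruct the old policy files by including the following:
 fapolicyd.rules.known-libs
 --------------------------
 10-languages.rules
-20-patterns.rules
-30-dracut.rules
-30-updaters.rules
+20-dracut.rules
+21-updaters.rules
+30-patterns.rules
 40-bad-elf.rules
 41-shared-obj.rules
 42-trusted-elf.rules
@@ -39,9 +39,9 @@ fapolicyd.rules.known-libs
 fapolicyd.rules.restrictive
 ---------------------------
 10-languages.rules
-20-patterns.rules
-30-dracut.rules
-30-updaters.rules
+20-dracut.rules
+21-updaters.rules
+30-patterns.rules
 40-bad-elf.rules
 41-shared-obj.rules
 43-known-elf.rules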
--
2.35.1