From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
Date: Mon, 1 Feb 2021 02:10:08 +0000 (UTC)
Message-ID: <1612142502.d2423ae4bde7048042e80957e3c727eb59e04c8b.perfinion@gentoo>
commit: d2423ae4bde7048042e80957e3c727eb59e04c8b
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Wed Jan 27 03:15:50 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 1 01:21:42 2021 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d2423ae4
misc services patches with changes Dominick and Chris wanted
I think this one is ready to merge.
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/apache.fc | 6 +++++-
policy/modules/services/apache.if | 22 ++++++++++++++++++++
policy/modules/services/apache.te | 15 ++++++++++++--
policy/modules/services/aptcacher.fc | 5 ++++-
policy/modules/services/aptcacher.if | 40 ++++++++++++++++++++++++++++++++++++
policy/modules/services/aptcacher.te | 2 ++
policy/modules/services/bind.te | 1 +
policy/modules/services/colord.te | 10 +++++++++
policy/modules/services/cron.te | 12 +++++++++++
policy/modules/services/cups.te | 3 ++-
policy/modules/services/devicekit.te | 2 ++
policy/modules/services/entropyd.te | 1 +
policy/modules/services/fail2ban.te | 2 ++
policy/modules/services/jabber.te | 3 +++
policy/modules/services/l2tp.te | 1 +
policy/modules/services/mon.te | 7 ++++++-
policy/modules/services/mysql.fc | 1 +
policy/modules/services/mysql.te | 7 ++++++-
policy/modules/services/openvpn.te | 10 +++++++++
policy/modules/services/postgrey.te | 1 +
policy/modules/services/rpc.te | 1 +
policy/modules/services/samba.te | 18 ++++++++++++++--
policy/modules/services/smartmon.te | 2 +-
policy/modules/services/squid.te | 2 ++
policy/modules/services/tor.te | 1 +
policy/modules/services/watchdog.te | 2 ++
policy/modules/services/xserver.if | 1 +
27 files changed, 168 insertions(+), 10 deletions(-)
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
index 52879fe1..6c4ddba7 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -80,6 +80,8 @@ ifndef(`distro_gentoo',`
/usr/sbin/hiawatha -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/php.*-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/php-fpm[^/]+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
ifndef(`distro_gentoo',`
/usr/sbin/nginx -- gen_context(system_u:object_r:httpd_exec_t,s0)
@@ -152,7 +154,7 @@ ifndef(`distro_gentoo',`
/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_runtime_t,s0)
/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
+/var/lib/squirrelmail(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
/var/lib/stickshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
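Review bot: Widening the squirrelmail entry from /var/lib/squirrelmail/prefs(/.*)? to /var/lib/squirrelmail(/.*)? labels the whole tree httpd_squirrelmail_t, a type that apache.te lets httpd_t manage (dirs, files and symlinks) and, with this commit, map. If only certain subdirectories beside prefs need the label, list them explicitly so the rest of the tree keeps its default label; otherwise say in the commit message why the whole directory must be writable by the web server.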
@@ -180,6 +182,7 @@ ifndef(`distro_gentoo',`
/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/log/php7..-fpm.log -- gen_context(system_u:object_r:httpd_log_t,s0)
/run/apache.* gen_context(system_u:object_r:httpd_runtime_t,s0)
/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_runtime_t,s0)
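Review bot: The new /var/log/php7..-fpm.log entry leaves the dot before "log" unescaped and hardcodes major version 7, so it matches unintended names and will stop matching once the log is named for another PHP major version. The neighbouring entries escape literal dots (for example suphp\.log.*); something like /var/log/php[0-9.]*-fpm\.log.* would follow that convention, stay version independent and also cover rotated logs.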
@@ -188,6 +191,7 @@ ifndef(`distro_gentoo',`
/run/httpd.* gen_context(system_u:object_r:httpd_runtime_t,s0)
/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_runtime_t,s0)
/run/mod_.* gen_context(system_u:object_r:httpd_runtime_t,s0)
+/run/php(/.*)? gen_context(system_u:object_r:httpd_runtime_t,s0)
/run/wsgi.* -s gen_context(system_u:object_r:httpd_runtime_t,s0)
/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index f8c6c909..44767359 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -71,6 +71,7 @@ template(`apache_content_template',`
manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ allow httpd_$1_script_t httpd_$1_rw_content_t:file map;
manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
@@ -97,6 +98,8 @@ template(`apache_content_template',`
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file })
+ allow httpd_t httpd_$1_content_t:file map;
+ allow httpd_t httpd_$1_rw_content_t:file map;
')
')
@@ -1023,6 +1026,7 @@ interface(`apache_manage_sys_rw_content',`
apache_search_sys_content($1)
manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ allow $1 httpd_sys_rw_content_t:file map;
manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
')
@@ -1149,6 +1153,24 @@ interface(`apache_append_squirrelmail_data',`
allow $1 httpd_squirrelmail_t:file append_file_perms;
')
+########################################
+## <summary>
+## delete httpd squirrelmail spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_delete_squirrelmail_spool',`
+ gen_require(`
+ type squirrelmail_spool_t;
+ ')
+
+ delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t)
+')
+
########################################
## <summary>
## Search httpd system content.
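Review bot: apache_delete_squirrelmail_spool grants delete_files_pattern on squirrelmail_spool_t but, unlike the aptcacher interfaces added in this same commit (which call files_search_etc first), it does not let the caller search the parent spool directory, so a caller without that access elsewhere will still be denied. Consider adding files_search_spool($1) before the pattern, and capitalise the summary ("Delete httpd squirrelmail spool files.") to match the other interface headers in this file.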
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 39685bef..da43a1d8 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -381,6 +381,7 @@ manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
files_var_filetrans(httpd_t, httpd_cache_t, dir)
+allow httpd_t httpd_cache_t:file map;
allow httpd_t httpd_config_t:dir list_dir_perms;
read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
@@ -389,7 +390,7 @@ read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
allow httpd_t httpd_htaccess_type:file read_file_perms;
allow httpd_t httpd_ro_content:dir list_dir_perms;
-allow httpd_t httpd_ro_content:file read_file_perms;
+allow httpd_t httpd_ro_content:file { map read_file_perms };
allow httpd_t httpd_ro_content:lnk_file read_lnk_file_perms;
allow httpd_t httpd_keytab_t:file read_file_perms;
@@ -416,6 +417,7 @@ allow httpd_t httpd_rotatelogs_t:process signal_perms;
manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+allow httpd_t httpd_squirrelmail_t:file map;
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
@@ -425,6 +427,7 @@ allow httpd_t httpd_sys_script_t:process signull;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+allow httpd_t httpd_tmp_t:file map;
manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
@@ -439,6 +442,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_fi
manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
+allow httpd_t httpd_var_lib_t:file map;
manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
@@ -460,6 +464,7 @@ domtrans_pattern(httpd_t, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
kernel_read_kernel_sysctls(httpd_t)
+kernel_read_crypto_sysctls(httpd_t)
kernel_read_vm_sysctls(httpd_t)
kernel_read_vm_overcommit_sysctl(httpd_t)
kernel_read_network_state(httpd_t)
@@ -484,6 +489,7 @@ dev_read_sysfs(httpd_t)
dev_read_rand(httpd_t)
dev_read_urand(httpd_t)
dev_rw_crypto(httpd_t)
+dev_rwx_zero(httpd_t)
domain_use_interactive_fds(httpd_t)
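Review bot: dev_rwx_zero(httpd_t) is added unconditionally and with no comment, yet it lets every httpd_t process create executable mappings of /dev/zero, which is a noticeably stronger grant than the dev_read_rand, dev_read_urand and dev_rw_crypto lines around it. Please add a comment naming the component that needs it, and consider placing it inside a tunable_policy block so that sites not running that component do not carry the permission.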
@@ -492,10 +498,12 @@ fs_search_auto_mountpoints(httpd_t)
fs_read_anon_inodefs_files(httpd_t)
fs_rw_inherited_hugetlbfs_files(httpd_t)
+fs_mmap_rw_hugetlbfs_files(httpd_t)
fs_read_iso9660_files(httpd_t)
files_dontaudit_getattr_all_runtime_files(httpd_t)
files_read_usr_files(httpd_t)
+files_map_usr_files(httpd_t)
files_list_mnt(httpd_t)
files_search_spool(httpd_t)
files_read_var_symlinks(httpd_t)
@@ -504,6 +512,7 @@ files_search_home(httpd_t)
files_getattr_home_dir(httpd_t)
files_read_etc_runtime_files(httpd_t)
files_read_var_lib_symlinks(httpd_t)
+files_map_etc_files(httpd_t)
auth_use_nsswitch(httpd_t)
@@ -573,7 +582,7 @@ tunable_policy(`httpd_builtin_scripting',`
exec_files_pattern(httpd_t, httpd_script_exec_type, httpd_script_exec_type)
allow httpd_t httpdcontent:dir list_dir_perms;
- allow httpd_t httpdcontent:file read_file_perms;
+ allow httpd_t httpdcontent:file { map read_file_perms };
allow httpd_t httpdcontent:lnk_file read_lnk_file_perms;
allow httpd_t httpd_ra_content:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
@@ -614,6 +623,7 @@ tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
+ allow httpd_t httpdcontent:file map;
manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent)
manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent)
@@ -899,6 +909,7 @@ optional_policy(`
#
read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)
+allow httpd_t httpd_config_t:file map;
append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
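Review bot: The added rule "allow httpd_t httpd_config_t:file map;" has httpd_t as its source but sits in the httpd_helper_t local policy block, between read_files_pattern(httpd_helper_t, ...) and append_files_pattern(httpd_helper_t, ...). If the helper needs to map its config, the source should be httpd_helper_t; if httpd_t is intended, move the line up next to the httpd_t rules for httpd_config_t (the hunk at -389) so the grant is found where readers expect it.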
diff --git a/policy/modules/services/aptcacher.fc b/policy/modules/services/aptcacher.fc
index 5f27bb04..fcdc96a8 100644
--- a/policy/modules/services/aptcacher.fc
+++ b/policy/modules/services/aptcacher.fc
@@ -2,12 +2,15 @@
/usr/lib/apt-cacher-ng/acngtool -- gen_context(system_u:object_r:acngtool_exec_t,s0)
-/usr/sbin/apt-cacher-ng -- gen_context(system_u:object_r:aptcacher_exec_t,s0)
+/usr/sbin/apt-cacher.* -- gen_context(system_u:object_r:aptcacher_exec_t,s0)
+/run/apt-cacher(/.*)? gen_context(system_u:object_r:aptcacher_runtime_t,s0)
/run/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_runtime_t,s0)
+/var/cache/apt-cacher(/.*)? gen_context(system_u:object_r:aptcacher_cache_t,s0)
/var/cache/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_cache_t,s0)
/var/lib/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_lib_t,s0)
+/var/log/apt-cacher(/.*)? gen_context(system_u:object_r:aptcacher_log_t,s0)
/var/log/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_log_t,s0)
diff --git a/policy/modules/services/aptcacher.if b/policy/modules/services/aptcacher.if
index 12c1335a..8c99a699 100644
--- a/policy/modules/services/aptcacher.if
+++ b/policy/modules/services/aptcacher.if
@@ -63,3 +63,43 @@ interface(`aptcacher_stream_connect',`
files_search_runtime($1)
stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t, aptcacher_t)
')
+
+######################################
+## <summary>
+## read aptcacher config
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to read it.
+## </summary>
+## </param>
+#
+interface(`aptcacher_read_config',`
+ gen_require(`
+ type aptcacher_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 aptcacher_etc_t:dir list_dir_perms;
+ allow $1 aptcacher_etc_t:file read_file_perms;
+')
+
+######################################
+## <summary>
+## mmap and read aptcacher config
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to read it.
+## </summary>
+## </param>
+#
+interface(`aptcacher_mmap_read_config',`
+ gen_require(`
+ type aptcacher_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 aptcacher_etc_t:dir list_dir_perms;
+ allow $1 aptcacher_etc_t:file mmap_read_file_perms;
+')
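Review bot: The two new interface headers do not follow the documentation style of the rest of the tree: the summaries start in lower case with no full stop ("read aptcacher config", "mmap and read aptcacher config") and the parameter text is "Domain allowed to read it." where other interfaces use "Domain allowed access.". Also, only aptcacher_mmap_read_config gains a caller in this commit (cron.te), so aptcacher_read_config is added unused; either drop it or note the intended caller.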
diff --git a/policy/modules/services/aptcacher.te b/policy/modules/services/aptcacher.te
index 57ceaed5..d9089a77 100644
--- a/policy/modules/services/aptcacher.te
+++ b/policy/modules/services/aptcacher.te
@@ -75,6 +75,8 @@ corenet_tcp_connect_http_port(aptcacher_t)
auth_use_nsswitch(aptcacher_t)
+files_read_etc_files(aptcacher_t)
+
# Uses sd_notify() to inform systemd it has properly started
init_dgram_send(aptcacher_t)
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 1eceba35..57ae7be3 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -149,6 +149,7 @@ domain_use_interactive_fds(named_t)
files_read_etc_runtime_files(named_t)
files_read_usr_files(named_t)
+files_map_usr_files(named_t)
fs_getattr_all_fs(named_t)
fs_search_auto_mountpoints(named_t)
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
index 1eba7d63..ca035d5e 100644
--- a/policy/modules/services/colord.te
+++ b/policy/modules/services/colord.te
@@ -31,6 +31,8 @@ allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
allow colord_t self:tcp_socket { accept listen };
allow colord_t self:shm create_shm_perms;
+can_exec(colord_t, colord_exec_t)
+
manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
files_tmp_filetrans(colord_t, colord_tmp_t, { file dir })
@@ -127,6 +129,10 @@ optional_policy(`
policykit_read_reload(colord_t)
')
+optional_policy(`
+ snmp_read_snmp_var_lib_files(colord_t)
+')
+
optional_policy(`
sysnet_exec_ifconfig(colord_t)
')
@@ -135,6 +141,10 @@ optional_policy(`
udev_read_runtime_files(colord_t)
')
+optional_policy(`
+ unconfined_dbus_send(colord_t)
+')
+
optional_policy(`
xserver_read_xdm_lib_files(colord_t)
xserver_use_xdm_fds(colord_t)
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 69de0c54..72e1d8c4 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -309,6 +309,8 @@ init_start_all_units(system_cronjob_t)
init_get_generic_units_status(system_cronjob_t)
init_get_system_status(system_cronjob_t)
+backup_manage_store_files(system_cronjob_t)
+
auth_manage_var_auth(crond_t)
auth_use_pam(crond_t)
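Review bot: backup_manage_store_files(system_cronjob_t) is called at top level, while every other cross-module call this commit adds to cron.te (aptcacher, spamassassin, apache) is wrapped in optional_policy. A bare call makes cron depend on the backup module being built, so wrap it in an optional_policy block. It is also dropped between the init_ and auth_ groups; the optional blocks further down the file are the more natural place.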
@@ -344,6 +346,11 @@ ifdef(`distro_debian',`
dpkg_manage_db(system_cronjob_t)
')
+ optional_policy(`
+ aptcacher_mmap_read_config(system_cronjob_t)
+ corenet_tcp_connect_aptcacher_port(system_cronjob_t)
+ ')
+
optional_policy(`
logwatch_search_cache_dir(crond_t)
')
@@ -432,6 +439,7 @@ optional_policy(`
init_dbus_chat(crond_t)
init_dbus_chat(system_cronjob_t)
systemd_dbus_chat_logind(system_cronjob_t)
+ systemd_read_journal_files(system_cronjob_t)
systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
# so cron jobs can restart daemons
init_stream_connect(system_cronjob_t)
@@ -501,6 +509,7 @@ corenet_tcp_sendrecv_generic_if(system_cronjob_t)
corenet_udp_sendrecv_generic_if(system_cronjob_t)
corenet_tcp_sendrecv_generic_node(system_cronjob_t)
corenet_udp_sendrecv_generic_node(system_cronjob_t)
+corenet_udp_bind_generic_node(system_cronjob_t)
dev_getattr_all_blk_files(system_cronjob_t)
dev_getattr_all_chr_files(system_cronjob_t)
@@ -583,6 +592,7 @@ optional_policy(`
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
apache_delete_lib_files(system_cronjob_t)
+ apache_delete_squirrelmail_spool(system_cronjob_t)
')
optional_policy(`
@@ -655,6 +665,8 @@ optional_policy(`
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
+ spamassassin_status(system_cronjob_t)
+ spamassassin_reload(system_cronjob_t)
')
optional_policy(`
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
index 9ead4c30..f6e4a0e6 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -111,11 +111,12 @@ ifdef(`enable_mls',`
allow cupsd_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill setgid setuid sys_admin sys_rawio sys_resource sys_tty_config };
dontaudit cupsd_t self:capability { net_admin sys_tty_config };
-allow cupsd_t self:capability2 block_suspend;
+allow cupsd_t self:capability2 { block_suspend wake_alarm };
allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
allow cupsd_t self:fifo_file rw_fifo_file_perms;
allow cupsd_t self:unix_stream_socket { accept connectto listen };
allow cupsd_t self:netlink_selinux_socket create_socket_perms;
+allow cupsd_t self:netlink_kobject_uevent_socket create_socket_perms;
allow cupsd_t self:shm create_shm_perms;
allow cupsd_t self:sem create_sem_perms;
allow cupsd_t self:tcp_socket { accept listen };
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index fcae68a5..b69c8113 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -131,6 +131,8 @@ fs_mount_all_fs(devicekit_disk_t)
fs_unmount_all_fs(devicekit_disk_t)
fs_search_all(devicekit_disk_t)
+mount_rw_runtime_files(devicekit_disk_t)
+
mls_file_read_all_levels(devicekit_disk_t)
mls_file_write_to_clearance(devicekit_disk_t)
diff --git a/policy/modules/services/entropyd.te b/policy/modules/services/entropyd.te
index aa404773..f2405692 100644
--- a/policy/modules/services/entropyd.te
+++ b/policy/modules/services/entropyd.te
@@ -55,6 +55,7 @@ files_read_usr_files(entropyd_t)
fs_getattr_all_fs(entropyd_t)
fs_search_auto_mountpoints(entropyd_t)
+fs_search_tmpfs(entropyd_t)
domain_use_interactive_fds(entropyd_t)
diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
index 352b4ca8..1e97cdfa 100644
--- a/policy/modules/services/fail2ban.te
+++ b/policy/modules/services/fail2ban.te
@@ -63,6 +63,7 @@ manage_files_pattern(fail2ban_t, fail2ban_runtime_t, fail2ban_runtime_t)
files_runtime_filetrans(fail2ban_t, fail2ban_runtime_t, file)
kernel_read_system_state(fail2ban_t)
+kernel_search_fs_sysctls(fail2ban_t)
corecmd_exec_bin(fail2ban_t)
corecmd_exec_shell(fail2ban_t)
@@ -90,6 +91,7 @@ fs_getattr_all_fs(fail2ban_t)
auth_use_nsswitch(fail2ban_t)
logging_read_all_logs(fail2ban_t)
+logging_read_audit_log(fail2ban_t)
logging_send_syslog_msg(fail2ban_t)
miscfiles_read_localization(fail2ban_t)
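Review bot: logging_read_audit_log(fail2ban_t) gives a network-facing log parser read access to the audit log, which is considerably more sensitive than what logging_read_all_logs on the line above is normally relied on for, and nothing in the hunk says which jail or filter needs it. Please add a comment stating the use case, and consider making it conditional so that installations whose jails do not parse audit records keep the tighter policy.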
diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
index 7d028b8d..06273d09 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@@ -110,8 +110,11 @@ files_read_etc_runtime_files(jabberd_t)
# usr for lua modules
files_read_usr_files(jabberd_t)
+files_search_var_lib(jabberd_t)
+
fs_search_auto_mountpoints(jabberd_t)
+miscfiles_read_generic_tls_privkey(jabberd_t)
miscfiles_read_all_certs(jabberd_t)
sysnet_read_config(jabberd_t)
diff --git a/policy/modules/services/l2tp.te b/policy/modules/services/l2tp.te
index 0fa4d8dd..6a429835 100644
--- a/policy/modules/services/l2tp.te
+++ b/policy/modules/services/l2tp.te
@@ -35,6 +35,7 @@ allow l2tpd_t self:socket create_socket_perms;
allow l2tpd_t self:tcp_socket { accept listen };
allow l2tpd_t self:unix_dgram_socket sendto;
allow l2tpd_t self:unix_stream_socket { accept listen };
+allow l2tpd_t self:pppox_socket create;
read_files_pattern(l2tpd_t, l2tp_conf_t, l2tp_conf_t)
diff --git a/policy/modules/services/mon.te b/policy/modules/services/mon.te
index 08f1b0a0..74a94b89 100644
--- a/policy/modules/services/mon.te
+++ b/policy/modules/services/mon.te
@@ -147,6 +147,10 @@ optional_policy(`
bind_read_zone(mon_net_test_t)
')
+optional_policy(`
+ mysql_stream_connect(mon_net_test_t)
+')
+
########################################
#
# Local policy
@@ -156,7 +160,8 @@ optional_policy(`
# try not to use dontaudit rules for this
#
-allow mon_local_test_t self:capability sys_admin;
+# sys_ptrace is for reading /proc/1/maps etc
+allow mon_local_test_t self:capability { sys_ptrace sys_admin };
allow mon_local_test_t self:fifo_file rw_fifo_file_perms;
allow mon_local_test_t self:process getsched;
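Review bot: The capability line now includes sys_ptrace, and the comment gives "reading /proc/1/maps etc" as the reason, but sys_ptrace applies to every process the domain can reach, not only PID 1. Name the specific mon test that needs it in the comment so the grant can be revisited later. The set is also written { sys_ptrace sys_admin } while the other capability sets in this commit are in alphabetical order.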
diff --git a/policy/modules/services/mysql.fc b/policy/modules/services/mysql.fc
index 7739d36d..d23f2636 100644
--- a/policy/modules/services/mysql.fc
+++ b/policy/modules/services/mysql.fc
@@ -20,6 +20,7 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
/usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
/usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/sbin/mariadbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)
/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
/var/lib/mysql/mysql.* -s gen_context(system_u:object_r:mysqld_runtime_t,s0)
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index f88f458b..5a264e2f 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -65,7 +65,7 @@ files_runtime_file(mysqlmanagerd_runtime_t)
# Local policy
#
-allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource };
+allow mysqld_t self:capability { dac_override dac_read_search ipc_lock setgid setuid sys_resource };
dontaudit mysqld_t self:capability sys_tty_config;
allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
allow mysqld_t self:fifo_file rw_fifo_file_perms;
@@ -75,6 +75,7 @@ allow mysqld_t self:tcp_socket { accept listen };
manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
+allow mysqld_t mysqld_db_t:file map;
manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
@@ -91,6 +92,7 @@ logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file })
manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
+allow mysqld_t mysqld_tmp_t:file map;
files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
manage_dirs_pattern(mysqld_t, mysqld_runtime_t, mysqld_runtime_t)
@@ -102,6 +104,7 @@ kernel_read_kernel_sysctls(mysqld_t)
kernel_read_network_state(mysqld_t)
kernel_read_system_state(mysqld_t)
kernel_read_vm_sysctls(mysqld_t)
+kernel_read_vm_overcommit_sysctl(mysqld_t)
corenet_all_recvfrom_netlabel(mysqld_t)
corenet_tcp_sendrecv_generic_if(mysqld_t)
@@ -123,6 +126,7 @@ domain_use_interactive_fds(mysqld_t)
fs_getattr_all_fs(mysqld_t)
fs_search_auto_mountpoints(mysqld_t)
+fs_search_tmpfs(mysqld_t)
fs_rw_hugetlbfs_files(mysqld_t)
files_read_etc_runtime_files(mysqld_t)
@@ -132,6 +136,7 @@ auth_use_nsswitch(mysqld_t)
logging_send_syslog_msg(mysqld_t)
+miscfiles_read_generic_certs(mysqld_t)
miscfiles_read_localization(mysqld_t)
userdom_search_user_home_dirs(mysqld_t)
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index 76bdae5a..9aa0afaf 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -131,6 +131,8 @@ fs_search_auto_mountpoints(openvpn_t)
auth_use_pam(openvpn_t)
+init_read_state(openvpn_t)
+
miscfiles_read_localization(openvpn_t)
miscfiles_read_all_certs(openvpn_t)
@@ -162,6 +164,10 @@ optional_policy(`
daemontools_service_domain(openvpn_t, openvpn_exec_t)
')
+optional_policy(`
+ dpkg_script_rw_inherited_pipes(openvpn_t)
+')
+
optional_policy(`
dbus_system_bus_client(openvpn_t)
dbus_connect_system_bus(openvpn_t)
@@ -174,3 +180,7 @@ optional_policy(`
optional_policy(`
systemd_use_passwd_agent(openvpn_t)
')
+
+optional_policy(`
+ unconfined_use_fds(openvpn_t)
+')
diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te
index 169dab12..a96e9dd9 100644
--- a/policy/modules/services/postgrey.te
+++ b/policy/modules/services/postgrey.te
@@ -47,6 +47,7 @@ manage_fifo_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
+allow postgrey_t postgrey_var_lib_t:file map;
files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file)
manage_dirs_pattern(postgrey_t, postgrey_runtime_t, postgrey_runtime_t)
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 9e95d8dc..844a8038 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -218,6 +218,7 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
kernel_read_network_state(nfsd_t)
kernel_dontaudit_getattr_core_if(nfsd_t)
+kernel_search_debugfs(nfsd_t)
kernel_setsched(nfsd_t)
kernel_request_load_module(nfsd_t)
# kernel_mounton_proc(nfsd_t)
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index 2f0fefef..855d846d 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -201,11 +201,14 @@ files_tmp_file(winbind_tmp_t)
allow samba_net_t self:capability { dac_override dac_read_search sys_chroot sys_nice };
allow samba_net_t self:capability2 block_suspend;
-allow samba_net_t self:process { getsched setsched };
+allow samba_net_t self:process { sigkill getsched setsched };
allow samba_net_t self:unix_stream_socket { accept listen };
+allow samba_net_t self:fifo_file rw_file_perms;
allow samba_net_t samba_etc_t:file read_file_perms;
+allow samba_net_t samba_var_run_t:file { map read_file_perms };
+
manage_files_pattern(samba_net_t, samba_etc_t, samba_secrets_t)
filetrans_pattern(samba_net_t, samba_etc_t, samba_secrets_t, file)
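Review bot: Two of the added samba_net_t rules look inconsistent with the rest of the commit. "allow samba_net_t self:fifo_file rw_file_perms;" uses the plain file permission set on a fifo_file class, where the other self:fifo_file rules shown in this patch use rw_fifo_file_perms. And "allow samba_net_t samba_var_run_t:file { map read_file_perms };" refers to samba_var_run_t, while every other samba rule in this diff uses samba_runtime_t; please use the current type name. Minor: sigkill is prepended to { getsched setsched } rather than kept in order.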
@@ -215,6 +218,7 @@ files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t)
manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
+allow samba_net_t samba_var_t:file map;
manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
files_var_filetrans(samba_net_t, samba_var_t, dir, "samba")
@@ -300,6 +304,7 @@ allow smbd_t samba_share_t:filesystem { getattr quotaget };
manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
+allow smbd_t samba_var_t:file map;
manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
@@ -310,6 +315,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
manage_dirs_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
manage_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
+allow smbd_t samba_runtime_t:file map;
manage_sock_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
files_runtime_filetrans(smbd_t, samba_runtime_t, { dir file })
@@ -317,6 +323,7 @@ allow smbd_t winbind_runtime_t:sock_file read_sock_file_perms;
stream_connect_pattern(smbd_t, winbind_runtime_t, winbind_runtime_t, winbind_t)
stream_connect_pattern(smbd_t, samba_runtime_t, samba_runtime_t, nmbd_t)
+allow smbd_t nmbd_t:unix_dgram_socket sendto;
kernel_getattr_core_if(smbd_t)
kernel_getattr_message_if(smbd_t)
@@ -479,6 +486,10 @@ optional_policy(`
cups_stream_connect(smbd_t)
')
+optional_policy(`
+ dbus_system_bus_client(smbd_t)
+')
+
optional_policy(`
kerberos_read_keytab(smbd_t)
kerberos_use(smbd_t)
@@ -520,6 +531,7 @@ allow nmbd_t self:unix_stream_socket { accept connectto listen };
manage_dirs_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
manage_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
+allow nmbd_t samba_runtime_t:file map;
manage_sock_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
files_runtime_filetrans(nmbd_t, samba_runtime_t, { dir file sock_file })
@@ -532,7 +544,7 @@ create_files_pattern(nmbd_t, samba_log_t, samba_log_t)
setattr_files_pattern(nmbd_t, samba_log_t, samba_log_t)
manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
-manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
+allow nmbd_t samba_var_t:file map;
manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t)
manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t)
files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd")
@@ -613,6 +625,8 @@ allow smbcontrol_t self:process { signal signull };
allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
+allow smbcontrol_t samba_runtime_t:dir rw_dir_perms;
+init_use_fds(smbcontrol_t)
manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
index fc3f9502..a6351969 100644
--- a/policy/modules/services/smartmon.te
+++ b/policy/modules/services/smartmon.te
@@ -38,7 +38,7 @@ ifdef(`enable_mls',`
# Local policy
#
-allow fsdaemon_t self:capability { dac_override kill setgid setpcap sys_admin sys_rawio };
+allow fsdaemon_t self:capability { dac_override kill setgid setuid setpcap sys_admin sys_rawio };
dontaudit fsdaemon_t self:capability sys_tty_config;
allow fsdaemon_t self:process { getcap setcap signal_perms };
allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
index f7b3a5a3..f9890df1 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -71,6 +71,7 @@ allow squid_t self:msg { send receive };
allow squid_t self:unix_dgram_socket sendto;
allow squid_t self:unix_stream_socket { accept connectto listen };
allow squid_t self:tcp_socket { accept listen };
+allow squid_t self:netlink_netfilter_socket create_socket_perms;
manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t)
manage_files_pattern(squid_t, squid_cache_t, squid_cache_t)
@@ -91,6 +92,7 @@ manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t)
files_tmp_filetrans(squid_t, squid_tmp_t, { file dir })
manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
+allow squid_t squid_tmpfs_t:file map;
fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
manage_files_pattern(squid_t, squid_runtime_t, squid_runtime_t)
diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te
index 445ab87f..0da1a599 100644
--- a/policy/modules/services/tor.te
+++ b/policy/modules/services/tor.te
@@ -74,6 +74,7 @@ files_runtime_filetrans(tor_t, tor_runtime_t, { dir file sock_file })
kernel_read_kernel_sysctls(tor_t)
kernel_read_net_sysctls(tor_t)
kernel_read_system_state(tor_t)
+kernel_read_vm_overcommit_sysctl(tor_t)
corenet_all_recvfrom_netlabel(tor_t)
corenet_tcp_sendrecv_generic_if(tor_t)
diff --git a/policy/modules/services/watchdog.te b/policy/modules/services/watchdog.te
index e1e9d9a9..4a677a3f 100644
--- a/policy/modules/services/watchdog.te
+++ b/policy/modules/services/watchdog.te
@@ -76,6 +76,8 @@ auth_append_login_records(watchdog_t)
logging_send_syslog_msg(watchdog_t)
+mcs_killall(watchdog_t)
+
miscfiles_read_localization(watchdog_t)
sysnet_dns_name_resolve(watchdog_t)
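Review bot: `mcs_killall(watchdog_t)` lets watchdog_t sigkill and sigstop processes regardless of their MCS category set, and the hunk gives no reason for the override; nothing in the visible context shows which signal rule it is meant to pair with. Add a comment stating why watchdog has to signal across categories, so the exemption can be reviewed against that need.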
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 0e76767f..8ba496cd 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -1643,6 +1643,7 @@ interface(`xserver_rw_mesa_shader_cache',`
rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
+ allow $1 mesa_shader_cache_t:file map;
xdg_search_cache_dirs($1)
')
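Review bot: Adding `allow $1 mesa_shader_cache_t:file map;` inside `xserver_rw_mesa_shader_cache` means every caller of a read/write interface now also receives map. Update the interface summary to mention mmap, and consider `mmap_rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)` in place of `rw_files_pattern` plus the raw allow.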