From: "Sven Vermeulen" <sven.vermeulen@siphos.be>
To: gentoo-commits@lists.gentoo.org
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" <sven.vermeulen@siphos.be>
Message-ID: <1338187426.d0b7ac0dd1f6dd606f3f988c2e875bc56ccceba9.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/kernel/files.if policy/modules/system/init.te
X-VCS-Directories: policy/modules/system/ policy/modules/kernel/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: d0b7ac0dd1f6dd606f3f988c2e875bc56ccceba9
X-VCS-Branch: master
Date: Mon, 28 May 2012 06:44:44 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: quoted-printable
X-Archives-Salt: e1871ea2-c500-4c22-8fc2-a603def5c09c
X-Archives-Hash: bda9ab0c45016e7d863a4d90fb8c2fb2

commit:     d0b7ac0dd1f6dd606f3f988c2e875bc56ccceba9
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon May 28 06:43:46 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon May 28 06:43:46 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d0b7ac0d

Allow initrc_t to create /run/* directories

See bug #417857

---
 policy/modules/kernel/files.if | 64 ++++++++++++++++++++++++++++++++++++++++++
 policy/modules/system/init.te  |  4 ++
 2 files changed, 68 insertions(+), 0 deletions(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 1405dc6..36dd117 100644
--- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -5648,6 +5648,27 @@ interface(`files_rw_lock_dirs',` =20 ######################################## ## <summary> +## Create lock directories. +## </summary> +## <param name=3D"domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_create_lock_dirs',` + gen_require(` + type var_t, var_lock_t; + ') + + allow $1 var_t:dir search_dir_perms; + allow $1 var_lock_t:lnk_file read_lnk_file_perms; + create_dirs_pattern($1, var_lock_t, var_lock_t) +') + + +######################################## +## <summary> ## Relabel to and from all lock directory types. ## </summary> ## <param name=3D"domain"> @@ -5691,6 +5712,24 @@ interface(`files_getattr_generic_locks',` =20 ######################################## ## <summary> +## Set the attributes of generic lock directories +## </summary> +## <param name=3D"domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_setattr_generic_dirs',` + gen_require(` + type var_t, var_lock_t; + ') + + setattr_dirs_pattern($1, var_t, var_lock_t) +') + +######################################## +## <summary> ## Delete generic lock files. ## </summary> ## <param name=3D"domain"> 
@@ -5971,6 +6010,31 @@ interface(`files_write_generic_pid_pipes',` allow $1 var_run_t:lnk_file read_lnk_file_perms; allow $1 var_run_t:fifo_file write; ') +######################################## +## <summary> +## Write files in /var/run with the lock file type +## </summary> +## <param name=3D"domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name=3D"name" optional=3D"true"> +## <summary> +## Name of the directory that the file transition will work on +## </summary> +## </param> +# +interface(`files_pid_filetrans_generic_lock_dirs',` + gen_require(` + type var_t, var_run_t; + ') + + allow $1 var_t:dir search_dir_perms; + allow $1 var_run_t:lnk_file read_lnk_file_perms; + files_pid_filetrans($1, var_lock_t, dir, $2) +') + =20 ######################################## ## <summary> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.t= e index 820c072..c8452f3 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -276,7 +276,11 @@ kernel_rw_all_sysctls(initrc_t) # for lsof which is used by alsa shutdown: kernel_dontaudit_getattr_message_if(initrc_t) =20 +files_create_lock_dirs(initrc_t) +files_pid_filetrans(initrc_t, initrc_state_t, dir, "openrc") +files_pid_filetrans_generic_lock_dirs(initrc_t, "lock") files_read_kernel_symbol_table(initrc_t) +files_setattr_generic_dirs(initrc_t) files_dontaudit_write_usr_dirs(initrc_t) =20 corecmd_exec_all_executables(initrc_t)
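Review bot: in the first files.if hunk, the new `files_create_lock_dirs` interface is followed by two blank `+` lines before the next `########` header, while the file otherwise separates interfaces with one blank line (see the `')` / blank / `####` context at the top of the same hunk); drop one of them. The body itself is the narrow grant one would expect: `allow $1 var_t:dir search_dir_perms;` and `allow $1 var_lock_t:lnk_file read_lnk_file_perms;` let the caller reach the lock directory even when /var/lock is a symlink, and `create_dirs_pattern($1, var_lock_t, var_lock_t)` only allows creating directories that are themselves var_lock_t, without granting write or relabel on other lock types.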
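Review bot: in the second files.if hunk, the interface name `files_setattr_generic_dirs` does not match what it does: `setattr_dirs_pattern($1, var_t, var_lock_t)` only grants setattr on lock directories, and the summary reads "Set the attributes of generic lock directories", so name it `files_setattr_generic_lock_dirs` in line with the neighbouring `files_getattr_generic_locks`. The summary line is also missing its trailing period, unlike the surrounding summaries. Note too that, unlike the new `files_create_lock_dirs`, this interface grants no `var_lock_t:lnk_file read_lnk_file_perms`, so a caller that reaches the directory through a /var/lock symlink will need that rule from elsewhere; adding it here keeps the two interfaces consistent.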
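Review bot: in the third files.if hunk, `files_pid_filetrans_generic_lock_dirs` references `var_lock_t` in `files_pid_filetrans($1, var_lock_t, dir, $2)` but its `gen_require` only declares `type var_t, var_run_t;`, so any policy module that calls this interface without requiring var_lock_t itself will fail to compile; change the require block to `type var_t, var_run_t, var_lock_t;`. The summary "Write files in /var/run with the lock file type" also misdescribes the rule: it is a `dir` file transition, meaning directories created in var_run_t (restricted to the name `$2` when given) are labeled var_lock_t, and no file write permission is granted, so the summary should say that. Style-wise, the new interface starts right after the `')` of `files_write_generic_pid_pipes` with no separating blank line, while an extra `+` blank line is added before the following `####` header; move that blank line up so the spacing matches the rest of the file.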
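Review bot: in the init.te hunk, the commit message "Allow initrc_t to create /run/* directories" is broader than what the rules grant, which is a good thing for a domain as privileged as initrc_t and worth stating precisely: `files_pid_filetrans(initrc_t, initrc_state_t, dir, "openrc")` and `files_pid_filetrans_generic_lock_dirs(initrc_t, "lock")` name exactly two directories, openrc (labeled initrc_state_t) and lock (labeled var_lock_t), and `files_create_lock_dirs(initrc_t)` then allows subdirectories under the lock type; nothing here lets initrc_t create arbitrarily labeled directories in /run. Saying "openrc and lock" instead of "/run/*" in the message would make the audit trail for bug #417857 clearer. The `files_setattr_generic_dirs(initrc_t)` call will need renaming if the interface name in files.if is changed to say "lock", as suggested for that hunk.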