From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1SiQZn-0003GK-Aa for garchives@archives.gentoo.org; Sat, 23 Jun 2012 13:40:43 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 665E3E09D7; Sat, 23 Jun 2012 13:40:13 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 28BA8E09D7 for ; Sat, 23 Jun 2012 13:40:13 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 506CB1B402E for ; Sat, 23 Jun 2012 13:40:12 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id 502F8E543C for ; Sat, 23 Jun 2012 13:40:03 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1340458751.0148d642f7c71dbbf699a22c9b79d593f22ea7d4.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/apache.if policy/modules/contrib/awstats.te policy/modules/contrib/bitlbee.te policy/modules/contrib/cvs.te policy/modules/contrib/djbdns.te policy/modules/contrib/finger.te policy/modules/contrib/modemmanager.te policy/modules/contrib/mplayer.te policy/modules/contrib/telnet.te policy/modules/contrib/webalizer.te policy/modules/services/postgresql.te X-VCS-Directories: policy/modules/services/ policy/modules/contrib/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 0148d642f7c71dbbf699a22c9b79d593f22ea7d4 X-VCS-Branch: master Date: Sat, 23 Jun 2012 13:40:03 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: quoted-printable X-Archives-Salt: f620e373-4d35-491d-9d28-2923728f6ebe X-Archives-Hash: 2d64f8ce0648ad3dd7e2a97f3e39f4c2 commit: 0148d642f7c71dbbf699a22c9b79d593f22ea7d4 Author: Sven Vermeulen siphos be> AuthorDate: Sat Jun 23 13:39:11 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Sat Jun 23 13:39:11 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=3Dproj/hardened-refp= olicy.git;a=3Dcommit;h=3D0148d642 Bump for r12 --- policy/modules/contrib/apache.if | 12 ++++++------ policy/modules/contrib/awstats.te | 2 +- policy/modules/contrib/bitlbee.te | 5 ++++- policy/modules/contrib/cvs.te | 6 +++++- policy/modules/contrib/djbdns.te | 4 +++- policy/modules/contrib/finger.te | 5 ++++- policy/modules/contrib/modemmanager.te | 4 +++- policy/modules/contrib/mplayer.te | 5 
++++- policy/modules/contrib/telnet.te | 7 ++++++- policy/modules/contrib/webalizer.te | 6 ++++-- policy/modules/services/postgresql.te | 8 ++++---- 11 files changed, 44 insertions(+), 20 deletions(-)
diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/ap= ache.if
index 53b982e..e97b89f 100644
--- a/policy/modules/contrib/apache.if
+++ b/policy/modules/contrib/apache.if
@@ -450,7 +450,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
=20
 ########################################
 ##
-## Read all appendable content.
+## Read all appendable web content files.
 ##
 ##
 ##
@@ -470,7 +470,7 @@ interface(`apache_read_all_ra_content',`
=20
 ########################################
 ##
-## Append to all appendable web content.
+## Append to all appendable web content files.
 ##
 ##
 ##
@@ -490,7 +490,7 @@ interface(`apache_append_all_ra_content',`
=20
 ########################################
 ##
-## Read all read/write content.
+## Read all read/write web content files.
 ##
 ##
 ##
@@ -510,7 +510,7 @@ interface(`apache_read_all_rw_content',`
=20
 ########################################
 ##
-## Manage all read/write content.
+## Manage all read/write web content files and directories.
 ##
 ##
 ##
@@ -531,7 +531,7 @@ interface(`apache_manage_all_rw_content',`
=20
 ########################################
 ##
-## Read all web content.
+## Read all web content files.
 ##
 ##
 ##
@@ -554,7 +554,7 @@ interface(`apache_read_all_content',`
=20
 ########################################
 ##
-## Create, read, write, and delete all web content.
+## Create, read, write, and delete all web content files and directories= .
 ##
 ##
 ##
diff --git a/policy/modules/contrib/awstats.te b/policy/modules/contrib/a= wstats.te
index 6bd3ad3..ce1b3ae 100644
--- a/policy/modules/contrib/awstats.te
+++ b/policy/modules/contrib/awstats.te
@@ -17,7 +17,6 @@ files_tmp_file(awstats_tmp_t)
 type awstats_var_lib_t;
 files_type(awstats_var_lib_t)
=20
-apache_content_template(awstats)
=20
 ########################################
 #
@@ -59,6 +58,7 @@ miscfiles_read_localization(awstats_t)
=20
 sysnet_dns_name_resolve(awstats_t)
=20
+apache_content_template(awstats)
 apache_read_log(awstats_t)
=20
 optional_policy(`
diff --git a/policy/modules/contrib/bitlbee.te b/policy/modules/contrib/b= itlbee.te
index f4e7ad3..021ca4e 100644
--- a/policy/modules/contrib/bitlbee.te
+++ b/policy/modules/contrib/bitlbee.te
@@ -8,7 +8,6 @@ policy_module(bitlbee, 1.4.0)
 type bitlbee_t;
 type bitlbee_exec_t;
 init_daemon_domain(bitlbee_t, bitlbee_exec_t)
-inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t)
=20
 type bitlbee_conf_t;
 files_config_file(bitlbee_conf_t)
@@ -89,6 +88,10 @@ miscfiles_read_localization(bitlbee_t)
 sysnet_dns_name_resolve(bitlbee_t)
=20
 optional_policy(`
+ inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t)
+')
+
+optional_policy(`
 # normally started from inetd using tcpwrappers, so use those entry poi= nts
 tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
 ')
diff --git a/policy/modules/contrib/cvs.te b/policy/modules/contrib/cvs.t= e
index 88e7e97..ce74cfd 100644
--- a/policy/modules/contrib/cvs.te
+++ b/policy/modules/contrib/cvs.te
@@ -14,7 +14,7 @@ gen_tunable(allow_cvs_read_shadow, false)
=20
 type cvs_t;
 type cvs_exec_t;
-inetd_tcp_service_domain(cvs_t, cvs_exec_t)
+init_daemon_domain(cvs_t, cvs_exec_t)
 application_executable_file(cvs_exec_t)
 role system_r types cvs_t;
=20
@@ -96,6 +96,10 @@ tunable_policy(`allow_cvs_read_shadow',`
 ')
=20
 optional_policy(`
+ inetd_tcp_service_domain(cvs_t, cvs_exec_t)
+')
+
+optional_policy(`
 kerberos_keytab_template(cvs, cvs_t)
 kerberos_read_config(cvs_t)
 kerberos_dontaudit_write_config(cvs_t)
diff --git a/policy/modules/contrib/djbdns.te b/policy/modules/contrib/dj= bdns.te
index 03b5286..394a053 100644
--- a/policy/modules/contrib/djbdns.te
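Review bot: `apache_content_template(awstats)` is only relocated by the two awstats.te hunks, not wrapped, so awstats.te still hard-requires the apache module, while the webalizer.te hunk in the same commit puts its apache calls inside `optional_policy`. If the goal is to build awstats without apache, this call and the `apache_read_log(awstats_t)` right below it would need to sit in one `optional_policy` block, and since the template presumably declares the httpd_awstats_* types, every rule referencing those types elsewhere in the module (outside this hunk) would have to move into that block too. If the hard dependency is intended, a comment on the new line such as `# apache is a hard dependency: the web content types come from this template` would make that explicit and explain why the call is not optional like its neighbours.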
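Review bot: Replacing `inetd_tcp_service_domain(cvs_t, cvs_exec_t)` with `init_daemon_domain(cvs_t, cvs_exec_t)` in the cvs.te hunk at `@@ -14,7 +14,7` grants cvs_t an unconditional init-script entry path (and, if this tree's interface matches upstream, the `daemon` attribute) that the inetd-only entry it replaces did not, while the inetd entry becomes optional in the second hunk; the commit message does not say why pserver should now run as a standalone daemon, so a comment on the new line would help, e.g. `# pserver runs standalone under init or from inetd (optional_policy below)`. If `init_daemon_domain` already emits `role system_r types cvs_t;`, as it does upstream, the explicit role line two lines below is now redundant and can go. The same substitution appears in the telnet.te hunk at `@@ -7,7 +7,8`; it is worth confirming telnetd is ever started by init rather than inetd before granting the broader entry unconditionally there as well.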
+++ b/policy/modules/contrib/djbdns.te
@@ -39,7 +39,9 @@ allow djbdns_axfrdns_t djbdns_tinydns_conf_t:file read_= file_perms;
=20
 files_search_var(djbdns_axfrdns_t)
=20
-ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
+optional_policy(`
+ ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
+')
=20
 ########################################
 #
diff --git a/policy/modules/contrib/finger.te b/policy/modules/contrib/fi= nger.te
index 9b7036a..f60af2d 100644
--- a/policy/modules/contrib/finger.te
+++ b/policy/modules/contrib/finger.te
@@ -8,7 +8,6 @@ policy_module(finger, 1.9.0)
 type fingerd_t;
 type fingerd_exec_t;
 init_daemon_domain(fingerd_t, fingerd_exec_t)
-inetd_tcp_service_domain(fingerd_t, fingerd_exec_t)
=20
 type fingerd_etc_t;
 files_config_file(fingerd_etc_t)
@@ -97,6 +96,10 @@ optional_policy(`
 ')
=20
 optional_policy(`
+ inetd_tcp_service_domain(fingerd_t, fingerd_exec_t)
+')
+
+optional_policy(`
 logrotate_exec(fingerd_t)
 ')
=20
diff --git a/policy/modules/contrib/modemmanager.te b/policy/modules/cont= rib/modemmanager.te
index b3ace16..34d430e 100644
--- a/policy/modules/contrib/modemmanager.te
+++ b/policy/modules/contrib/modemmanager.te
@@ -34,7 +34,9 @@ miscfiles_read_localization(modemmanager_t)
=20
 logging_send_syslog_msg(modemmanager_t)
=20
-networkmanager_dbus_chat(modemmanager_t)
+optional_policy(`
+ networkmanager_dbus_chat(modemmanager_t)
+')
=20
 optional_policy(`
 udev_read_db(modemmanager_t)
diff --git a/policy/modules/contrib/mplayer.te b/policy/modules/contrib/m= player.te
index 0cdea57..5db940a 100644
--- a/policy/modules/contrib/mplayer.te
+++ b/policy/modules/contrib/mplayer.te
@@ -234,7 +234,6 @@ userdom_read_user_home_content_files(mplayer_t)
 userdom_read_user_home_content_symlinks(mplayer_t)
 userdom_write_user_tmp_sockets(mplayer_t)
=20
-xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
=20
 # Read songs
 ifdef(`enable_mls',`',`
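Review bot: Once `ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)` is inside `optional_policy`, nothing in this djbdns.te hunk makes djbdns_axfrdns_exec_t an entry point for djbdns_axfrdns_t when the ucspitcp module is absent; the bitlbee, cvs, finger and telnet hunks in this commit keep an unconditional `init_daemon_domain` for exactly that case. The domain's declarations are outside the hunk, so confirm that another interface there (a daemontools or init one) already supplies `domain_type` and the entry file; if it does not, the domain becomes unreachable rather than merely losing its ucspitcp entry. A one-line comment next to the new block, e.g. `# ucspitcp entry is optional; the domain and its entry file are declared above`, would spare the next reader the same check.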
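Review bot: Removing `xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)` in the mplayer.te hunk at `@@ -234,7 +234,6` leaves the blank lines on either side of it adjacent, so two consecutive blank lines now precede `# Read songs`; drop one of them while the hunk is being touched.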
@@ -309,3 +308,7 @@ optional_policy(`
 pulseaudio_exec(mplayer_t)
 pulseaudio_stream_connect(mplayer_t)
 ')
+
+optional_policy(`
+ xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
+')
diff --git a/policy/modules/contrib/telnet.te b/policy/modules/contrib/te= lnet.te
index 6de3d82..c39ea8f 100644
--- a/policy/modules/contrib/telnet.te
+++ b/policy/modules/contrib/telnet.te
@@ -7,7 +7,8 @@ policy_module(telnet, 1.10.0)
=20
 type telnetd_t;
 type telnetd_exec_t;
-inetd_service_domain(telnetd_t, telnetd_exec_t)
+init_daemon_domain(telnetd_t, telnetd_exec_t)
+
 role system_r types telnetd_t;
=20
 type telnetd_devpts_t; #, userpty_type;
@@ -85,6 +86,10 @@ userdom_search_user_home_dirs(telnetd_t)
 userdom_setattr_user_ptys(telnetd_t)
=20
 optional_policy(`
+ inetd_service_domain(telnetd_t, telnetd_exec_t)
+')
+
+optional_policy(`
 kerberos_keytab_template(telnetd, telnetd_t)
 kerberos_manage_host_rcache(telnetd_t)
 ')
diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib= /webalizer.te
index 32b4f76..8ea7478 100644
--- a/policy/modules/contrib/webalizer.te
+++ b/policy/modules/contrib/webalizer.te
@@ -85,8 +85,10 @@ userdom_use_user_terminals(webalizer_t)
 userdom_use_unpriv_users_fds(webalizer_t)
 userdom_dontaudit_search_user_home_content(webalizer_t)
=20
-apache_read_log(webalizer_t)
-apache_manage_sys_content(webalizer_t)
+optional_policy(`
+ apache_read_log(webalizer_t)
+ apache_manage_sys_content(webalizer_t)
+')
=20
 optional_policy(`
 cron_system_entry(webalizer_t, webalizer_exec_t)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/servi= ces/postgresql.te
index 6c6e9a5..1855595 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -136,7 +136,7 @@ postgresql_trusted_procedure_object(sepgsql_trusted_p= roc_exec_t)
 # Ranged Trusted Procedure Domain
 type sepgsql_ranged_proc_t;
 domain_type(sepgsql_ranged_proc_t)
-role system_r types sepgqsl_ranged_proc_t;
+role system_r types sepgsql_ranged_proc_t;
=20
 type sepgsql_ranged_proc_exec_t;
 postgresql_trusted_procedure_object(sepgsql_ranged_proc_exec_t)
@@ -455,7 +455,7 @@ allow sepgsql_client_type sepgsql_seq_t:db_sequence {= getattr get_value next_val
 allow sepgsql_client_type sepgsql_view_t:db_view { getattr expand };
=20
 allow sepgsql_client_type sepgsql_proc_exec_t:db_procedure { getattr exe= cute install };
-allow sepgsql_client_type sepgsql_trusted_procedure_exec_t:db_procedure = { getattr execute entrypoint };
+allow sepgsql_client_type sepgsql_trusted_procedure_type:db_procedure { = getattr execute entrypoint };
=20
 allow sepgsql_client_type sepgsql_lang_t:db_language { getattr };
 allow sepgsql_client_type sepgsql_safe_lang_t:db_language { getattr exec= ute };
@@ -547,7 +547,7 @@ tunable_policy(`sepgsql_unconfined_dbadm',`
 allow sepgsql_admin_type sepgsql_view_type:db_view *;
=20
 allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure *;
- allow sepgsql_admin_type sepgsql_trusted_procedure_exec_t:db_procedure = ~install;
+ allow sepgsql_admin_type sepgsql_trusted_procedure_type:db_procedure ~i= nstall;
 allow sepgsql_admin_type sepgsql_procedure_type:db_procedure ~{ execute= install };
=20
 allow sepgsql_admin_type sepgsql_language_type:db_language ~implement;
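Review bot: The rewritten client rule in the postgresql.te hunk at `@@ -455,7 +455,7` now grants `{ getattr execute entrypoint }` on the attribute `sepgsql_trusted_procedure_type` instead of the single type sepgsql_trusted_procedure_exec_t, so every type tagged through `postgresql_trusted_procedure_object` — sepgsql_ranged_proc_exec_t in the first hunk, and presumably anything a third-party module declares the same way — becomes an entrypoint for all clients without a per-type rule. That is probably the intent, since the ranged procedure domain is only useful if clients can enter it, but it is a widening rather than a cleanup and deserves a comment above the line, e.g. `# entrypoint is granted on the attribute: every trusted procedure object, including ranged ones, is client-callable`. The admin rule at `@@ -547,7 +547,7` and the unconfined rule at `@@ -580,7 +580,7` are widened the same way to `~install` over the attribute; one comment where the attribute is declared (outside these hunks) would cover all three.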
@@ -580,7 +580,7 @@ allow sepgsql_unconfined_type sepgsql_view_type:db_vi= ew *;
 # unconfined domain is not allowed to invoke user defined procedure dire= ctly.
 # They have to confirm and relabel it at first.
 allow sepgsql_unconfined_type sepgsql_proc_exec_t:db_procedure *;
-allow sepgsql_unconfined_type sepgsql_trusted_procedure_exec_t:db_proced= ure ~install;
+allow sepgsql_unconfined_type sepgsql_trusted_procedure_type:db_procedur= e ~install;
 allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure ~{ exe= cute install };
=20
 allow sepgsql_unconfined_type sepgsql_language_type:db_language ~impleme= nt;