* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/contrib/
@ 2012-09-08 17:30 Sven Vermeulen
From: Sven Vermeulen @ 2012-09-08 17:30 UTC (permalink / raw
To: gentoo-commits
commit: d5279a76dc5dc81f060346992cacfae8b96ada36
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Sep 8 16:03:45 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Sep 8 16:03:45 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d5279a76
All booleans are off by default
---
policy/modules/contrib/mcelog.te | 6 +++---
policy/modules/contrib/qemu.te | 8 ++++----
policy/modules/contrib/rpc.te | 4 ++--
policy/modules/contrib/spamassassin.te | 4 ++--
policy/modules/contrib/virt.te | 4 ++--
policy/modules/contrib/xen.te | 6 +++---
policy/modules/contrib/xguest.te | 8 ++++----
policy/modules/services/postgresql.te | 6 +++---
8 files changed, 23 insertions(+), 23 deletions(-)
diff --git a/policy/modules/contrib/mcelog.te b/policy/modules/contrib/mcelog.te
index 6e44f91..bf526d7 100644
--- a/policy/modules/contrib/mcelog.te
+++ b/policy/modules/contrib/mcelog.te
@@ -21,7 +21,7 @@ gen_tunable(mcelog_client, false)
## and/or local scripts.
## </p>
## </desc>
-gen_tunable(mcelog_exec_scripts, true)
+gen_tunable(mcelog_exec_scripts, false)
## <desc>
## <p>
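Review bot: The default flip of `mcelog_exec_scripts` here, and of `mcelog_foreground` and `mcelog_syslog` in the two hunks that follow, comes without a `policy_module` version bump, while every other module touched by this commit (qemu, rpc, spamassassin, virt, xen, xguest, postgresql) gets one; a matching `policy_module(mcelog, <next version>)` line at the top of the file would keep the module versions consistent. Turning `mcelog_syslog` off by default also means MCE hardware-error records presumably stop reaching syslog until an administrator enables the boolean, which is an audit-visibility change rather than a plain tightening. That effect is worth stating in the tunable's `<desc>`, e.g. `## Disabled by default; enable if mcelog should report events via syslog.`, so a default install does not silently lose the records. The `policy_module` line itself is outside this hunk.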
@@ -30,7 +30,7 @@ gen_tunable(mcelog_exec_scripts, true)
## print out usage and version information.
## </p>
## </desc>
-gen_tunable(mcelog_foreground, true)
+gen_tunable(mcelog_foreground, false)
## <desc>
## <p>
@@ -48,7 +48,7 @@ gen_tunable(mcelog_server, false)
## syslog option.
## </p>
## </desc>
-gen_tunable(mcelog_syslog, true)
+gen_tunable(mcelog_syslog, false)
type mcelog_t;
type mcelog_exec_t;
diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index d76e5ff..f554fc4 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -1,4 +1,4 @@
-policy_module(qemu, 1.7.0)
+policy_module(qemu, 1.7.1)
########################################
#
@@ -17,7 +17,7 @@ gen_tunable(qemu_full_network, false)
## Allow qemu to use cifs/Samba file systems
## </p>
## </desc>
-gen_tunable(qemu_use_cifs, true)
+gen_tunable(qemu_use_cifs, false)
## <desc>
## <p>
@@ -31,14 +31,14 @@ gen_tunable(qemu_use_comm, false)
## Allow qemu to use nfs file systems
## </p>
## </desc>
-gen_tunable(qemu_use_nfs, true)
+gen_tunable(qemu_use_nfs, false)
## <desc>
## <p>
## Allow qemu to use usb devices
## </p>
## </desc>
-gen_tunable(qemu_use_usb, true)
+gen_tunable(qemu_use_usb, false)
type qemu_exec_t;
virt_domain_template(qemu)
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index e131ce3..0f246bb 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.14.0)
+policy_module(rpc, 1.14.1)
########################################
#
@@ -10,7 +10,7 @@ policy_module(rpc, 1.14.0)
## Allow gssd to read temp directory. For access to kerberos tgt.
## </p>
## </desc>
-gen_tunable(allow_gssd_read_tmp, true)
+gen_tunable(allow_gssd_read_tmp, false)
## <desc>
## <p>
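Review bot: With `allow_gssd_read_tmp` now defaulting to false, the `<desc>` text directly above still only says what the boolean allows, although it also notes the access is needed for the kerberos tgt; on a default install, kerberized NFS mounts will presumably fail until the boolean is enabled. Suggest adding a line to the description such as `## Disabled by default; required for kerberized NFS when gssd must read credential caches in /tmp.` so the failure mode is discoverable from the policy itself. The `policy_module` bump for this module is in the preceding hunk.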
diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
index 1bbf73b..3515433 100644
--- a/policy/modules/contrib/spamassassin.te
+++ b/policy/modules/contrib/spamassassin.te
@@ -1,4 +1,4 @@
-policy_module(spamassassin, 2.5.0)
+policy_module(spamassassin, 2.5.1)
########################################
#
@@ -17,7 +17,7 @@ gen_tunable(spamassassin_can_network, false)
## Allow spamd to read/write user home directories.
## </p>
## </desc>
-gen_tunable(spamd_enable_home_dirs, true)
+gen_tunable(spamd_enable_home_dirs, false)
type spamassassin_t;
type spamassassin_exec_t;
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 947bbc6..e7158e7 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.5.0)
+policy_module(virt, 1.5.1)
########################################
#
@@ -45,7 +45,7 @@ gen_tunable(virt_use_sysfs, false)
## Allow virt to use usb devices
## </p>
## </desc>
-gen_tunable(virt_use_usb, true)
+gen_tunable(virt_use_usb, false)
virt_domain_template(svirt)
role system_r types svirt_t;
diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te
index 07033bb..9f1f160 100644
--- a/policy/modules/contrib/xen.te
+++ b/policy/modules/contrib/xen.te
@@ -1,4 +1,4 @@
-policy_module(xen, 1.12.0)
+policy_module(xen, 1.12.1)
########################################
#
@@ -11,7 +11,7 @@ policy_module(xen, 1.12.0)
## Not required if using dedicated logical volumes for disk images.
## </p>
## </desc>
-gen_tunable(xend_run_blktap, true)
+gen_tunable(xend_run_blktap, false)
## <desc>
## <p>
@@ -19,7 +19,7 @@ gen_tunable(xend_run_blktap, true)
## Not required if using paravirt and no vfb.
## </p>
## </desc>
-gen_tunable(xend_run_qemu, true)
+gen_tunable(xend_run_qemu, false)
## <desc>
## <p>
diff --git a/policy/modules/contrib/xguest.te b/policy/modules/contrib/xguest.te
index e88b95f..b885bfc 100644
--- a/policy/modules/contrib/xguest.te
+++ b/policy/modules/contrib/xguest.te
@@ -1,4 +1,4 @@
-policy_module(xguest, 1.1.0)
+policy_module(xguest, 1.1.1)
########################################
#
@@ -10,21 +10,21 @@ policy_module(xguest, 1.1.0)
## Allow xguest users to mount removable media
## </p>
## </desc>
-gen_tunable(xguest_mount_media, true)
+gen_tunable(xguest_mount_media, false)
## <desc>
## <p>
## Allow xguest to configure Network Manager
## </p>
## </desc>
-gen_tunable(xguest_connect_network, true)
+gen_tunable(xguest_connect_network, false)
## <desc>
## <p>
## Allow xguest to use blue tooth devices
## </p>
## </desc>
-gen_tunable(xguest_use_bluetooth, true)
+gen_tunable(xguest_use_bluetooth, false)
role xguest_r;
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index b49c929..0617c72 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -1,4 +1,4 @@
-policy_module(postgresql, 1.15.0)
+policy_module(postgresql, 1.15.2)
gen_require(`
class db_database all_db_database_perms;
@@ -23,7 +23,7 @@ gen_require(`
## Allow unprived users to execute DDL statement
## </p>
## </desc>
-gen_tunable(sepgsql_enable_users_ddl, true)
+gen_tunable(sepgsql_enable_users_ddl, false)
## <desc>
## <p>
@@ -37,7 +37,7 @@ gen_tunable(sepgsql_transmit_client_label, false)
## Allow database admins to execute DML statement
## </p>
## </desc>
-gen_tunable(sepgsql_unconfined_dbadm, true)
+gen_tunable(sepgsql_unconfined_dbadm, false)
type postgresql_t;
type postgresql_exec_t;
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/contrib/
@ 2012-06-23 13:40 Sven Vermeulen
From: Sven Vermeulen @ 2012-06-23 13:40 UTC (permalink / raw
To: gentoo-commits
commit: 0148d642f7c71dbbf699a22c9b79d593f22ea7d4
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jun 23 13:39:11 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Jun 23 13:39:11 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0148d642
Bump for r12
---
policy/modules/contrib/apache.if | 12 ++++++------
policy/modules/contrib/awstats.te | 2 +-
policy/modules/contrib/bitlbee.te | 5 ++++-
policy/modules/contrib/cvs.te | 6 +++++-
policy/modules/contrib/djbdns.te | 4 +++-
policy/modules/contrib/finger.te | 5 ++++-
policy/modules/contrib/modemmanager.te | 4 +++-
policy/modules/contrib/mplayer.te | 5 ++++-
policy/modules/contrib/telnet.te | 7 ++++++-
policy/modules/contrib/webalizer.te | 6 ++++--
policy/modules/services/postgresql.te | 8 ++++----
11 files changed, 44 insertions(+), 20 deletions(-)
diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if
index 53b982e..e97b89f 100644
--- a/policy/modules/contrib/apache.if
+++ b/policy/modules/contrib/apache.if
@@ -450,7 +450,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
########################################
## <summary>
-## Read all appendable content.
+## Read all appendable web content files.
## </summary>
## <param name="domain">
## <summary>
@@ -470,7 +470,7 @@ interface(`apache_read_all_ra_content',`
########################################
## <summary>
-## Append to all appendable web content.
+## Append to all appendable web content files.
## </summary>
## <param name="domain">
## <summary>
@@ -490,7 +490,7 @@ interface(`apache_append_all_ra_content',`
########################################
## <summary>
-## Read all read/write content.
+## Read all read/write web content files.
## </summary>
## <param name="domain">
## <summary>
@@ -510,7 +510,7 @@ interface(`apache_read_all_rw_content',`
########################################
## <summary>
-## Manage all read/write content.
+## Manage all read/write web content files and directories.
## </summary>
## <param name="domain">
## <summary>
@@ -531,7 +531,7 @@ interface(`apache_manage_all_rw_content',`
########################################
## <summary>
-## Read all web content.
+## Read all web content files.
## </summary>
## <param name="domain">
## <summary>
@@ -554,7 +554,7 @@ interface(`apache_read_all_content',`
########################################
## <summary>
-## Create, read, write, and delete all web content.
+## Create, read, write, and delete all web content files and directories.
## </summary>
## <param name="domain">
## <summary>
diff --git a/policy/modules/contrib/awstats.te b/policy/modules/contrib/awstats.te
index 6bd3ad3..ce1b3ae 100644
--- a/policy/modules/contrib/awstats.te
+++ b/policy/modules/contrib/awstats.te
@@ -17,7 +17,6 @@ files_tmp_file(awstats_tmp_t)
type awstats_var_lib_t;
files_type(awstats_var_lib_t)
-apache_content_template(awstats)
########################################
#
@@ -59,6 +58,7 @@ miscfiles_read_localization(awstats_t)
sysnet_dns_name_resolve(awstats_t)
+apache_content_template(awstats)
apache_read_log(awstats_t)
optional_policy(`
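Review bot: Relocating `apache_content_template(awstats)` next to `apache_read_log(awstats_t)` leaves both calls unconditional, whereas webalizer.te in this same commit wraps its `apache_*` calls in `optional_policy(...)`. If the intent is to make the apache module optional for awstats, the move alone does not achieve it; if the template must stay unconditional because it declares types the rest of the module uses, a comment such as `# apache_content_template declares the awstats content types, so it cannot be optional` would stop the next reader from wrapping it. The lines between the two hunks are not visible here, so whether the new position sits inside an `optional_policy` block is inferred, not seen.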
diff --git a/policy/modules/contrib/bitlbee.te b/policy/modules/contrib/bitlbee.te
index f4e7ad3..021ca4e 100644
--- a/policy/modules/contrib/bitlbee.te
+++ b/policy/modules/contrib/bitlbee.te
@@ -8,7 +8,6 @@ policy_module(bitlbee, 1.4.0)
type bitlbee_t;
type bitlbee_exec_t;
init_daemon_domain(bitlbee_t, bitlbee_exec_t)
-inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t)
type bitlbee_conf_t;
files_config_file(bitlbee_conf_t)
@@ -89,6 +88,10 @@ miscfiles_read_localization(bitlbee_t)
sysnet_dns_name_resolve(bitlbee_t)
optional_policy(`
+ inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t)
+')
+
+optional_policy(`
# normally started from inetd using tcpwrappers, so use those entry points
tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
')
diff --git a/policy/modules/contrib/cvs.te b/policy/modules/contrib/cvs.te
index 88e7e97..ce74cfd 100644
--- a/policy/modules/contrib/cvs.te
+++ b/policy/modules/contrib/cvs.te
@@ -14,7 +14,7 @@ gen_tunable(allow_cvs_read_shadow, false)
type cvs_t;
type cvs_exec_t;
-inetd_tcp_service_domain(cvs_t, cvs_exec_t)
+init_daemon_domain(cvs_t, cvs_exec_t)
application_executable_file(cvs_exec_t)
role system_r types cvs_t;
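Review bot: Replacing `inetd_tcp_service_domain` with `init_daemon_domain(cvs_t, cvs_exec_t)` changes how `cvs_t` is entered — it now gets an init-started daemon transition, with the inetd entry moved into an `optional_policy` block in the second hunk — and telnet.te in this commit makes the same swap for `telnetd_t`. The commit message ("Bump for r12") does not mention this change of entry point, and neither file gets a `policy_module` version bump. A short comment above the call, e.g. `# entered from init; the inetd entry point is optional, see below`, would record the new arrangement for both files.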
@@ -96,6 +96,10 @@ tunable_policy(`allow_cvs_read_shadow',`
')
optional_policy(`
+ inetd_tcp_service_domain(cvs_t, cvs_exec_t)
+')
+
+optional_policy(`
kerberos_keytab_template(cvs, cvs_t)
kerberos_read_config(cvs_t)
kerberos_dontaudit_write_config(cvs_t)
diff --git a/policy/modules/contrib/djbdns.te b/policy/modules/contrib/djbdns.te
index 03b5286..394a053 100644
--- a/policy/modules/contrib/djbdns.te
+++ b/policy/modules/contrib/djbdns.te
@@ -39,7 +39,9 @@ allow djbdns_axfrdns_t djbdns_tinydns_conf_t:file read_file_perms;
files_search_var(djbdns_axfrdns_t)
-ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
+optional_policy(`
+ ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
+')
########################################
#
diff --git a/policy/modules/contrib/finger.te b/policy/modules/contrib/finger.te
index 9b7036a..f60af2d 100644
--- a/policy/modules/contrib/finger.te
+++ b/policy/modules/contrib/finger.te
@@ -8,7 +8,6 @@ policy_module(finger, 1.9.0)
type fingerd_t;
type fingerd_exec_t;
init_daemon_domain(fingerd_t, fingerd_exec_t)
-inetd_tcp_service_domain(fingerd_t, fingerd_exec_t)
type fingerd_etc_t;
files_config_file(fingerd_etc_t)
@@ -97,6 +96,10 @@ optional_policy(`
')
optional_policy(`
+ inetd_tcp_service_domain(fingerd_t, fingerd_exec_t)
+')
+
+optional_policy(`
logrotate_exec(fingerd_t)
')
diff --git a/policy/modules/contrib/modemmanager.te b/policy/modules/contrib/modemmanager.te
index b3ace16..34d430e 100644
--- a/policy/modules/contrib/modemmanager.te
+++ b/policy/modules/contrib/modemmanager.te
@@ -34,7 +34,9 @@ miscfiles_read_localization(modemmanager_t)
logging_send_syslog_msg(modemmanager_t)
-networkmanager_dbus_chat(modemmanager_t)
+optional_policy(`
+ networkmanager_dbus_chat(modemmanager_t)
+')
optional_policy(`
udev_read_db(modemmanager_t)
diff --git a/policy/modules/contrib/mplayer.te b/policy/modules/contrib/mplayer.te
index 0cdea57..5db940a 100644
--- a/policy/modules/contrib/mplayer.te
+++ b/policy/modules/contrib/mplayer.te
@@ -234,7 +234,6 @@ userdom_read_user_home_content_files(mplayer_t)
userdom_read_user_home_content_symlinks(mplayer_t)
userdom_write_user_tmp_sockets(mplayer_t)
-xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
# Read songs
ifdef(`enable_mls',`',`
@@ -309,3 +308,7 @@ optional_policy(`
pulseaudio_exec(mplayer_t)
pulseaudio_stream_connect(mplayer_t)
')
+
+optional_policy(`
+ xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
+')
diff --git a/policy/modules/contrib/telnet.te b/policy/modules/contrib/telnet.te
index 6de3d82..c39ea8f 100644
--- a/policy/modules/contrib/telnet.te
+++ b/policy/modules/contrib/telnet.te
@@ -7,7 +7,8 @@ policy_module(telnet, 1.10.0)
type telnetd_t;
type telnetd_exec_t;
-inetd_service_domain(telnetd_t, telnetd_exec_t)
+init_daemon_domain(telnetd_t, telnetd_exec_t)
+
role system_r types telnetd_t;
type telnetd_devpts_t; #, userpty_type;
@@ -85,6 +86,10 @@ userdom_search_user_home_dirs(telnetd_t)
userdom_setattr_user_ptys(telnetd_t)
optional_policy(`
+ inetd_service_domain(telnetd_t, telnetd_exec_t)
+')
+
+optional_policy(`
kerberos_keytab_template(telnetd, telnetd_t)
kerberos_manage_host_rcache(telnetd_t)
')
diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te
index 32b4f76..8ea7478 100644
--- a/policy/modules/contrib/webalizer.te
+++ b/policy/modules/contrib/webalizer.te
@@ -85,8 +85,10 @@ userdom_use_user_terminals(webalizer_t)
userdom_use_unpriv_users_fds(webalizer_t)
userdom_dontaudit_search_user_home_content(webalizer_t)
-apache_read_log(webalizer_t)
-apache_manage_sys_content(webalizer_t)
+optional_policy(`
+ apache_read_log(webalizer_t)
+ apache_manage_sys_content(webalizer_t)
+')
optional_policy(`
cron_system_entry(webalizer_t, webalizer_exec_t)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 6c6e9a5..1855595 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -136,7 +136,7 @@ postgresql_trusted_procedure_object(sepgsql_trusted_proc_exec_t)
# Ranged Trusted Procedure Domain
type sepgsql_ranged_proc_t;
domain_type(sepgsql_ranged_proc_t)
-role system_r types sepgqsl_ranged_proc_t;
+role system_r types sepgsql_ranged_proc_t;
type sepgsql_ranged_proc_exec_t;
postgresql_trusted_procedure_object(sepgsql_ranged_proc_exec_t)
@@ -455,7 +455,7 @@ allow sepgsql_client_type sepgsql_seq_t:db_sequence { getattr get_value next_val
allow sepgsql_client_type sepgsql_view_t:db_view { getattr expand };
allow sepgsql_client_type sepgsql_proc_exec_t:db_procedure { getattr execute install };
-allow sepgsql_client_type sepgsql_trusted_procedure_exec_t:db_procedure { getattr execute entrypoint };
+allow sepgsql_client_type sepgsql_trusted_procedure_type:db_procedure { getattr execute entrypoint };
allow sepgsql_client_type sepgsql_lang_t:db_language { getattr };
allow sepgsql_client_type sepgsql_safe_lang_t:db_language { getattr execute };
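Review bot: Switching the object from the single type `sepgsql_trusted_procedure_exec_t` to the attribute `sepgsql_trusted_procedure_type` widens the client rule to every type carrying that attribute, which from the first hunk includes `sepgsql_ranged_proc_exec_t` (labelled via `postgresql_trusted_procedure_object`). `sepgsql_client_type` can therefore now `execute`/`entrypoint` ranged trusted procedures as well; if that is intended, a comment such as `# covers all trusted procedure types, including the ranged one` would make it explicit, and if not, the rule should stay on the exec type. The same substitution is made in the two following hunks for `sepgsql_admin_type` and `sepgsql_unconfined_type`, and the postgresql module version is not bumped in this commit.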
@@ -547,7 +547,7 @@ tunable_policy(`sepgsql_unconfined_dbadm',`
allow sepgsql_admin_type sepgsql_view_type:db_view *;
allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure *;
- allow sepgsql_admin_type sepgsql_trusted_procedure_exec_t:db_procedure ~install;
+ allow sepgsql_admin_type sepgsql_trusted_procedure_type:db_procedure ~install;
allow sepgsql_admin_type sepgsql_procedure_type:db_procedure ~{ execute install };
allow sepgsql_admin_type sepgsql_language_type:db_language ~implement;
@@ -580,7 +580,7 @@ allow sepgsql_unconfined_type sepgsql_view_type:db_view *;
# unconfined domain is not allowed to invoke user defined procedure directly.
# They have to confirm and relabel it at first.
allow sepgsql_unconfined_type sepgsql_proc_exec_t:db_procedure *;
-allow sepgsql_unconfined_type sepgsql_trusted_procedure_exec_t:db_procedure ~install;
+allow sepgsql_unconfined_type sepgsql_trusted_procedure_type:db_procedure ~install;
allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure ~{ execute install };
allow sepgsql_unconfined_type sepgsql_language_type:db_language ~implement;