From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 35E07138010 for ; Tue, 2 Oct 2012 18:24:39 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id AB62721C02A; Tue, 2 Oct 2012 18:11:18 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 6CF2721C02A for ; Tue, 2 Oct 2012 18:11:18 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 2408733D72A for ; Tue, 2 Oct 2012 18:11:05 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id 4C6E8E5456 for ; Tue, 2 Oct 2012 18:11:01 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1349201235.dd202cba6ebbae36b4624a86292253520b1da82b.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/fprintd.fc policy/modules/contrib/fprintd.if policy/modules/contrib/fprintd.te policy/modules/contrib/policykit.if policy/modules/contrib/policykit.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: dd202cba6ebbae36b4624a86292253520b1da82b X-VCS-Branch: master Date: Tue, 2 Oct 2012 18:11:01 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: efebd144-8581-4087-b778-d314ec42d44a X-Archives-Hash: 9b8c97af0a8612b68cb9a3e385f38edd commit: dd202cba6ebbae36b4624a86292253520b1da82b Author: Dominick Grift gmail com> AuthorDate: Mon Oct 1 08:59:36 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Tue Oct 2 18:07:15 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=dd202cba Changes to the fprint policy module and relevant dependencies Ported from Fedora with changes Signed-off-by: Dominick Grift gmail.com> --- policy/modules/contrib/fprintd.fc | 3 ++- policy/modules/contrib/fprintd.if | 4 ++-- policy/modules/contrib/fprintd.te | 28 ++++++++++++++++------------ policy/modules/contrib/policykit.if | 21 +++++++++++++++++++++ policy/modules/contrib/policykit.te | 2 +- 5 files changed, 42 insertions(+), 16 deletions(-) diff --git a/policy/modules/contrib/fprintd.fc b/policy/modules/contrib/fprintd.fc index a4f5fb1..d861e88 100644 --- a/policy/modules/contrib/fprintd.fc +++ b/policy/modules/contrib/fprintd.fc 
@@ -1,2 +1,3 @@
 /usr/libexec/fprintd -- gen_context(system_u:object_r:fprintd_exec_t,s0)
-/var/lib/fprint(/.*)? gen_context(system_u:object_r:fprintd_var_lib_t,s0)
+
+/var/lib/fprint(/.*)? gen_context(system_u:object_r:fprintd_var_lib_t,s0)
diff --git a/policy/modules/contrib/fprintd.if b/policy/modules/contrib/fprintd.if
index ebad8c4..8081132 100644
--- a/policy/modules/contrib/fprintd.if
+++ b/policy/modules/contrib/fprintd.if
@@ -1,4 +1,4 @@
-## DBus fingerprint reader service
+## DBus fingerprint reader service.
 ########################################
 ##
@@ -15,6 +15,7 @@ interface(`fprintd_domtrans',`
 type fprintd_t, fprintd_exec_t;
 ')
+ corecmd_search_bin($1)
 domtrans_pattern($1, fprintd_exec_t, fprintd_t)
 ')
@@ -38,4 +39,3 @@ interface(`fprintd_dbus_chat',`
 allow $1 fprintd_t:dbus send_msg;
 allow fprintd_t $1:dbus send_msg;
 ')
-
diff --git a/policy/modules/contrib/fprintd.te b/policy/modules/contrib/fprintd.te
index 7df52c7..c81b6e8 100644
--- a/policy/modules/contrib/fprintd.te
+++ b/policy/modules/contrib/fprintd.te
@@ -1,4 +1,4 @@
-policy_module(fprintd, 1.1.0)
+policy_module(fprintd, 1.1.1)
 ########################################
 #
@@ -7,7 +7,7 @@ policy_module(fprintd, 1.1.0)
 type fprintd_t;
 type fprintd_exec_t;
-dbus_system_domain(fprintd_t, fprintd_exec_t)
+init_daemon_domain(fprintd_t, fprintd_exec_t)
 type fprintd_var_lib_t;
 files_type(fprintd_var_lib_t)
@@ -17,23 +17,19 @@ files_type(fprintd_var_lib_t)
 # Local policy
 #
-allow fprintd_t self:capability sys_ptrace;
+allow fprintd_t self:capability sys_nice;
+allow fprintd_t self:process { getsched setsched signal sigkill };
 allow fprintd_t self:fifo_file rw_fifo_file_perms;
-allow fprintd_t self:process { getsched signal };
 manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
 manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
-files_var_lib_filetrans(fprintd_t, fprintd_var_lib_t, { dir file })
 kernel_read_system_state(fprintd_t)
-corecmd_search_bin(fprintd_t)
-
 dev_list_usbfs(fprintd_t)
-dev_rw_generic_usb_dev(fprintd_t)
 dev_read_sysfs(fprintd_t)
+dev_rw_generic_usb_dev(fprintd_t)
-files_read_etc_files(fprintd_t)
 files_read_usr_files(fprintd_t)
 fs_getattr_all_fs(fprintd_t)
@@ -46,12 +42,20 @@ userdom_use_user_ptys(fprintd_t)
 userdom_read_all_users_state(fprintd_t)
 optional_policy(`
- consolekit_dbus_chat(fprintd_t)
+ dbus_system_domain(fprintd_t, fprintd_exec_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(fprintd_t)
+ ')
+
+ optional_policy(`
+ policykit_dbus_chat(fprintd_t)
+ policykit_dbus_chat_auth(fprintd_t)
+ ')
 ')
 optional_policy(`
+ policykit_domtrans_auth(fprintd_t)
 policykit_read_reload(fprintd_t)
 policykit_read_lib(fprintd_t)
- policykit_dbus_chat(fprintd_t)
- policykit_domtrans_auth(fprintd_t)
 ')
diff --git a/policy/modules/contrib/policykit.if b/policy/modules/contrib/policykit.if
index 48ff1e8..8aa58e5 100644
--- a/policy/modules/contrib/policykit.if
+++ b/policy/modules/contrib/policykit.if
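Review bot: Removing `files_var_lib_filetrans(fprintd_t, fprintd_var_lib_t, { dir file })` in the local-policy hunk leaves no type transition under /var/lib for this domain, so if fprintd has to create /var/lib/fprint itself (rather than the package shipping it pre-labelled as fprintd.fc describes) the directory and the enrolled fingerprint templates inside it would be created with the parent's generic var_lib type, which the remaining `manage_dirs_pattern`/`manage_files_pattern` rules on fprintd_var_lib_t do not cover. If the line was dropped because the directory is always packaged, a short comment next to the manage rules such as `# /var/lib/fprint is shipped by the package; no filetrans needed` would save the next reader the question; otherwise the filetrans should stay. The hunk also drops `files_read_etc_files(fprintd_t)` with no replacement visible here; if that is now provided through `init_daemon_domain` or the base domain in this refpolicy branch, the commit message should say so, since a daemon that cannot read /etc usually fails at startup rather than at the point of the missing permission.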
@@ -23,6 +23,27 @@ interface(`policykit_dbus_chat',`
 ########################################
 ##
+## Send and receive messages from
+## policykit auth over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`policykit_dbus_chat_auth',`
+ gen_require(`
+ type policykit_auth_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 policykit_auth_t:dbus send_msg;
+ allow policykit_auth_t $1:dbus send_msg;
+')
+
+########################################
+##
 ## Execute a domain transition to run polkit_auth.
 ##
 ##
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index 2c37cce..e76b78f 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -1,4 +1,4 @@
-policy_module(policykit, 1.2.2)
+policy_module(policykit, 1.2.3)
 ########################################
 #
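Review bot: The new `policykit_dbus_chat_auth` interface only adds the two `dbus send_msg` allow rules between $1 and policykit_auth_t; it does not make $1 a bus client, so a caller that is not already one is still denied at the bus, which is presumably why fprintd.te nests the call under `dbus_system_domain` in this same commit. The summary should state that precondition so other callers do not use it standalone, e.g. `## The caller must already be a system bus client; this only adds the send_msg pair with policykit_auth_t.` inside the summary block. It is also worth saying in the summary that the grant is bidirectional, since the second rule lets the authentication agent message the caller as well.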