From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1349201285.515972fb2ea44f2c331f09bd61991e46976f1064.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Tue, 2 Oct 2012 18:11:02 +0000 (UTC)
List-Id: Gentoo Linux mail
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/gitosis.fc policy/modules/contrib/gitosis.if policy/modules/contrib/gitosis.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 515972fb2ea44f2c331f09bd61991e46976f1064
X-VCS-Branch: master

commit:     515972fb2ea44f2c331f09bd61991e46976f1064
Author:     Dominick Grift gmail com>
AuthorDate: Tue Oct 2 10:48:22 2012 +0000
Commit:     Sven Vermeulen siphos be>
CommitDate: Tue Oct 2 18:08:05 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=515972fb

Changes to the gitosis policy module

Ported from Fedora with changes

Use role attributes

Signed-off-by: Dominick Grift gmail.com>

---
 policy/modules/contrib/gitosis.fc | 10 ++++------
 policy/modules/contrib/gitosis.if | 17 +++++++++--------
 policy/modules/contrib/gitosis.te | 30 +++++++++++++++++++++++++++---
 3 files changed, 40 insertions(+), 17 deletions(-)

diff --git a/policy/modules/contrib/gitosis.fc b/policy/modules/contrib/gitosis.fc
index 93f5a72..a0d5662 100644
--- a/policy/modules/contrib/gitosis.fc
+++ b/policy/modules/contrib/gitosis.fc
@@ -1,9 +1,7 @@ -ifdef(`distro_debian',` -/srv/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0) -') +/srv/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0) -/usr/bin/gitosis-serve -- gen_context(system_u:object_r:gitosis_exec_t,s0) -/usr/bin/gl-auth-command -- gen_context(system_u:object_r:gitosis_exec_t,s0) +/usr/bin/gitosis-serve -- gen_context(system_u:object_r:gitosis_exec_t,s0) +/usr/bin/gl-auth-command -- gen_context(system_u:object_r:gitosis_exec_t,s0) -/var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0) +/var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0) /var/lib/gitolite(3)?(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0) diff --git a/policy/modules/contrib/gitosis.if b/policy/modules/contrib/gitosis.if index e898b91..f8ca38c 100644 --- a/policy/modules/contrib/gitosis.if +++ b/policy/modules/contrib/gitosis.if @@ -15,17 +15,19 @@ interface(`gitosis_domtrans',` type gitosis_t, gitosis_exec_t; ') + corecmd_search_bin($1) domtrans_pattern($1, gitosis_exec_t, gitosis_t) ') ####################################### ## -## Execute gitosis-serve in the gitosis domain, and -## allow the specified role the gitosis domain. +## Execute gitosis-serve in the +## gitosis domain, and allow the +## specified role the gitosis domain. ## ## ## -## Domain allowed access +## Domain allowed to transition. ## ## ## @@ -36,17 +38,16 @@ interface(`gitosis_domtrans',` # interface(`gitosis_run',` gen_require(` - type gitosis_t; + attribute_role gitosis_roles; ') gitosis_domtrans($1) - role $2 types gitosis_t; + roleattribute $2 gitosis_roles; ') ####################################### ## -## Allow the specified domain to read -## gitosis lib files. +## Read gitosis lib files. ## ## ## @@ -67,7 +68,7 @@ interface(`gitosis_read_lib_files',` ###################################### ## -## Allow the specified domain to manage +## Create, read, write, and delete ## gitosis lib files. ## ## 
diff --git a/policy/modules/contrib/gitosis.te b/policy/modules/contrib/gitosis.te index 5c99236..3194b76 100644 --- a/policy/modules/contrib/gitosis.te +++ b/policy/modules/contrib/gitosis.te @@ -1,21 +1,31 @@ -policy_module(gitosis, 1.3.1) +policy_module(gitosis, 1.3.2) ######################################## # # Declarations # +## +##

+## Determine whether Gitosis can send mail. +##

+##
+gen_tunable(gitosis_can_sendmail, false) + +attribute_role gitosis_roles; +roleattribute system_r gitosis_roles; + type gitosis_t; type gitosis_exec_t; application_domain(gitosis_t, gitosis_exec_t) -role system_r types gitosis_t; +role gitosis_roles types gitosis_t; type gitosis_var_lib_t; files_type(gitosis_var_lib_t) ######################################## # -# gitosis local policy +# Local policy # allow gitosis_t self:fifo_file rw_fifo_file_perms; @@ -27,6 +37,16 @@ manage_dirs_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t) kernel_read_system_state(gitosis_t) +corenet_all_recvfrom_unlabeled(gitosis_t) +corenet_all_recvfrom_netlabel(gitosis_t) +corenet_tcp_sendrecv_generic_if(gitosis_t) +corenet_tcp_sendrecv_generic_node(gitosis_t) +corenet_tcp_bind_generic_node(gitosis_t) + +corenet_sendrecv_ssh_server_packets(gitosis_t) +corenet_tcp_bind_ssh_port(gitosis_t) +corenet_tcp_sendrecv_ssh_port(gitosis_t) + corecmd_exec_bin(gitosis_t) corecmd_exec_shell(gitosis_t) @@ -39,3 +59,7 @@ files_search_var_lib(gitosis_t) miscfiles_read_localization(gitosis_t) sysnet_read_config(gitosis_t) + +tunable_policy(`gitosis_can_sendmail',` + mta_send_mail(gitosis_t) +')
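Review bot: dropping the `ifdef(`distro_debian',` ... `')` guard in the gitosis.fc hunk makes the `/srv/lib/gitosis(/.*)?` context unconditional on every distribution. That is harmless where the path does not exist, but the commit message ("Ported from Fedora with changes") does not say the Debian-only guard was meant to go, so either mention it there or keep the ifdef. The other lines in that hunk only change the whitespace between path and `gen_context(...)`, which buries the one real change in noise.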
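Review bot: in the `gitosis_run` hunk of gitosis.if, replacing `role $2 types gitosis_t;` with `roleattribute $2 gitosis_roles;` and requiring `attribute_role gitosis_roles` instead of `type gitosis_t` are consistent with the `attribute_role gitosis_roles;` / `role gitosis_roles types gitosis_t;` declarations added in gitosis.te, so callers no longer need the type itself in scope. The parameter doc in that hunk was only reworded for `$1` (`Domain allowed to transition.`); the `$2` description is outside the hunk, so confirm it still reads as a role that is granted the gitosis domain. Adding `corecmd_search_bin($1)` to `gitosis_domtrans` is the right fix, since a caller cannot reach `gitosis_exec_t` under /usr/bin without search on the bin directories.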
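Review bot: the network block in the `@@ -27,6 +37,16 @@` hunk of gitosis.te gives gitosis_t `corenet_tcp_bind_generic_node` and `corenet_tcp_bind_ssh_port`, i.e. permission to listen on the SSH port. gitosis-serve and gl-auth-command (the `gitosis_exec_t` entries in gitosis.fc) run as forced commands inside an SSH session that sshd has already accepted; they are not a listening daemon, so bind on port 22 is more than the domain needs and widens what a compromised hook could do. Unless a denial was actually observed, drop the two bind lines and keep the `sendrecv` rules, or gate the whole block behind a tunable, and note in the commit message which Fedora denials motivated it.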
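Review bot: the `gitosis_can_sendmail` tunable in the first gitosis.te hunk is declared with `gen_tunable(gitosis_can_sendmail, false)` and consumed by `tunable_policy(`gitosis_can_sendmail',` mta_send_mail(gitosis_t) ')` at the end of the file, which is the right shape for hook-triggered mail that stays off by default. The XML description between the `##` markers is cut in this message (only `## ` fragments survive), so check that the committed file carries the complete `<desc><p>...</p></desc>` wrapper around "Determine whether Gitosis can send mail.", otherwise the documentation extraction will not pick the tunable up. The version bump to `policy_module(gitosis, 1.3.2)` is appropriate for an interface and declaration change.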