From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 9D600138200 for ; Thu, 4 Oct 2012 17:37:54 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 71F81E0716; Thu, 4 Oct 2012 17:36:16 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 308DBE06FD for ; Thu, 4 Oct 2012 17:36:16 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 0B5B433C2F0 for ; Thu, 4 Oct 2012 17:36:15 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id ACB76E544D for ; Thu, 4 Oct 2012 17:36:12 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1349371869.47142578517b474f12a0553ba7e8766c34c1d3f4.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/chronyd.if policy/modules/contrib/chronyd.te policy/modules/contrib/gnomeclock.fc policy/modules/contrib/gnomeclock.if policy/modules/contrib/gnomeclock.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 47142578517b474f12a0553ba7e8766c34c1d3f4 X-VCS-Branch: master Date: Thu, 4 Oct 2012 17:36:12 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 5a332116-5514-4506-9b80-6c10eb6eecf6 X-Archives-Hash: 9acb8ae5ec138e140665cb41239f8dae commit: 47142578517b474f12a0553ba7e8766c34c1d3f4 Author: Dominick Grift gmail com> AuthorDate: Thu Oct 4 08:22:58 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Thu Oct 4 17:31:09 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=47142578 Changes to the gnomeclock policy module and relevant dependencies Ported from Fedora with changes Signed-off-by: Dominick Grift gmail.com> --- policy/modules/contrib/chronyd.if | 21 +++++++++++- policy/modules/contrib/chronyd.te | 2 +- policy/modules/contrib/gnomeclock.fc | 3 ++ policy/modules/contrib/gnomeclock.if | 13 ++++--- policy/modules/contrib/gnomeclock.te | 61 +++++++++++++++++++++++++++------ 5 files changed, 82 insertions(+), 18 deletions(-) diff --git a/policy/modules/contrib/chronyd.if b/policy/modules/contrib/chronyd.if index 2796fc5..b64ec10 100644 --- a/policy/modules/contrib/chronyd.if 
+++ b/policy/modules/contrib/chronyd.if
@@ -19,6 +19,25 @@ interface(`chronyd_domtrans',`
 domtrans_pattern($1, chronyd_exec_t, chronyd_t)
 ')
 
+########################################
+##
+## Execute chronyd server in the
+## chronyd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`chronyd_initrc_domtrans',`
+ gen_require(`
+ type chronyd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
+')
+
 ####################################
 ##
 ## Execute chronyd in the caller domain.
@@ -84,7 +103,7 @@ interface(`chronyd_admin',`
 allow $1 chronyd_t:process { ptrace signal_perms };
 ps_process_pattern($1, chronyd_t)
 
- init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
+ chronyd_initrc_domtrans($1)
 domain_system_change_exemption($1)
 role_transition $2 chronyd_initrc_exec_t system_r;
 allow $2 system_r;
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index 4a4fe48..2b4fe4e 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -1,4 +1,4 @@
-policy_module(chronyd, 1.1.1)
+policy_module(chronyd, 1.1.2)
 
 ########################################
 #
diff --git a/policy/modules/contrib/gnomeclock.fc b/policy/modules/contrib/gnomeclock.fc
index 462de63..b687443 100644
--- a/policy/modules/contrib/gnomeclock.fc
+++ b/policy/modules/contrib/gnomeclock.fc
@@ -1,2 +1,5 @@
 /usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+
+/usr/libexec/kde(3|4)/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
 
diff --git a/policy/modules/contrib/gnomeclock.if b/policy/modules/contrib/gnomeclock.if
index 671d8fd..788ff46 100644
--- a/policy/modules/contrib/gnomeclock.if
+++ b/policy/modules/contrib/gnomeclock.if
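Review bot: The summary on the new `chronyd_initrc_domtrans` interface says it executes the chronyd server in the chronyd domain, but the body calls `init_labeled_script_domtrans($1, chronyd_initrc_exec_t)`, which moves the caller into the init script domain when it runs chronyd's init script, not into chronyd_t; the wording was evidently carried over from `chronyd_domtrans` just above. Replace the two summary lines with `## Execute chronyd init scripts in the init script domain.`. The description matters for anyone deciding what to grant, since a caller such as gnomeclock_t in this commit gains the ability to start and stop the chronyd service, not merely to run the daemon binary.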
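Review bot: The new `gsd-datetime-mechanism` and KDE `kcmdatetimehelper` entries give three distinct helpers the single label gnomeclock_exec_t, so each runs with the whole gnomeclock_t grant defined in gnomeclock.te in this commit (sys_time, shell and bin execution, and transitions to the chronyd and ntp init scripts); nothing in the file records that this sharing across desktops is intended, and the module name no longer describes what it covers. A comment above the KDE line, `# KDE datetime helper is confined in the gnomeclock domain`, would keep a later reader from dropping or splitting the entry by accident, and is the place to note it if the KDE helper ever needs a narrower domain.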
@@ -2,7 +2,8 @@
 
 ########################################
 ##
-## Execute a domain transition to run gnomeclock.
+## Execute a domain transition to
+## run gnomeclock.
 ##
 ##
 ##
@@ -15,13 +16,15 @@ interface(`gnomeclock_domtrans',`
 type gnomeclock_t, gnomeclock_exec_t;
 ')
 
+ corecmd_search_bin($1)
 domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t)
 ')
 
 ########################################
 ##
-## Execute gnomeclock in the gnomeclock domain, and
-## allow the specified role the gnomeclock domain.
+## Execute gnomeclock in the gnomeclock
+## domain, and allow the specified
+## role the gnomeclock domain.
 ##
 ##
 ##
@@ -36,11 +39,11 @@ interface(`gnomeclock_domtrans',`
 #
 interface(`gnomeclock_run',`
 gen_require(`
- type gnomeclock_t;
+ attribute_role gnomeclock_roles;
 ')
 
 gnomeclock_domtrans($1)
- role $2 types gnomeclock_t;
+ roleattribute $2 gnomeclock_roles;
 ')
 
 ########################################
diff --git a/policy/modules/contrib/gnomeclock.te b/policy/modules/contrib/gnomeclock.te
index 4fde46b..06217e8 100644
--- a/policy/modules/contrib/gnomeclock.te
+++ b/policy/modules/contrib/gnomeclock.te
@@ -1,45 +1,84 @@
-policy_module(gnomeclock, 1.0.0)
+policy_module(gnomeclock, 1.0.1)
 
 ########################################
 #
 # Declarations
 #
 
+attribute_role gnomeclock_roles;
+
 type gnomeclock_t;
 type gnomeclock_exec_t;
 dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+role gnomeclock_roles types gnomeclock_t;
 
 ########################################
 #
-# gnomeclock local policy
+# Local policy
 #
 
-allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };
-allow gnomeclock_t self:process { getattr getsched };
+allow gnomeclock_t self:capability { sys_nice sys_time };
+allow gnomeclock_t self:process { getattr getsched signal };
 allow gnomeclock_t self:fifo_file rw_fifo_file_perms;
-allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
+allow gnomeclock_t self:unix_stream_socket { accept listen };
+
+kernel_read_system_state(gnomeclock_t)
 
 corecmd_exec_bin(gnomeclock_t)
+corecmd_exec_shell(gnomeclock_t)
+
+corenet_all_recvfrom_unlabeled(gnomeclock_t)
+corenet_all_recvfrom_netlabel(gnomeclock_t)
+corenet_tcp_sendrecv_generic_if(gnomeclock_t)
+corenet_tcp_sendrecv_generic_node(gnomeclock_t)
+
+# tcp:37 (time)
+corenet_sendrecv_inetd_child_client_packets(gnomeclock_t)
+corenet_tcp_connect_inetd_child_port(gnomeclock_t)
+corenet_tcp_sendrecv_inetd_child_port(gnomeclock_t)
+
+dev_read_sysfs(gnomeclock_t)
 
-files_read_etc_files(gnomeclock_t)
 files_read_usr_files(gnomeclock_t)
 
+fs_getattr_xattr_fs(gnomeclock_t)
+
 auth_use_nsswitch(gnomeclock_t)
 
-clock_domtrans(gnomeclock_t)
+logging_send_syslog_msg(gnomeclock_t)
 
-miscfiles_read_localization(gnomeclock_t)
-miscfiles_manage_localization(gnomeclock_t)
 miscfiles_etc_filetrans_localization(gnomeclock_t)
+miscfiles_manage_localization(gnomeclock_t)
+miscfiles_read_localization(gnomeclock_t)
 
 userdom_read_all_users_state(gnomeclock_t)
 
 optional_policy(`
- consolekit_dbus_chat(gnomeclock_t)
+ chronyd_initrc_domtrans(gnomeclock_t)
+')
+
+optional_policy(`
+ clock_domtrans(gnomeclock_t)
+')
+
+optional_policy(`
+ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(gnomeclock_t)
+ ')
+
+ optional_policy(`
+ policykit_dbus_chat(gnomeclock_t)
+ ')
+')
+
+optional_policy(`
+ ntp_domtrans_ntpdate(gnomeclock_t)
+ ntp_initrc_domtrans(gnomeclock_t)
 ')
 
 optional_policy(`
- policykit_dbus_chat(gnomeclock_t)
 policykit_domtrans_auth(gnomeclock_t)
 policykit_read_lib(gnomeclock_t)
 policykit_read_reload(gnomeclock_t)
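Review bot: `dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)` is now called twice, once unconditionally in the declarations (a context line this hunk keeps) and again inside the new `optional_policy` block, so the wrapper does not actually make dbus optional and the nested consolekit and policykit chat blocks are gated on a dependency the module already hard-requires. Presumably the port meant the declaration to become an `init_system_domain(gnomeclock_t, gnomeclock_exec_t)` with the dbus pieces living only in the optional block, as the Fedora layout suggests — confirm against the source; otherwise drop the duplicate inside `optional_policy`. Separately, the `# tcp:37 (time)` comment over `corenet_tcp_connect_inetd_child_port` understates what is granted if inetd_child_port_t spans more ports than 37 in this corenetwork definition, which I believe it does; either name the actual port set in the comment or note that the wider set is accepted for this helper.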