From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-511493-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	by finch.gentoo.org (Postfix) with ESMTP id 50CA8138010
	for <garchives@archives.gentoo.org>; Thu,  4 Oct 2012 17:37:54 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 7B0F6E071E;
	Thu,  4 Oct 2012 17:36:21 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	by pigeon.gentoo.org (Postfix) with ESMTP id 37F7CE0713
	for <gentoo-commits@lists.gentoo.org>; Thu,  4 Oct 2012 17:36:16 +0000 (UTC)
Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163])
	(using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 1F23D33C399
	for <gentoo-commits@lists.gentoo.org>; Thu,  4 Oct 2012 17:36:15 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1])
	by hornbill.gentoo.org (Postfix) with ESMTP id 02B2AE544F
	for <gentoo-commits@lists.gentoo.org>; Thu,  4 Oct 2012 17:36:13 +0000 (UTC)
From: "Sven Vermeulen" <sven.vermeulen@siphos.be>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" <sven.vermeulen@siphos.be>
Message-ID: <1349371917.023297f8703dc1920ae9ff150f871d7388e73bf9.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/gpm.fc policy/modules/contrib/gpm.if policy/modules/contrib/gpm.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 023297f8703dc1920ae9ff150f871d7388e73bf9
X-VCS-Branch: master
Date: Thu,  4 Oct 2012 17:36:13 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: a573b025-177e-43cd-ab5f-665da640f423
X-Archives-Hash: 8938107cee9c916c1f59a232a05a3441

commit:     023297f8703dc1920ae9ff150f871d7388e73bf9
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Thu Oct  4 09:46:40 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Oct  4 17:31:57 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=023297f8

Changes to the gpm policy module

Ported from Fedora with changes
Update gpg configuration file context specification
Add init script file and gpm_admin()

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/contrib/gpm.fc |   12 +++++--
 policy/modules/contrib/gpm.if |   67 +++++++++++++++++++++++++++++++++--------
 policy/modules/contrib/gpm.te |    8 ++++-
 3 files changed, 68 insertions(+), 19 deletions(-)

diff --git a/policy/modules/contrib/gpm.fc b/policy/modules/contrib/gpm.fc
index 6fc9661..fea6fa4 100644
--- a/policy/modules/contrib/gpm.fc
+++ b/policy/modules/contrib/gpm.fc
@@ -1,7 +1,11 @@
+/dev/gpmctl	-s	gen_context(system_u:object_r:gpmctl_t,s0)
+/dev/gpmdata	-p	gen_context(system_u:object_r:gpmctl_t,s0)
 
-/dev/gpmctl		-s	gen_context(system_u:object_r:gpmctl_t,s0)
-/dev/gpmdata		-p	gen_context(system_u:object_r:gpmctl_t,s0)
+/etc/gpm(/.*)?	gen_context(system_u:object_r:gpm_conf_t,s0)
+/etc/gpm-.*\.conf	--	gen_context(system_u:object_r:gpm_conf_t,s0)
 
-/etc/gpm(/.*)?			gen_context(system_u:object_r:gpm_conf_t,s0)
+/etc/rc\.d/init\.d/gpm	--	gen_context(system_u:object_r:gpm_initrc_exec_t,s0)
 
-/usr/sbin/gpm		--	gen_context(system_u:object_r:gpm_exec_t,s0)
+/usr/sbin/gpm	--	gen_context(system_u:object_r:gpm_exec_t,s0)
+
+/var/run/gpm\.pid	--	gen_context(system_u:object_r:gpm_var_run_t,s0)
\ No newline at end of file

diff --git a/policy/modules/contrib/gpm.if b/policy/modules/contrib/gpm.if
index 7d97298..f1528c9 100644
--- a/policy/modules/contrib/gpm.if
+++ b/policy/modules/contrib/gpm.if
@@ -1,4 +1,4 @@
-## <summary>General Purpose Mouse driver</summary>
+## <summary>General Purpose Mouse driver.</summary>
 
 ########################################
 ## <summary>
@@ -16,14 +16,14 @@ interface(`gpm_stream_connect',`
 		type gpmctl_t, gpm_t;
 	')
 
-	allow $1 gpmctl_t:sock_file rw_sock_file_perms;
-	allow $1 gpm_t:unix_stream_socket connectto;
+	dev_list_all_dev_nodes($1)
+	stream_connect_pattern($1, gpmctl_t, gpmctl_t, gpm_t)
 ')
 
 ########################################
 ## <summary>
-##	Get the attributes of the GPM
-##	control channel named socket.
+##	Get attributes of gpm control
+##	channel named sock files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -37,14 +37,14 @@ interface(`gpm_getattr_gpmctl',`
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 gpmctl_t:sock_file getattr;
+	allow $1 gpmctl_t:sock_file getattr_sock_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to get the 
-##	attributes of the GPM control channel
-##	named socket.
+##	Do not audit attempts to get
+##	attributes of gpm control channel
+##	named sock files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -57,13 +57,13 @@ interface(`gpm_dontaudit_getattr_gpmctl',`
 		type gpmctl_t;
 	')
 
-	dontaudit $1 gpmctl_t:sock_file getattr;
+	dontaudit $1 gpmctl_t:sock_file getattr_sock_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Set the attributes of the GPM
-##	control channel named socket.
+##	Set attributes of gpm control
+##	channel named sock files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -77,5 +77,46 @@ interface(`gpm_setattr_gpmctl',`
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 gpmctl_t:sock_file setattr;
+	allow $1 gpmctl_t:sock_file setattr_sock_file_perms;
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an gpm environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`gpm_admin',`
+	gen_require(`
+		type gpm_t, gpm_conf_t, gpm_initrc_exec_t;
+		type gpm_var_run_t, gpmctl_t;
+	')
+
+	allow $1 gpm_t:process { ptrace signal_perms };
+	ps_process_pattern($1, gpm_t)
+
+	init_labeled_script_domtrans($1, gpm_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 gpm_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_search_etc($1)
+	admin_pattern($1, gpm_conf_t)
+
+	dev_list_all_dev_nodes($1)
+	admin_pattern($1, gpmctl_t)
+
+	files_search_pids($1)
+	admin_pattern($1, gpm_var_run_t)
 ')

diff --git a/policy/modules/contrib/gpm.te b/policy/modules/contrib/gpm.te
index a627b34..d1f14c5 100644
--- a/policy/modules/contrib/gpm.te
+++ b/policy/modules/contrib/gpm.te
@@ -1,4 +1,4 @@
-policy_module(gpm, 1.8.0)
+policy_module(gpm, 1.8.1)
 
 ########################################
 #
@@ -9,6 +9,9 @@ type gpm_t;
 type gpm_exec_t;
 init_daemon_domain(gpm_t, gpm_exec_t)
 
+type gpm_initrc_exec_t;
+init_script_file(gpm_initrc_exec_t)
+
 type gpm_conf_t;
 files_type(gpm_conf_t)
 
@@ -28,7 +31,7 @@ files_type(gpmctl_t)
 
 allow gpm_t self:capability { setpcap setuid dac_override sys_admin sys_tty_config };
 allow gpm_t self:process { getcap setcap };
-allow gpm_t self:unix_stream_socket create_stream_socket_perms;
+allow gpm_t self:unix_stream_socket { accept listen };
 
 allow gpm_t gpm_conf_t:dir list_dir_perms;
 read_files_pattern(gpm_t, gpm_conf_t, gpm_conf_t)
@@ -67,6 +70,7 @@ logging_send_syslog_msg(gpm_t)
 
 miscfiles_read_localization(gpm_t)
 
+userdom_use_user_terminals(gpm_t)
 userdom_dontaudit_use_unpriv_user_fds(gpm_t)
 userdom_dontaudit_search_user_home_dirs(gpm_t)