* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2012-09-27 18:05 Sven Vermeulen
From: Sven Vermeulen @ 2012-09-27 18:05 UTC
To: gentoo-commits
commit: 5e4308f800b9859fcb9654e8242e8fa6ffe059fb
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Mon Sep 24 10:40:58 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Sep 27 17:15:38 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5e4308f8
Initial collectd policy module
collectd is a daemon which collects system performance statistics
periodically and provides mechanisms to store the values in a variety of
ways, for example in RRD files.
Ported from Fedora with changes
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
collectd.fc | 9 ++++++
collectd.if | 39 +++++++++++++++++++++++++
collectd.te | 90 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 138 insertions(+), 0 deletions(-)
diff --git a/collectd.fc b/collectd.fc
new file mode 100644
index 0000000..79a3abe
--- /dev/null
+++ b/collectd.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/collectd -- gen_context(system_u:object_r:collectd_initrc_exec_t,s0)
+
+/usr/sbin/collectd -- gen_context(system_u:object_r:collectd_exec_t,s0)
+
+/var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0)
+
+/var/run/collectd\.pid -- gen_context(system_u:object_r:collectd_var_run_t,s0)
+
+/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0)
diff --git a/collectd.if b/collectd.if
new file mode 100644
index 0000000..954309e
--- /dev/null
+++ b/collectd.if
@@ -0,0 +1,39 @@
+## <summary>Statistics collection daemon for filling RRD files.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an collectd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`collectd_admin',`
+ gen_require(`
+ type collectd_t, collectd_initrc_exec_t, collectd_var_run_t;
+ type collectd_var_lib_t;
+ ')
+
+ allow $1 collectd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, collectd_t)
+
+ init_labeled_script_domtrans($1, collectd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 collectd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_pids($1)
+ admin_pattern($1, collectd_var_run_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, collectd_var_lib_t)
+')
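Review bot: the summary reads "administrate an collectd environment"; it should be "a collectd environment". Otherwise the interface follows the standard admin shape (process control, init script domtrans, admin_pattern on the pid and var_lib types), and the gen_require block lists exactly the types it uses.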
diff --git a/collectd.te b/collectd.te
new file mode 100644
index 0000000..6471fa8
--- /dev/null
+++ b/collectd.te
@@ -0,0 +1,90 @@
+policy_module(collectd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether collectd can connect
+## to the network using TCP.
+## </p>
+## </desc>
+gen_tunable(collectd_tcp_network_connect, false)
+
+type collectd_t;
+type collectd_exec_t;
+init_daemon_domain(collectd_t, collectd_exec_t)
+
+type collectd_initrc_exec_t;
+init_script_file(collectd_initrc_exec_t)
+
+type collectd_var_lib_t;
+files_type(collectd_var_lib_t)
+
+type collectd_var_run_t;
+files_pid_file(collectd_var_run_t)
+
+apache_content_template(collectd)
+
+########################################
+#
+# Local policy
+#
+
+allow collectd_t self:capability { ipc_lock sys_nice };
+allow collectd_t self:process { getsched setsched signal };
+allow collectd_t self:fifo_file rw_fifo_file_perms;
+allow collectd_t self:packet_socket create_socket_perms;
+allow collectd_t self:unix_stream_socket { accept listen };
+
+manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
+manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
+files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)
+
+manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
+files_pid_filetrans(collectd_t, collectd_var_run_t, file)
+
+domain_use_interactive_fds(collectd_t)
+
+kernel_read_network_state(collectd_t)
+kernel_read_net_sysctls(collectd_t)
+kernel_read_system_state(collectd_t)
+
+dev_read_rand(collectd_t)
+dev_read_sysfs(collectd_t)
+dev_read_urand(collectd_t)
+
+files_getattr_all_dirs(collectd_t)
+files_read_etc_files(collectd_t)
+files_read_usr_files(collectd_t)
+
+fs_getattr_all_fs(collectd_t)
+
+miscfiles_read_localization(collectd_t)
+
+logging_send_syslog_msg(collectd_t)
+
+sysnet_dns_name_resolve(collectd_t)
+
+tunable_policy(`collectd_tcp_network_connect',`
+ corenet_sendrecv_all_client_packets(collectd_t)
+ corenet_tcp_connect_all_ports(collectd_t)
+ corenet_tcp_sendrecv_all_ports(collectd_t)
+')
+
+optional_policy(`
+ virt_read_config(collectd_t)
+')
+
+########################################
+#
+# Web local policy
+#
+
+optional_policy(`
+ read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
+ list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
+ miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
+')
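Review bot: `allow collectd_t self:packet_socket create_socket_perms;` is paired with a capability set of only `{ ipc_lock sys_nice }`; opening an AF_PACKET socket also needs CAP_NET_RAW, so this rule is either unreachable or an incomplete answer to a denial seen while testing. Either add `net_raw` to the self:capability rule with a comment naming the plugin that needs it, or drop the packet_socket rule. The `collectd_tcp_network_connect` tunable is also very wide (connect to all ports); if the ported plugins only talk to a few known services, limiting it to those port types keeps the default-off boolean from becoming an all-or-nothing switch.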
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2012-09-27 18:05 Sven Vermeulen
From: Sven Vermeulen @ 2012-09-27 18:05 UTC
To: gentoo-commits
commit: e0d71e8891249c8f1f3581753f4a94bab73d89f3
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Tue Sep 25 10:10:46 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Sep 27 17:16:16 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e0d71e88
Clean up couchdb network rules
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
couchdb.te | 6 +-----
1 files changed, 1 insertions(+), 5 deletions(-)
diff --git a/couchdb.te b/couchdb.te
index a9da236..503adab 100644
--- a/couchdb.te
+++ b/couchdb.te
@@ -1,4 +1,4 @@
-policy_module(couchdb, 1.0.1)
+policy_module(couchdb, 1.0.2)
########################################
#
@@ -68,12 +68,8 @@ corecmd_exec_shell(couchdb_t)
corenet_all_recvfrom_unlabeled(couchdb_t)
corenet_all_recvfrom_netlabel(couchdb_t)
corenet_tcp_sendrecv_generic_if(couchdb_t)
-corenet_udp_sendrecv_generic_if(couchdb_t)
corenet_tcp_sendrecv_generic_node(couchdb_t)
-corenet_udp_sendrecv_generic_node(couchdb_t)
-corenet_udp_sendrecv_all_ports(couchdb_t)
corenet_tcp_bind_generic_node(couchdb_t)
-corenet_udp_bind_generic_node(couchdb_t)
corenet_sendrecv_couchdb_server_packets(couchdb_t)
corenet_tcp_bind_couchdb_port(couchdb_t)
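Review bot: removing the four UDP rules matches the commit message, but `corenet_all_recvfrom_unlabeled` and `corenet_all_recvfrom_netlabel` stay, so check that any DNS lookups couchdb still performs are covered elsewhere in the file (a `sysnet_dns_name_resolve` call brings its own UDP permissions); if nothing else grants UDP, name resolution will be the first thing to break after this change.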
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2012-10-02 18:11 Sven Vermeulen
From: Sven Vermeulen @ 2012-10-02 18:11 UTC
To: gentoo-commits
commit: 126f937fbf4b9c5dc0a11d3fa5bddae6d8049851
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Mon Oct 1 08:26:16 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Oct 2 18:06:03 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=126f937f
Initial firewalld policy module
FirewallD is a service daemon with a D-BUS interface that provides a
dynamic managed firewall.
Ported from Fedora
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
firewalld.fc | 10 +++++++
firewalld.if | 43 +++++++++++++++++++++++++++++
firewalld.te | 85 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 138 insertions(+), 0 deletions(-)
diff --git a/firewalld.fc b/firewalld.fc
new file mode 100644
index 0000000..21d7b84
--- /dev/null
+++ b/firewalld.fc
@@ -0,0 +1,10 @@
+/etc/rc\.d/init\.d/firewalld -- gen_context(system_u:object_r:firewalld_initrc_exec_t,s0)
+
+/etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
+
+/usr/sbin/firewalld -- gen_context(system_u:object_r:firewalld_exec_t,s0)
+
+/var/log/firewalld.* -- gen_context(system_u:object_r:firewalld_var_log_t,s0)
+
+/var/run/firewalld(/.*)? gen_context(system_u:object_r:firewalld_var_run_t,s0)
+/var/run/firewalld\.pid -- gen_context(system_u:object_r:firewalld_var_run_t,s0)
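Review bot: `/var/log/firewalld.*` leaves the dot unescaped while every other spec in the file writes `\.`; as a regex it matches `/var/log/firewalld` followed by anything, including unrelated names such as `/var/log/firewalldfoo`. Anchor it to the real log name (for example `/var/log/firewalld(\..*)?` if rotated copies are `firewalld.1` and so on). Minor: the two `/var/run/firewalld` entries are the only pair in the file without a blank line between them.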
diff --git a/firewalld.if b/firewalld.if
new file mode 100644
index 0000000..82a225a
--- /dev/null
+++ b/firewalld.if
@@ -0,0 +1,43 @@
+## <summary>Service daemon with a D-BUS interface that provides a dynamic managed firewall.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an firewalld environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`firewalld_admin',`
+ gen_require(`
+ type firewalld_t, firewalld_initrc_exec_t;
+ type firewall_etc_rw_t, firewalld_var_run_t;
+ type firewalld_var_log_t;
+ ')
+
+ allow $1 firewalld_t:process { ptrace signal_perms };
+ ps_process_pattern($1, firewalld_t)
+
+ init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 firewalld_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_pids($1)
+ admin_pattern($1, firewalld_var_run_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, firewalld_var_log_t)
+
+ files_search_etc($1)
+ admin_pattern($1, firewall_etc_rw_t)
+')
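Review bot: the gen_require block declares `type firewall_etc_rw_t, firewalld_var_run_t;` and the last `admin_pattern` uses `firewall_etc_rw_t`, but the type declared in firewalld.te is `firewalld_etc_rw_t`; any policy that calls `firewalld_admin()` will fail to build with an undeclared type. Rename both occurrences to `firewalld_etc_rw_t`. Also "administrate an firewalld environment" should read "a firewalld environment".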
diff --git a/firewalld.te b/firewalld.te
new file mode 100644
index 0000000..0010122
--- /dev/null
+++ b/firewalld.te
@@ -0,0 +1,85 @@
+policy_module(firewalld, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type firewalld_t;
+type firewalld_exec_t;
+init_daemon_domain(firewalld_t, firewalld_exec_t)
+
+type firewalld_initrc_exec_t;
+init_script_file(firewalld_initrc_exec_t)
+
+type firewalld_etc_rw_t;
+files_config_file(firewalld_etc_rw_t)
+
+type firewalld_var_log_t;
+logging_log_file(firewalld_var_log_t)
+
+type firewalld_var_run_t;
+files_pid_file(firewalld_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit firewalld_t self:capability sys_tty_config;
+allow firewalld_t self:fifo_file rw_fifo_file_perms;
+allow firewalld_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
+manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
+
+allow firewalld_t firewalld_var_log_t:file append_file_perms;
+allow firewalld_t firewalld_var_log_t:file create_file_perms;
+allow firewalld_t firewalld_var_log_t:file read_file_perms;
+allow firewalld_t firewalld_var_log_t:file setattr_file_perms;
+logging_log_filetrans(firewalld_t, firewalld_var_log_t, file)
+
+manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
+files_pid_filetrans(firewalld_t, firewalld_var_run_t, file)
+
+kernel_read_network_state(firewalld_t)
+kernel_read_system_state(firewalld_t)
+
+corecmd_exec_bin(firewalld_t)
+corecmd_exec_shell(firewalld_t)
+
+dev_read_urand(firewalld_t)
+
+domain_use_interactive_fds(firewalld_t)
+
+files_read_etc_files(firewalld_t)
+files_read_usr_files(firewalld_t)
+
+fs_getattr_xattr_fs(firewalld_t)
+
+logging_send_syslog_msg(firewalld_t)
+
+miscfiles_read_localization(firewalld_t)
+
+seutil_exec_setfiles(firewalld_t)
+seutil_read_file_contexts(firewalld_t)
+
+optional_policy(`
+ dbus_system_domain(firewalld_t, firewalld_exec_t)
+
+ optional_policy(`
+ policykit_dbus_chat(firewalld_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(firewalld_t)
+ ')
+')
+
+optional_policy(`
+ iptables_domtrans(firewalld_t)
+')
+
+optional_policy(`
+ modutils_domtrans_insmod(firewalld_t)
+')
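Review bot: the four `allow firewalld_t firewalld_var_log_t:file ...` lines are spelled out by hand while the rest of the module uses the `*_pattern` macros; `append_files_pattern`, `create_files_pattern`, `read_files_pattern` and `setattr_files_pattern` over `(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)` say the same thing in the file's own style. `seutil_exec_setfiles` together with `seutil_read_file_contexts` means the daemon can relabel files; a comment stating what firewalld relabels would help the next reviewer decide whether that belongs in this domain.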
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2012-10-02 18:11 Sven Vermeulen
From: Sven Vermeulen @ 2012-10-02 18:11 UTC
To: gentoo-commits
commit: 7833917670767f7c534363c93f0e22a06394ea90
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Tue Oct 2 12:23:04 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Oct 2 18:09:11 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=78339176
Initial glusterfs policy module
Glusterfs binary, the glusterfsd daemon and the gluster command line,
libglusterfs and glusterfs translator modules common to both GlusterFS
server and client framework.
Ported from Fedora with changes
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
glusterfs.fc | 16 +++++++++
glusterfs.if | 49 ++++++++++++++++++++++++++++
glusterfs.te | 102 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 167 insertions(+), 0 deletions(-)
diff --git a/glusterfs.fc b/glusterfs.fc
new file mode 100644
index 0000000..4bd6ade
--- /dev/null
+++ b/glusterfs.fc
@@ -0,0 +1,16 @@
+/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
+
+/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
+/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
+
+/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
+/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+
+/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+
+/var/lib/gluster.* gen_context(system_u:object_r:glusterd_var_lib_t,s0)
+
+/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
+
+/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
+/var/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0)
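Review bot: `/usr/sbin/glusterd` is labeled `glusterd_initrc_exec_t` while `/usr/sbin/glusterfsd` gets `glusterd_exec_t`. If that is deliberate (glusterd being a wrapper that ends up executing glusterfsd, so init-script labeling gets it into the right domain), a one-line comment above the spec would save the next reader from treating it as a typo; if not, it should be `glusterd_exec_t`. The `/var/lib/gluster.*` spec has no file-type field and an unescaped dot, so it also catches any `/var/lib/glusterfoo` path; if the real directory name is known, a `(/.*)?` form on that name would be tighter.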
diff --git a/glusterfs.if b/glusterfs.if
new file mode 100644
index 0000000..bb2101d
--- /dev/null
+++ b/glusterfs.if
@@ -0,0 +1,49 @@
+## <summary>Cluster File System binary, daemon and command line.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an glusterd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`glusterd_admin',`
+ gen_require(`
+ type glusterd_t, glusterd_initrc_exec_t, glusterd_log_t;
+ type glusterd_tmp_t, glusterd_conf_t, glusterd_var_lib_t;
+ type glusterd_var_run_t;
+ ')
+
+ init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 glusterd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ allow $1 glusterd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, glusterd_t)
+
+ files_search_etc($1)
+ admin_pattern($1, glusterd_conf_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, glusterd_log_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, glusterd_tmp_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, glusterd_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, glusterd_var_run_t)
+')
diff --git a/glusterfs.te b/glusterfs.te
new file mode 100644
index 0000000..6c815e1
--- /dev/null
+++ b/glusterfs.te
@@ -0,0 +1,102 @@
+policy_module(glusterfs, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type glusterd_t;
+type glusterd_exec_t;
+init_daemon_domain(glusterd_t, glusterd_exec_t)
+
+type glusterd_conf_t;
+files_type(glusterd_conf_t)
+
+type glusterd_initrc_exec_t;
+init_script_file(glusterd_initrc_exec_t)
+
+type glusterd_tmp_t;
+files_tmp_file(glusterd_tmp_t)
+
+type glusterd_log_t;
+logging_log_file(glusterd_log_t)
+
+type glusterd_var_run_t;
+files_pid_file(glusterd_var_run_t)
+
+type glusterd_var_lib_t;
+files_type(glusterd_var_lib_t);
+
+########################################
+#
+# Local policy
+#
+
+allow glusterd_t self:capability { net_bind_service sys_admin sys_resource dac_override chown dac_read_search fowner };
+allow glusterd_t self:process { setrlimit signal };
+allow glusterd_t self:fifo_file rw_fifo_file_perms;
+allow glusterd_t self:tcp_socket { accept listen };
+allow glusterd_t self:unix_stream_socket { accept listen };
+
+manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
+manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
+files_etc_filetrans(glusterd_t, glusterd_conf_t, dir)
+
+manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
+
+manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+create_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+setattr_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+logging_log_filetrans(glusterd_t, glusterd_log_t, dir)
+
+manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file })
+
+manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
+
+can_exec(glusterd_t, glusterd_exec_t)
+
+kernel_read_system_state(glusterd_t)
+
+corecmd_exec_bin(glusterd_t)
+corecmd_exec_shell(glusterd_t)
+
+corenet_all_recvfrom_unlabeled(glusterd_t)
+corenet_all_recvfrom_netlabel(glusterd_t)
+corenet_tcp_sendrecv_generic_if(glusterd_t)
+corenet_udp_sendrecv_generic_if(glusterd_t)
+corenet_tcp_sendrecv_generic_node(glusterd_t)
+corenet_udp_sendrecv_generic_node(glusterd_t)
+corenet_tcp_sendrecv_all_ports(glusterd_t)
+corenet_udp_sendrecv_all_ports(glusterd_t)
+corenet_tcp_bind_generic_node(glusterd_t)
+corenet_udp_bind_generic_node(glusterd_t)
+
+# Too coarse?
+corenet_sendrecv_all_server_packets(glusterd_t)
+corenet_tcp_bind_all_reserved_ports(glusterd_t)
+corenet_udp_bind_all_rpc_ports(glusterd_t)
+corenet_udp_bind_ipp_port(glusterd_t)
+
+corenet_sendrecv_all_client_packets(glusterd_t)
+corenet_tcp_connect_all_unreserved_ports(glusterd_t)
+
+dev_read_sysfs(glusterd_t)
+dev_read_urand(glusterd_t)
+
+domain_use_interactive_fds(glusterd_t)
+
+files_read_usr_files(glusterd_t)
+
+auth_use_nsswitch(glusterd_t)
+
+logging_send_syslog_msg(glusterd_t)
+
+miscfiles_read_localization(glusterd_t)
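Review bot: `files_type(glusterd_var_lib_t);` carries a trailing semicolon that no other interface call in the file has; the macro already expands to statements that end in `;`, so this leaves a stray `;` in the generated policy and should be dropped. On the "# Too coarse?" question: yes. `corenet_sendrecv_all_server_packets`, `corenet_tcp_bind_all_reserved_ports` and `corenet_udp_bind_all_rpc_ports`, together with `sys_admin` and `dac_override` in the capability set, make glusterd_t one of the broadest domains in this series; a dedicated glusterd port declaration in corenetwork with matching bind interfaces, and a comment per capability naming the operation that needs it, would let the policy shrink to what the daemon actually does.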
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2012-10-04 17:36 Sven Vermeulen
From: Sven Vermeulen @ 2012-10-04 17:36 UTC
To: gentoo-commits
commit: be1634a14a7a7fa585bd825b0aa835808d536ac9
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Tue Oct 2 12:45:25 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Oct 4 17:30:25 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=be1634a1
Deprecate glusterd_admin() use glusterfs_admin() instead
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
glusterfs.if | 24 +++++++++++++++++++++++-
1 files changed, 23 insertions(+), 1 deletions(-)
diff --git a/glusterfs.if b/glusterfs.if
index bb2101d..05233c8 100644
--- a/glusterfs.if
+++ b/glusterfs.if
@@ -3,7 +3,7 @@
########################################
## <summary>
## All of the rules required to
-## administrate an glusterd environment.
+## administrate an glusterfs environment.
## </summary>
## <param name="domain">
## <summary>
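Review bot: the reworded summary still reads "administrate an glusterfs environment"; it should be "a glusterfs environment".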
@@ -18,6 +18,28 @@
## <rolecap/>
#
interface(`glusterd_admin',`
+ refpolicywarn(`$0($*) has been deprecated, use glusterfs_admin() instead.')
+ glusterfs_admin($1, $2)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an glusterfs environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`glusterfs_admin',`
gen_require(`
type glusterd_t, glusterd_initrc_exec_t, glusterd_log_t;
type glusterd_tmp_t, glusterd_conf_t, glusterd_var_lib_t;
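Review bot: the deprecated `glusterd_admin` keeps the full descriptive doc block above it, which now reads identically to the one for `glusterfs_admin`; the refpolicy convention for a deprecated wrapper is to state in its summary that it is deprecated and name the replacement, so the generated documentation does not advertise two identical admin interfaces. The wrapper itself (`refpolicywarn` followed by a call through to `glusterfs_admin($1, $2)`) is the right shape.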
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2012-10-04 17:36 Sven Vermeulen
From: Sven Vermeulen @ 2012-10-04 17:36 UTC
To: gentoo-commits
commit: 8370bc20f89c6a83a6e0fc44ed97e9565403cfe7
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Tue Oct 2 15:15:21 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Oct 4 17:30:53 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8370bc20
cfengine: This location is now labeled with a cfengine private type
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
cfengine.fc | 5 ++---
1 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/cfengine.fc b/cfengine.fc
index 7635eb9..5b605d6 100644
--- a/cfengine.fc
+++ b/cfengine.fc
@@ -5,6 +5,5 @@
/usr/sbin/cf-monitord -- gen_context(system_u:object_r:cfengine_monitord_exec_t,s0)
/var/cfengine(/.*)? gen_context(system_u:object_r:cfengine_var_lib_t,s0)
-# remove comment as soon as existing conflicting file context spec for this location
-# is removed from the logging module
-# /var/cfengine/outputs(/.*)? gen_context(system_u:object_r:cfengine_log_t,s0)
+
+/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:cfengine_log_t,s0)
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2012-10-04 17:36 Sven Vermeulen
From: Sven Vermeulen @ 2012-10-04 17:36 UTC
To: gentoo-commits
commit: 2ca6f8970270ce50dfa7e34f337b9ac8ded1e004
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Thu Oct 4 14:04:41 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Oct 4 17:32:33 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2ca6f897
Changes to the cachefilesd policy module
Remove comments from two interface calls that are now added and
available
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
cachefilesd.te | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/cachefilesd.te b/cachefilesd.te
index c0f8a66..581c8ef 100644
--- a/cachefilesd.te
+++ b/cachefilesd.te
@@ -1,4 +1,4 @@
-policy_module(cachefilesd, 1.0.0)
+policy_module(cachefilesd, 1.0.1)
########################################
#
@@ -31,9 +31,9 @@ files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file)
manage_dirs_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
manage_files_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
-# dev_rw_cachefiles(cachefilesd_t)
+dev_rw_cachefiles(cachefilesd_t)
-# files_create_all_files_as(cachefilesd_t)
+files_create_all_files_as(cachefilesd_t)
files_read_etc_files(cachefilesd_t)
fs_getattr_xattr_fs(cachefilesd_t)
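Review bot: `files_create_all_files_as(cachefilesd_t)` lets the domain create files of any file type, which is a very wide grant; it is presumably needed because the cache mirrors the labels of the backing files, but that reasoning belongs in a comment above the call so it is not stripped as excessive in a later cleanup. `dev_rw_cachefiles` is the expected access for the cachefiles control device.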
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2012-10-06 15:56 Sven Vermeulen
From: Sven Vermeulen @ 2012-10-06 15:56 UTC
To: gentoo-commits
commit: f1ab4e539476b17c72be5a09cec39ec1b457d894
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Fri Oct 5 12:42:46 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Oct 6 15:52:57 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f1ab4e53
changes to the mandb policy module
Add various interfaces to be used by miscfiles
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
mandb.if | 83 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
mandb.te | 2 +-
2 files changed, 84 insertions(+), 1 deletions(-)
diff --git a/mandb.if b/mandb.if
index 56306c6..35988b0 100644
--- a/mandb.if
+++ b/mandb.if
@@ -48,6 +48,89 @@ interface(`mandb_run',`
########################################
## <summary>
+## Search mandb cache directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mandb_search_cache',`
+ gen_require(`
+ type mandb_cache_t;
+ ')
+
+ files_search_var($1)
+ allow $1 mandb_cache_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Delete mandb cache content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mandb_delete_cache_content',`
+ gen_require(`
+ type mandb_cache_t;
+ ')
+
+ files_search_var($1)
+ allow $1 mandb_cache_t:dir delete_dir_perms;
+ allow $1 mandb_cache_t:file delete_file_perms;
+ allow $1 mandb_cache_t:lnk_file delete_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Read mandb cache content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mandb_read_cache_content',`
+ gen_require(`
+ type mandb_cache_t;
+ ')
+
+ files_search_var($1)
+ allow $1 mandb_cache_t:dir list_dir_perms;
+ allow $1 mandb_cache_t:file read_file_perms;
+ allow $1 mandb_cache_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## mandb cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mandb_manage_cache_content',`
+ gen_require(`
+ type mandb_cache_t;
+ ')
+
+ files_search_var($1)
+ allow $1 mandb_cache_t:dir manage_dir_perms;
+ allow $1 mandb_cache_t:file manage_file_perms;
+ allow $1 mandb_cache_t:lnk_file manage_lnk_file_perms;
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an mandb environment.
## </summary>
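Review bot: in `mandb_delete_cache_content`, `delete_dir_perms` and `delete_file_perms` only cover `rmdir`/`unlink` on the objects themselves; removing an entry from a directory also needs `remove_name` (with `write`) on that directory, which neither set includes, so the interface will not work in practice. Use `delete_dirs_pattern`, `delete_files_pattern` and `delete_lnk_files_pattern` over `($1, mandb_cache_t, mandb_cache_t)`, which add `del_entry_dir_perms` on the directory. The other three interfaces are sound; `mandb_read_cache_content` and `mandb_manage_cache_content` could likewise be written with the `read_*_pattern` and `manage_*_pattern` macros for consistency with the .te file.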
diff --git a/mandb.te b/mandb.te
index 3009005..8db8613 100644
--- a/mandb.te
+++ b/mandb.te
@@ -1,4 +1,4 @@
-policy_module(mandb, 1.0.0)
+policy_module(mandb, 1.0.1)
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2012-10-06 15:56 Sven Vermeulen
From: Sven Vermeulen @ 2012-10-06 15:56 UTC
To: gentoo-commits
commit: c51d33d0f6eb4b63d5da3f715de2933df0ecbd53
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Fri Oct 5 07:15:49 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Oct 6 15:35:03 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c51d33d0
Initial mandb policy module
man-db is an implementation of the standard Unix documentation system
accessed using the man command. It uses a Berkeley DB database in place
of the traditional flat-text whatis databases.
Ported from Fedora with changes
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
mandb.fc | 4 +++
mandb.if | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
mandb.te | 42 +++++++++++++++++++++++++++++++++
3 files changed, 124 insertions(+), 0 deletions(-)
diff --git a/mandb.fc b/mandb.fc
new file mode 100644
index 0000000..e4864f3
--- /dev/null
+++ b/mandb.fc
@@ -0,0 +1,4 @@
+/etc/cron.daily/man-db\.cron -- gen_context(system_u:object_r:mandb_exec_t,s0)
+
+# file context conflict with spec in miscfiles. remove comment when the spec in miscfiles is removed
+# /var/cache/man(/.*)? gen_context(system_u:object_r:mandb_cache_t,s0)
diff --git a/mandb.if b/mandb.if
new file mode 100644
index 0000000..56306c6
--- /dev/null
+++ b/mandb.if
@@ -0,0 +1,78 @@
+## <summary>On-line manual database.</summary>
+
+########################################
+## <summary>
+## Execute the mandb program in
+## the mandb domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mandb_domtrans',`
+ gen_require(`
+ type mandb_t, mandb_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mandb_exec_t, mandb_t)
+')
+
+########################################
+## <summary>
+## Execute mandb in the mandb
+## domain, and allow the specified
+## role the mandb domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`mandb_run',`
+ gen_require(`
+ attribute_role mandb_roles;
+ ')
+
+ lightsquid_domtrans($1)
+ roleattribute $2 mandb_roles;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an mandb environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mandb_admin',`
+ gen_require(`
+ type mandb_t, mandb_cache_t;
+ ')
+
+ allow $1 mandb_t:process { ptrace signal_perms };
+ ps_process_pattern($1, mandb_t)
+
+ mandb_run($1, $2)
+
+ files_search_var($1)
+ admin_pattern($1, mandb_cache_t)
+')
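Review bot: `mandb_run` calls `lightsquid_domtrans($1)` instead of `mandb_domtrans($1)`, so a caller would be transitioned into the lightsquid domain (or the build would fail if that module is absent) rather than into mandb_t; this looks like a leftover from the module the file was copied from and needs to be `mandb_domtrans($1)`. Also "administrate an mandb environment" should read "a mandb environment".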
diff --git a/mandb.te b/mandb.te
new file mode 100644
index 0000000..3009005
--- /dev/null
+++ b/mandb.te
@@ -0,0 +1,42 @@
+policy_module(mandb, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role mandb_roles;
+roleattribute system_r mandb_roles;
+
+type mandb_t;
+type mandb_exec_t;
+application_domain(mandb_t, mandb_exec_t)
+role mandb_roles types mandb_t;
+
+type mandb_cache_t;
+files_type(mandb_cache_t)
+
+########################################
+#
+# Local policy
+#
+
+allow mandb_t self:process signal;
+allow mandb_t self:fifo_file rw_fifo_file_perms;
+allow mandb_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
+manage_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
+manage_lnk_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
+
+kernel_read_system_state(mandb_t)
+
+corecmd_exec_bin(mandb_t)
+
+domain_use_interactive_fds(mandb_t)
+
+files_read_etc_files(mandb_t)
+
+optional_policy(`
+ cron_system_entry(mandb_t, mandb_exec_t)
+')
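Review bot: the local policy grants mandb_t its cache type, etc files and bin execution, but nothing here lets it read the manual page sources it indexes, so the first cron run will be denied on the man page directories; in refpolicy that access comes from the miscfiles man page interfaces (`miscfiles_read_man_pages`), and `miscfiles_read_localization` is usually wanted as well for a program run from cron. The commented-out `/var/cache/man` spec in mandb.fc also means mandb_cache_t is unused until the miscfiles spec is removed, so a reminder comment in the .te would help.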
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2012-10-06 17:05 Sven Vermeulen
From: Sven Vermeulen @ 2012-10-06 17:05 UTC
To: gentoo-commits
commit: e592a2a8011ac03fd2fab1539983de735f798306
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Sat Oct 6 14:22:39 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Oct 6 17:02:45 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e592a2a8
Changes to the dnssectrigger policy module
Remove duplicate rules
Needs to be able to create /etc/resolv.conf with a type transition
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
dnssectrigger.te | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/dnssectrigger.te b/dnssectrigger.te
index a87128f..ef36d73 100644
--- a/dnssectrigger.te
+++ b/dnssectrigger.te
@@ -1,4 +1,4 @@
-policy_module(dnssectrigger, 1.0.0)
+policy_module(dnssectrigger, 1.0.1)
########################################
#
@@ -30,8 +30,7 @@ allow dnssec_triggerd_t self:capability linux_immutable;
allow dnssec_triggerd_t self:process signal;
allow dnssec_triggerd_t self:fifo_file rw_fifo_file_perms;
allow dnssec_triggerd_t self:unix_stream_socket { accept listen };
-allow dnssec_triggerd_t self:tcp_socket create_stream_socket_perms;
-allow dnssec_triggerd_t self:udp_socket create_socket_perms;
+allow dnssec_triggerd_t self:tcp_socket { accept listen };
allow dnssec_triggerd_t dnssec_trigger_conf_t:file read_file_perms;
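Review bot: replacing create_stream_socket_perms and create_socket_perms with only `{ accept listen }` is correct only if another interface still in the module supplies the base create/connect permissions; the context of the next hunk shows sysnet_dns_name_resolve(dnssec_triggerd_t), which is presumably where they now come from, but the commit message says only "Remove duplicate rules" without naming the source. Please name the providing interface in the message so the dependency is visible, and note that dropping the udp_socket line entirely means any UDP use beyond resolver traffic now hinges on that same interface.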
@@ -72,6 +71,7 @@ miscfiles_read_localization(dnssec_triggerd_t)
sysnet_dns_name_resolve(dnssec_triggerd_t)
sysnet_manage_config(dnssec_triggerd_t)
+sysnet_etc_filetrans_config(dnssec_triggerd_t)
optional_policy(`
bind_read_config(dnssec_triggerd_t)
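Review bot: the sysnet_etc_filetrans_config addition matches the need stated in the commit message (creating /etc/resolv.conf with a type transition) and is correctly placed beside the existing sysnet_manage_config call, with the version bump in the first hunk covering it. It would help to extend the message with the denial or behaviour that motivated it: the `linux_immutable` capability visible in the previous hunk's context suggests the daemon also manipulates an existing resolv.conf in place, so a reader should be told it additionally creates the file from scratch.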
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2012-10-06 17:05 Sven Vermeulen
0 siblings, 0 replies; 101+ messages in thread
From: Sven Vermeulen @ 2012-10-06 17:05 UTC (permalink / raw
To: gentoo-commits
commit: f8fff796563e4543e15899980c9071cac8895272
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Sat Oct 6 14:37:21 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Oct 6 17:03:23 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f8fff796
Changes to the firewalld policy module
Remove duplicate rules
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
firewalld.te | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/firewalld.te b/firewalld.te
index 0010122..6bd2271 100644
--- a/firewalld.te
+++ b/firewalld.te
@@ -1,4 +1,4 @@
-policy_module(firewalld, 1.0.0)
+policy_module(firewalld, 1.0.1)
########################################
#
@@ -28,7 +28,7 @@ files_pid_file(firewalld_var_run_t)
dontaudit firewalld_t self:capability sys_tty_config;
allow firewalld_t self:fifo_file rw_fifo_file_perms;
-allow firewalld_t self:unix_stream_socket create_stream_socket_perms;
+allow firewalld_t self:unix_stream_socket { accept listen };
manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
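Review bot: narrowing self:unix_stream_socket from create_stream_socket_perms to `{ accept listen }` relies on another interface granting the create/connect part, but nothing in this hunk's context shows which one; the commit message ("Remove duplicate rules") should name it so the dependency is visible. Also check whether the daemon really listens on a unix stream socket: if it only connects to a bus as a client, accept and listen can go as well.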
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2012-10-06 17:14 Sven Vermeulen
0 siblings, 0 replies; 101+ messages in thread
From: Sven Vermeulen @ 2012-10-06 17:14 UTC (permalink / raw
To: gentoo-commits
commit: 2b1a0f348ea30a39fbad574598dfef85a8886302
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Oct 6 17:12:31 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Oct 6 17:12:31 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2b1a0f34
Move from root - misbehavior of git am
---
boinc.fc | 9 ---
boinc.if | 44 -------------
boinc.te | 177 ------------------------------------------------------
cachefilesd.fc | 9 ---
cachefilesd.if | 39 ------------
cachefilesd.te | 52 ----------------
callweaver.fc | 11 ----
callweaver.if | 42 -------------
callweaver.te | 91 ----------------------------
cfengine.fc | 9 ---
cfengine.if | 99 ------------------------------
cfengine.te | 42 -------------
collectd.fc | 9 ---
collectd.if | 39 ------------
collectd.te | 90 ---------------------------
couchdb.fc | 11 ----
couchdb.if | 49 ---------------
couchdb.te | 88 ---------------------------
ctdb.fc | 11 ----
ctdb.if | 45 --------------
ctdb.te | 116 -----------------------------------
dnssectrigger.fc | 9 ---
dnssectrigger.if | 42 -------------
dnssectrigger.te | 79 ------------------------
firewalld.fc | 10 ---
firewalld.if | 43 -------------
firewalld.te | 85 --------------------------
glusterfs.fc | 16 -----
glusterfs.if | 71 ----------------------
glusterfs.te | 102 -------------------------------
isns.fc | 8 ---
isns.if | 39 ------------
isns.te | 55 -----------------
keystone.fc | 7 --
keystone.if | 42 -------------
keystone.te | 76 -----------------------
l2tp.fc | 11 ----
l2tp.if | 42 -------------
l2tp.te | 95 -----------------------------
man2html.fc | 5 --
man2html.if | 1 -
man2html.te | 26 --------
mandb.fc | 4 -
mandb.if | 161 -------------------------------------------------
mandb.te | 42 -------------
mongodb.fc | 9 ---
mongodb.if | 42 -------------
mongodb.te | 58 ------------------
openhpi.fc | 7 --
openhpi.if | 39 ------------
openhpi.te | 57 -----------------
pkcs.fc | 7 --
pkcs.if | 45 --------------
pkcs.te | 58 ------------------
54 files changed, 0 insertions(+), 2475 deletions(-)
diff --git a/boinc.fc b/boinc.fc
deleted file mode 100644
index 6d3ccad..0000000
--- a/boinc.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
-
-/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
-
-/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
-/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
-/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
-
-/var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0)
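Review bot: this commit is a pure deletion (the diffstat reports 0 insertions and 2475 deletions across 54 files), so despite the "Move from root" title it does not itself relocate anything. The companion commit that re-adds these modules under their intended directory should be referenced in the message so the history shows the move as a whole and nobody reads this as dropping the boinc, cachefilesd, callweaver, cfengine, collectd, couchdb, ctdb, dnssectrigger, firewalld, glusterfs, isns, keystone, l2tp, man2html, mandb, mongodb, openhpi and pkcs modules.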
diff --git a/boinc.if b/boinc.if
deleted file mode 100644
index 02fefaa..0000000
--- a/boinc.if
+++ /dev/null
@@ -1,44 +0,0 @@
-## <summary>Platform for computing using volunteered resources.</summary>
-
-########################################
-## <summary>
-## All of the rules required to
-## administrate an boinc environment.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`boinc_admin',`
- gen_require(`
-
- type boinc_t, boinc_project_t, boinc_log_t;
- type boinc_var_lib_t, boinc_tmp_t, boinc_initrc_exec_t;
- type boinc_project_var_lib_t, boinc_project_tmp_t;
- ')
-
- allow $1 { boinc_t boinc_project_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { boinc_t boinc_project_t })
-
- init_labeled_script_domtrans($1, boinc_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 boinc_initrc_exec_t system_r;
- allow $2 system_r;
-
- logging_search_logs($1)
- admin_pattern($1, boinc_log_t)
-
- files_search_tmp($1)
- admin_pattern($1, { boinc_project_tmp_t boinc_tmp_t })
-
- files_search_var_lib($1)
- admin_pattern($1, { boinc_project_var_lib_t boinc_var_lib_t })
-')
diff --git a/boinc.te b/boinc.te
deleted file mode 100644
index d1f8289..0000000
--- a/boinc.te
+++ /dev/null
@@ -1,177 +0,0 @@
-policy_module(boinc, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type boinc_t;
-type boinc_exec_t;
-init_daemon_domain(boinc_t, boinc_exec_t)
-
-type boinc_initrc_exec_t;
-init_script_file(boinc_initrc_exec_t)
-
-type boinc_tmp_t;
-files_tmp_file(boinc_tmp_t)
-
-type boinc_tmpfs_t;
-files_tmpfs_file(boinc_tmpfs_t)
-
-type boinc_var_lib_t;
-files_type(boinc_var_lib_t)
-
-type boinc_project_var_lib_t;
-files_type(boinc_project_var_lib_t)
-
-type boinc_log_t;
-logging_log_file(boinc_log_t)
-
-type boinc_project_t;
-domain_type(boinc_project_t)
-domain_entry_file(boinc_project_t, boinc_project_var_lib_t)
-role system_r types boinc_project_t;
-
-type boinc_project_tmp_t;
-files_tmp_file(boinc_project_tmp_t)
-
-########################################
-#
-# Local policy
-#
-
-allow boinc_t self:process { setsched setpgid signull sigkill };
-allow boinc_t self:unix_stream_socket { accept listen };
-allow boinc_t self:tcp_socket create_stream_socket_perms;
-allow boinc_t self:shm create_shm_perms;
-allow boinc_t self:fifo_file rw_fifo_file_perms;
-allow boinc_t self:sem create_sem_perms;
-
-manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
-manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
-files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
-
-manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
-fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
-
-manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-manage_lnk_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-
-# entry files to the boinc_project_t domain
-manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
-manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
-filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "slots")
-filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "projects")
-
-append_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
-create_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
-setattr_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
-logging_log_filetrans(boinc_t, boinc_log_t, file)
-
-can_exec(boinc_t, boinc_var_lib_t)
-
-domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
-
-kernel_read_system_state(boinc_t)
-kernel_search_vm_sysctl(boinc_t)
-
-corenet_all_recvfrom_unlabeled(boinc_t)
-corenet_all_recvfrom_netlabel(boinc_t)
-corenet_tcp_sendrecv_generic_if(boinc_t)
-corenet_tcp_sendrecv_generic_node(boinc_t)
-corenet_tcp_sendrecv_all_ports(boinc_t)
-corenet_tcp_bind_generic_node(boinc_t)
-
-corenet_sendrecv_boinc_client_packets(boinc_t)
-corenet_sendrecv_boinc_server_packets(boinc_t)
-corenet_tcp_bind_boinc_port(boinc_t)
-corenet_tcp_connect_boinc_port(boinc_t)
-
-corenet_sendrecv_boinc_client_server_packets(boinc_t)
-corenet_tcp_bind_boinc_client_port(boinc_t)
-
-corenet_sendrecv_http_client_packets(boinc_t)
-corenet_tcp_connect_http_port(boinc_t)
-
-corenet_sendrecv_http_cache_client_packets(boinc_t)
-corenet_tcp_connect_http_cache_port(boinc_t)
-
-corecmd_exec_bin(boinc_t)
-corecmd_exec_shell(boinc_t)
-
-dev_read_rand(boinc_t)
-dev_read_urand(boinc_t)
-dev_read_sysfs(boinc_t)
-dev_rw_xserver_misc(boinc_t)
-
-domain_read_all_domains_state(boinc_t)
-
-files_dontaudit_getattr_boot_dirs(boinc_t)
-files_getattr_all_dirs(boinc_t)
-files_getattr_all_files(boinc_t)
-files_read_etc_files(boinc_t)
-files_read_etc_runtime_files(boinc_t)
-files_read_usr_files(boinc_t)
-
-fs_getattr_all_fs(boinc_t)
-
-term_getattr_all_ptys(boinc_t)
-term_getattr_unallocated_ttys(boinc_t)
-
-init_read_utmp(boinc_t)
-
-logging_send_syslog_msg(boinc_t)
-
-miscfiles_read_fonts(boinc_t)
-miscfiles_read_localization(boinc_t)
-
-optional_policy(`
- mta_send_mail(boinc_t)
-')
-
-optional_policy(`
- sysnet_dns_name_resolve(boinc_t)
-')
-
-########################################
-#
-# Project local policy
-#
-
-allow boinc_project_t self:capability { setuid setgid };
-allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal_perms };
-
-manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
-manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
-manage_sock_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
-files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file sock_file})
-
-manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
-manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
-
-allow boinc_project_t boinc_project_var_lib_t:file execmod;
-can_exec(boinc_project_t, boinc_project_var_lib_t)
-
-allow boinc_project_t boinc_t:shm rw_shm_perms;
-allow boinc_project_t boinc_tmpfs_t:file { read write };
-
-kernel_read_kernel_sysctls(boinc_project_t)
-kernel_read_network_state(boinc_project_t)
-kernel_search_vm_sysctl(boinc_project_t)
-
-corenet_all_recvfrom_unlabeled(boinc_project_t)
-corenet_all_recvfrom_netlabel(boinc_project_t)
-corenet_tcp_sendrecv_generic_if(boinc_project_t)
-corenet_tcp_sendrecv_generic_node(boinc_project_t)
-corenet_tcp_bind_generic_node(boinc_project_t)
-
-corenet_sendrecv_boinc_client_packets(boinc_project_t)
-corenet_tcp_connect_boinc_port(boinc_project_t)
-corenet_tcp_sendrecv_boinc_port(boinc_project_t)
-
-files_dontaudit_search_home(boinc_project_t)
-
-optional_policy(`
- java_exec(boinc_project_t)
-')
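Review bot: if this file is re-added under its proper path rather than just dropped, two things in the project local policy are worth fixing there: `files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file sock_file})` is missing the space before the closing brace, and boinc_project_t is granted execmem, execstack and ptrace on self plus file execmod on boinc_project_var_lib_t in one block. Science applications do need some of this, but execmod on content the same domain can write, combined with ptrace, is broad enough to deserve a comment naming the applications that require it, or a tunable so it can be switched off.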
diff --git a/cachefilesd.fc b/cachefilesd.fc
deleted file mode 100644
index 648c790..0000000
--- a/cachefilesd.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-/etc/rc\.d/init\.d/cachefilesd -- gen_context(system_u:object_r:cachefilesd_initrc_exec_t,s0)
-
-/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
-
-/usr/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
-
-/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefilesd_cache_t,s0)
-
-/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0)
diff --git a/cachefilesd.if b/cachefilesd.if
deleted file mode 100644
index 8de2ab9..0000000
--- a/cachefilesd.if
+++ /dev/null
@@ -1,39 +0,0 @@
-## <summary>CacheFiles user-space management daemon.</summary>
-
-########################################
-## <summary>
-## All of the rules required to
-## administrate an cachefilesd environment.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`cachefilesd_admin',`
- gen_require(`
- type cachefilesd_t, cachefilesd_initrc_exec_t, cachefilesd_cache_t;
- type cachefilesd_var_run_t;
- ')
-
- allow $1 cachefilesd_t:process { ptrace signal_perms };
- ps_process_pattern($1, cachefilesd_t)
-
- init_labeled_script_domtrans($1, cachefilesd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cachefilesd_initrc_exec_t system_r;
- allow $2 system_r;
-
- files_search_var($1)
- admin_pattern($1, cachefilesd_cache_t)
-
- files_search_pids($1)
- admin_pattern($1, cachefilesd_var_run_t)
-')
diff --git a/cachefilesd.te b/cachefilesd.te
deleted file mode 100644
index 581c8ef..0000000
--- a/cachefilesd.te
+++ /dev/null
@@ -1,52 +0,0 @@
-policy_module(cachefilesd, 1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type cachefilesd_t;
-type cachefilesd_exec_t;
-init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
-
-type cachefilesd_initrc_exec_t;
-init_script_file(cachefilesd_initrc_exec_t)
-
-type cachefilesd_cache_t;
-files_type(cachefilesd_cache_t)
-
-type cachefilesd_var_run_t;
-files_pid_file(cachefilesd_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
-
-manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
-files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file)
-
-manage_dirs_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
-manage_files_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
-
-dev_rw_cachefiles(cachefilesd_t)
-
-files_create_all_files_as(cachefilesd_t)
-files_read_etc_files(cachefilesd_t)
-
-fs_getattr_xattr_fs(cachefilesd_t)
-
-term_dontaudit_use_generic_ptys(cachefilesd_t)
-term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
-
-logging_send_syslog_msg(cachefilesd_t)
-
-miscfiles_read_localization(cachefilesd_t)
-
-init_dontaudit_use_script_ptys(cachefilesd_t)
-
-optional_policy(`
- rpm_use_script_fds(cachefilesd_t)
-')
diff --git a/callweaver.fc b/callweaver.fc
deleted file mode 100644
index 70397fb..0000000
--- a/callweaver.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-/etc/rc\.d/init\.d/callweaver -- gen_context(system_u:object_r:callweaver_initrc_exec_t,s0)
-
-/usr/sbin/callweaver -- gen_context(system_u:object_r:callweaver_exec_t,s0)
-
-/var/lib/callweaver(/.*)? gen_context(system_u:object_r:callweaver_var_lib_t,s0)
-
-/var/log/callweaver(/.*)? gen_context(system_u:object_r:callweaver_log_t,s0)
-
-/var/run/callweaver(/.*)? gen_context(system_u:object_r:callweaver_var_run_t,s0)
-
-/var/spool/callweaver(/.*)? gen_context(system_u:object_r:callweaver_spool_t,s0)
diff --git a/callweaver.if b/callweaver.if
deleted file mode 100644
index fcf96f9..0000000
--- a/callweaver.if
+++ /dev/null
@@ -1,42 +0,0 @@
-## <summary>PBX software.</summary>
-
-########################################
-## <summary>
-## All of the rules required to
-## administrate an callweaver environment.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`callweaver_admin',`
- gen_require(`
- type callweaver_t, callweaver_initrc_exec_t, callweaver_log_t;
- type callweaver_var_lib_t, callweaver_var_run_t, callweaver_spool_t;
- ')
-
- allow $1 callweaver_t:process { ptrace signal_perms };
- ps_process_pattern($1, callweaver_t)
-
- init_labeled_script_domtrans($1, callweaver_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 callweaver_initrc_exec_t system_r;
- allow $2 system_r;
-
- logging_search_logs($1)
- admin_pattern($1, callweaver_log_t)
-
- files_search_pids($1)
- admin_pattern($1, callweaver_var_run_t)
-
- files_search_var_lib($1)
- admin_pattern($1, { callweaver_spool_t callweaver_var_lib_t })
-')
diff --git a/callweaver.te b/callweaver.te
deleted file mode 100644
index 8eeb0ed..0000000
--- a/callweaver.te
+++ /dev/null
@@ -1,91 +0,0 @@
-policy_module(callweaver, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type callweaver_t;
-type callweaver_exec_t;
-init_daemon_domain(callweaver_t, callweaver_exec_t)
-
-type callweaver_initrc_exec_t;
-init_script_file(callweaver_initrc_exec_t)
-
-type callweaver_log_t;
-logging_log_file(callweaver_log_t)
-
-type callweaver_var_lib_t;
-files_type(callweaver_var_lib_t)
-
-type callweaver_var_run_t;
-files_pid_file(callweaver_var_run_t)
-
-type callweaver_spool_t;
-files_type(callweaver_spool_t)
-
-########################################
-#
-# Local policy
-#
-
-allow callweaver_t self:capability { setuid sys_nice setgid };
-allow callweaver_t self:process { setsched signal };
-allow callweaver_t self:fifo_file rw_fifo_file_perms;
-allow callweaver_t self:tcp_socket { accept listen };
-allow callweaver_t self:unix_stream_socket create_stream_socket_perms;
-
-manage_dirs_pattern(callweaver_t, callweaver_log_t, callweaver_log_t)
-append_files_pattern(callweaver_t, callweaver_log_t, callweaver_log_t)
-create_files_pattern(callweaver_t, callweaver_log_t, callweaver_log_t)
-setattr_files_pattern(callweaver_t, callweaver_log_t, callweaver_log_t)
-logging_log_filetrans(callweaver_t, callweaver_log_t, { dir file })
-
-manage_dirs_pattern(callweaver_t, callweaver_var_lib_t, callweaver_var_lib_t)
-manage_files_pattern(callweaver_t, callweaver_var_lib_t, callweaver_var_lib_t)
-files_var_lib_filetrans(callweaver_t, callweaver_var_lib_t, { dir file })
-
-manage_dirs_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t)
-manage_files_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t)
-manage_sock_files_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t)
-files_pid_filetrans(callweaver_t, callweaver_var_run_t, { dir file sock_file })
-
-manage_dirs_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t)
-manage_files_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t)
-manage_lnk_files_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t)
-files_spool_filetrans(callweaver_t, callweaver_spool_t, { dir file })
-
-kernel_read_kernel_sysctls(callweaver_t)
-kernel_read_sysctl(callweaver_t)
-
-corenet_all_recvfrom_unlabeled(callweaver_t)
-corenet_all_recvfrom_netlabel(callweaver_t)
-corenet_tcp_sendrecv_generic_if(callweaver_t)
-corenet_udp_sendrecv_generic_if(callweaver_t)
-corenet_tcp_sendrecv_generic_node(callweaver_t)
-corenet_udp_sendrecv_generic_node(callweaver_t)
-corenet_tcp_sendrecv_all_ports(callweaver_t)
-corenet_udp_sendrecv_all_ports(callweaver_t)
-corenet_tcp_bind_generic_node(callweaver_t)
-corenet_udp_bind_generic_node(callweaver_t)
-
-corenet_sendrecv_asterisk_server_packets(callweaver_t)
-corenet_udp_bind_asterisk_port(callweaver_t)
-
-corenet_sendrecv_generic_server_packets(callweaver_t)
-corenet_udp_bind_generic_port(callweaver_t)
-
-corenet_sendrecv_sip_server_packets(callweaver_t)
-corenet_udp_bind_sip_port(callweaver_t)
-
-dev_manage_generic_symlinks(callweaver_t)
-
-domain_use_interactive_fds(callweaver_t)
-
-term_getattr_pty_fs(callweaver_t)
-term_use_generic_ptys(callweaver_t)
-term_use_ptmx(callweaver_t)
-
-auth_use_nsswitch(callweaver_t)
-
-miscfiles_read_localization(callweaver_t)
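Review bot: `allow callweaver_t self:tcp_socket { accept listen }` implies the daemon accepts TCP connections, yet the only bind rules are UDP (corenet_udp_bind_asterisk_port, corenet_udp_bind_generic_port, corenet_udp_bind_sip_port); either a corenet_tcp_bind_* interface is missing or accept/listen are unneeded. Separately, corenet_tcp_sendrecv_all_ports and corenet_udp_sendrecv_all_ports together with corenet_udp_bind_generic_port make the network side very wide for a PBX; if the dynamic RTP port range is the reason, a comment saying so would help the next reader.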
diff --git a/cfengine.fc b/cfengine.fc
deleted file mode 100644
index 5b605d6..0000000
--- a/cfengine.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-/etc/rc\.d/init\.d/((cf-serverd)|(cf-monitord)|(cf-execd)) -- gen_context(system_u:object_r:cfengine_initrc_exec_t,s0)
-
-/usr/sbin/cf-serverd -- gen_context(system_u:object_r:cfengine_serverd_exec_t,s0)
-/usr/sbin/cf-execd -- gen_context(system_u:object_r:cfengine_execd_exec_t,s0)
-/usr/sbin/cf-monitord -- gen_context(system_u:object_r:cfengine_monitord_exec_t,s0)
-
-/var/cfengine(/.*)? gen_context(system_u:object_r:cfengine_var_lib_t,s0)
-
-/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:cfengine_log_t,s0)
diff --git a/cfengine.if b/cfengine.if
deleted file mode 100644
index 55ff4cc..0000000
--- a/cfengine.if
+++ /dev/null
@@ -1,99 +0,0 @@
-## <summary>System administration tool for networks.</summary>
-
-#######################################
-## <summary>
-## The template to define a cfengine domain.
-## </summary>
-## <param name="domain_prefix">
-## <summary>
-## Domain prefix to be used.
-## </summary>
-## </param>
-#
-template(`cfengine_domain_template',`
- gen_require(`
- attribute cfengine_domain;
- type cfengine_log_t, cfengine_var_lib_t;
- ')
-
- ########################################
- #
- # Shared declarations
- #
-
- type cfengine_$1_t, cfengine_domain;
- type cfengine_$1_exec_t;
- init_daemon_domain(cfengine_$1_t, cfengine_$1_exec_t)
-
- ########################################
- #
- # Shared policy
- #
-
- allow cfengine_$1_t self:capability { chown kill setgid setuid sys_chroot };
- allow cfengine_$1_t self:process { setfscreate signal };
- allow cfengine_$1_t self:fifo_file rw_fifo_file_perms;
- allow cfengine_$1_t self:unix_stream_socket { accept listen };
-
- manage_dirs_pattern(cfengine_$1_t, cfengine_var_lib_t, cfengine_var_lib_t)
- manage_files_pattern(cfengine_$1_t, cfengine_var_lib_t, cfengine_var_lib_t)
- manage_lnk_files_pattern(cfengine_$1_t, cfengine_var_lib_t, cfengine_var_lib_t)
- files_var_lib_filetrans(cfengine_$1_t, cfengine_var_lib_t, dir)
-
- manage_dirs_pattern(cfengine_$1_t, cfengine_log_t, cfengine_log_t)
- append_files_pattern(cfengine_$1_t, cfengine_log_t, cfengine_log_t)
- create_files_pattern(cfengine_$1_t, cfengine_log_t, cfengine_log_t)
- setattr_files_pattern(cfengine_$1_t, cfengine_log_t, cfengine_log_t)
- logging_log_filetrans(cfengine_$1_t, cfengine_log_t, dir)
-
- kernel_read_system_state(cfengine_$1_t)
-
- corecmd_exec_bin(cfengine_$1_t)
- corecmd_exec_shell(cfengine_$1_t)
-
- dev_read_urand(cfengine_$1_t)
- dev_read_sysfs(cfengine_$1_t)
-
- auth_use_nsswitch(cfengine_$1_t)
-
- logging_send_syslog_msg(cfengine_$1_t)
-
- miscfiles_read_localization(cfengine_$1_t)
-
- sysnet_domtrans_ifconfig(cfengine_$1_t)
-')
-
-########################################
-## <summary>
-## All of the rules required to
-## administrate an cfengine environment.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`cfengine_admin',`
- gen_require(`
- attribute cfengine_domain;
- type cfengine_initrc_exec_t, cfengine_log_t, cfengine_var_lib_t;
- ')
-
- allow $1 cfengine_domain:process { ptrace signal_perms };
- ps_process_pattern($1, cfengine_domain)
-
- init_labeled_script_domtrans($1, cfengine_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cfengine_initrc_exec_t system_r;
- allow $2 system_r;
-
- files_search_var_lib($1)
- admin_pattern($1, { cfengine_log_t cfengine_var_lib_t })
-')
diff --git a/cfengine.te b/cfengine.te
deleted file mode 100644
index cedf81a..0000000
--- a/cfengine.te
+++ /dev/null
@@ -1,42 +0,0 @@
-policy_module(cfengine, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-attribute cfengine_domain;
-
-cfengine_domain_template(serverd)
-cfengine_domain_template(execd)
-cfengine_domain_template(monitord)
-
-type cfengine_initrc_exec_t;
-init_script_file(cfengine_initrc_exec_t)
-
-type cfengine_var_lib_t;
-files_type(cfengine_var_lib_t)
-
-type cfengine_log_t;
-logging_log_file(cfengine_log_t)
-
-########################################
-#
-# Exec local policy
-#
-
-kernel_read_sysctl(cfengine_execd_t)
-
-domain_read_all_domains_state(cfengine_execd_t)
-
-########################################
-#
-# Monitord local policy
-#
-
-kernel_read_hotplug_sysctls(cfengine_monitord_t)
-kernel_read_network_state(cfengine_monitord_t)
-
-domain_read_all_domains_state(cfengine_monitord_t)
-
-fs_getattr_xattr_fs(cfengine_monitord_t)
diff --git a/collectd.fc b/collectd.fc
deleted file mode 100644
index 79a3abe..0000000
--- a/collectd.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-/etc/rc\.d/init\.d/collectd -- gen_context(system_u:object_r:collectd_initrc_exec_t,s0)
-
-/usr/sbin/collectd -- gen_context(system_u:object_r:collectd_exec_t,s0)
-
-/var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0)
-
-/var/run/collectd\.pid -- gen_context(system_u:object_r:collectd_var_run_t,s0)
-
-/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0)
diff --git a/collectd.if b/collectd.if
deleted file mode 100644
index 954309e..0000000
--- a/collectd.if
+++ /dev/null
@@ -1,39 +0,0 @@
-## <summary>Statistics collection daemon for filling RRD files.</summary>
-
-########################################
-## <summary>
-## All of the rules required to
-## administrate an collectd environment.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`collectd_admin',`
- gen_require(`
- type collectd_t, collectd_initrc_exec_t, collectd_var_run_t;
- type collectd_var_lib_t;
- ')
-
- allow $1 collectd_t:process { ptrace signal_perms };
- ps_process_pattern($1, collectd_t)
-
- init_labeled_script_domtrans($1, collectd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 collectd_initrc_exec_t system_r;
- allow $2 system_r;
-
- files_search_pids($1)
- admin_pattern($1, collectd_var_run_t)
-
- files_search_var_lib($1)
- admin_pattern($1, collectd_var_lib_t)
-')
diff --git a/collectd.te b/collectd.te
deleted file mode 100644
index 6471fa8..0000000
--- a/collectd.te
+++ /dev/null
@@ -1,90 +0,0 @@
-policy_module(collectd, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-## <desc>
-## <p>
-## Determine whether collectd can connect
-## to the network using TCP.
-## </p>
-## </desc>
-gen_tunable(collectd_tcp_network_connect, false)
-
-type collectd_t;
-type collectd_exec_t;
-init_daemon_domain(collectd_t, collectd_exec_t)
-
-type collectd_initrc_exec_t;
-init_script_file(collectd_initrc_exec_t)
-
-type collectd_var_lib_t;
-files_type(collectd_var_lib_t)
-
-type collectd_var_run_t;
-files_pid_file(collectd_var_run_t)
-
-apache_content_template(collectd)
-
-########################################
-#
-# Local policy
-#
-
-allow collectd_t self:capability { ipc_lock sys_nice };
-allow collectd_t self:process { getsched setsched signal };
-allow collectd_t self:fifo_file rw_fifo_file_perms;
-allow collectd_t self:packet_socket create_socket_perms;
-allow collectd_t self:unix_stream_socket { accept listen };
-
-manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
-manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
-files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)
-
-manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
-files_pid_filetrans(collectd_t, collectd_var_run_t, file)
-
-domain_use_interactive_fds(collectd_t)
-
-kernel_read_network_state(collectd_t)
-kernel_read_net_sysctls(collectd_t)
-kernel_read_system_state(collectd_t)
-
-dev_read_rand(collectd_t)
-dev_read_sysfs(collectd_t)
-dev_read_urand(collectd_t)
-
-files_getattr_all_dirs(collectd_t)
-files_read_etc_files(collectd_t)
-files_read_usr_files(collectd_t)
-
-fs_getattr_all_fs(collectd_t)
-
-miscfiles_read_localization(collectd_t)
-
-logging_send_syslog_msg(collectd_t)
-
-sysnet_dns_name_resolve(collectd_t)
-
-tunable_policy(`collectd_tcp_network_connect',`
- corenet_sendrecv_all_client_packets(collectd_t)
- corenet_tcp_connect_all_ports(collectd_t)
- corenet_tcp_sendrecv_all_ports(collectd_t)
-')
-
-optional_policy(`
- virt_read_config(collectd_t)
-')
-
-########################################
-#
-# Web local policy
-#
-
-optional_policy(`
- read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
- list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
- miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
-')
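Review bot: `allow collectd_t self:packet_socket create_socket_perms` does not work on its own: opening a packet socket requires CAP_NET_RAW, and the capability line only grants `{ ipc_lock sys_nice }`, so either add net_raw or drop the packet_socket rule if no plugin needs it. The collectd_tcp_network_connect tunable opens corenet_tcp_connect_all_ports; with the default at false that is acceptable, but the `<desc>` text should say it is all ports rather than only the targets of the write plugins, since that is what an administrator is enabling.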
diff --git a/couchdb.fc b/couchdb.fc
deleted file mode 100644
index c086302..0000000
--- a/couchdb.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-/etc/couchdb(/.*)? gen_context(system_u:object_r:couchdb_conf_t,s0)
-
-/etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
-
-/usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)
-
-/var/lib/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_lib_t,s0)
-
-/var/log/couchdb(/.*)? gen_context(system_u:object_r:couchdb_log_t,s0)
-
-/var/run/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_run_t,s0)
diff --git a/couchdb.if b/couchdb.if
deleted file mode 100644
index 83d6744..0000000
--- a/couchdb.if
+++ /dev/null
@@ -1,49 +0,0 @@
-## <summary>Document database server.</summary>
-
-########################################
-## <summary>
-## All of the rules required to
-## administrate an couchdb environment.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`couchdb_admin',`
- gen_require(`
- type couchdb_t, couchdb_conf_t, couchdb_initrc_exec_t;
- type couchdb_log_t, couchdb_var_lib_t, couchdb_var_run_t;
- type couchdb_tmp_t;
- ')
-
- allow $1 couchdb_t:process { ptrace signal_perms };
- ps_process_pattern($1, couchdb_t)
-
- init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 couchdb_initrc_exec_t system_r;
- allow $2 system_r;
-
- files_search_etc($1)
- admin_pattern($1, couchdb_conf_t)
-
- logging_search_logs($1)
- admin_pattern($1, couchdb_log_t)
-
- files_search_tmp($1)
- admin_pattern($1, couchdb_tmp_t)
-
- files_search_var_lib($1)
- admin_pattern($1, couchdb_var_lib_t)
-
- files_search_pids($1)
- admin_pattern($1, couchdb_var_run_t)
-')
diff --git a/couchdb.te b/couchdb.te
deleted file mode 100644
index 503adab..0000000
--- a/couchdb.te
+++ /dev/null
@@ -1,88 +0,0 @@
-policy_module(couchdb, 1.0.2)
-
-########################################
-#
-# Declarations
-#
-
-type couchdb_t;
-type couchdb_exec_t;
-init_daemon_domain(couchdb_t, couchdb_exec_t)
-
-type couchdb_initrc_exec_t;
-init_script_file(couchdb_initrc_exec_t)
-
-type couchdb_conf_t;
-files_config_file(couchdb_conf_t)
-
-type couchdb_log_t;
-logging_log_file(couchdb_log_t)
-
-type couchdb_tmp_t;
-files_tmp_file(couchdb_tmp_t)
-
-type couchdb_var_lib_t;
-files_type(couchdb_var_lib_t)
-
-type couchdb_var_run_t;
-files_pid_file(couchdb_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow couchdb_t self:process { setsched signal signull sigkill };
-allow couchdb_t self:fifo_file rw_fifo_file_perms;
-allow couchdb_t self:unix_stream_socket create_stream_socket_perms;
-allow couchdb_t self:tcp_socket { accept listen };
-
-allow couchdb_t couchdb_conf_t:dir list_dir_perms;
-allow couchdb_t couchdb_conf_t:file read_file_perms;
-
-manage_dirs_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
-append_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
-create_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
-setattr_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
-logging_log_filetrans(couchdb_t, couchdb_log_t, dir)
-
-manage_dirs_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
-manage_files_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
-files_tmp_filetrans(couchdb_t, couchdb_tmp_t, { dir file })
-
-manage_dirs_pattern(couchdb_t, couchdb_var_lib_t, couchdb_var_lib_t)
-manage_files_pattern(couchdb_t, couchdb_var_lib_t, couchdb_var_lib_t)
-files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, dir)
-
-manage_dirs_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
-manage_files_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
-files_pid_filetrans(couchdb_t, couchdb_var_run_t, dir)
-
-can_exec(couchdb_t, couchdb_exec_t)
-
-kernel_read_system_state(couchdb_t)
-
-corecmd_exec_bin(couchdb_t)
-corecmd_exec_shell(couchdb_t)
-
-corenet_all_recvfrom_unlabeled(couchdb_t)
-corenet_all_recvfrom_netlabel(couchdb_t)
-corenet_tcp_sendrecv_generic_if(couchdb_t)
-corenet_tcp_sendrecv_generic_node(couchdb_t)
-corenet_tcp_bind_generic_node(couchdb_t)
-
-corenet_sendrecv_couchdb_server_packets(couchdb_t)
-corenet_tcp_bind_couchdb_port(couchdb_t)
-corenet_tcp_sendrecv_couchdb_port(couchdb_t)
-
-dev_list_sysfs(couchdb_t)
-dev_read_sysfs(couchdb_t)
-dev_read_urand(couchdb_t)
-
-files_read_usr_files(couchdb_t)
-
-fs_getattr_xattr_fs(couchdb_t)
-
-auth_use_nsswitch(couchdb_t)
-
-miscfiles_read_localization(couchdb_t)
diff --git a/ctdb.fc b/ctdb.fc
deleted file mode 100644
index bc117ce..0000000
--- a/ctdb.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-/etc/rc\.d/init\.d/ctdb -- gen_context(system_u:object_r:ctdbd_initrc_exec_t,s0)
-
-/usr/sbin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0)
-
-/var/lib/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
-
-/var/log/log\.ctdb.* -- gen_context(system_u:object_r:ctdbd_log_t,s0)
-
-/var/run/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_run_t,s0)
-
-/var/spool/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_spool_t,s0)
diff --git a/ctdb.if b/ctdb.if
deleted file mode 100644
index 53779fb..0000000
--- a/ctdb.if
+++ /dev/null
@@ -1,45 +0,0 @@
-## <summary>Clustered Database based on Samba Trivial Database.</summary>
-
-########################################
-## <summary>
-## All of the rules required to
-## administrate an ctdb environment.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`ctdb_admin',`
- gen_require(`
- type ctdbd_t, ctdbd_initrc_exec_t, ctdbd_tmp_t;
- type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t;
- ')
-
- allow $1 ctdbd_t:process { ptrace signal_perms };
- ps_process_pattern($1, ctdbd_t)
-
- init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ctdbd_initrc_exec_t system_r;
- allow $2 system_r;
-
- logging_search_logs($1)
- admin_pattern($1, ctdbd_log_t)
-
- files_search_tmp($1)
- admin_pattern($1, ctdbd_tmp_t)
-
- files_search_var_lib($1)
- admin_pattern($1, ctdbd_var_lib_t)
-
- files_search_pids($1)
- admin_pattern($1, ctdbd_var_run_t)
-')
diff --git a/ctdb.te b/ctdb.te
deleted file mode 100644
index 3c2d77d..0000000
--- a/ctdb.te
+++ /dev/null
@@ -1,116 +0,0 @@
-policy_module(ctdb, 1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type ctdbd_t;
-type ctdbd_exec_t;
-init_daemon_domain(ctdbd_t, ctdbd_exec_t)
-
-type ctdbd_initrc_exec_t;
-init_script_file(ctdbd_initrc_exec_t)
-
-type ctdbd_log_t;
-logging_log_file(ctdbd_log_t)
-
-type ctdbd_spool_t;
-files_type(ctdbd_spool_t)
-
-type ctdbd_tmp_t;
-files_tmp_file(ctdbd_tmp_t)
-
-type ctdbd_var_lib_t;
-files_type(ctdbd_var_lib_t)
-
-type ctdbd_var_run_t;
-files_pid_file(ctdbd_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice };
-allow ctdbd_t self:process { setpgid signal_perms setsched };
-allow ctdbd_t self:fifo_file rw_fifo_file_perms;
-allow ctdbd_t self:unix_stream_socket { accept connectto listen };
-allow ctdbd_t self:netlink_route_socket r_netlink_socket_perms;
-allow ctdbd_t self:packet_socket create_socket_perms;
-allow ctdbd_t self:tcp_socket create_stream_socket_perms;
-
-append_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
-create_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
-setattr_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
-logging_log_filetrans(ctdbd_t, ctdbd_log_t, file)
-
-manage_files_pattern(ctdbd_t, ctdbd_tmp_t, ctdbd_tmp_t)
-manage_sock_files_pattern(ctdbd_t, ctdbd_tmp_t, ctdbd_tmp_t)
-files_tmp_filetrans(ctdbd_t, ctdbd_tmp_t, { file sock_file })
-
-manage_dirs_pattern(ctdbd_t, ctdbd_spool_t, ctdbd_spool_t)
-manage_files_pattern(ctdbd_t, ctdbd_spool_t, ctdbd_spool_t)
-manage_lnk_files_pattern(ctdbd_t, ctdbd_spool_t, ctdbd_spool_t)
-files_spool_filetrans(ctdbd_t, ctdbd_spool_t, dir)
-
-exec_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
-manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
-manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
-files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir)
-
-manage_dirs_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
-manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
-files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir)
-
-kernel_read_network_state(ctdbd_t)
-kernel_read_system_state(ctdbd_t)
-kernel_rw_net_sysctls(ctdbd_t)
-
-corenet_all_recvfrom_unlabeled(ctdbd_t)
-corenet_all_recvfrom_netlabel(ctdbd_t)
-corenet_tcp_sendrecv_generic_if(ctdbd_t)
-corenet_tcp_sendrecv_generic_node(ctdbd_t)
-corenet_tcp_bind_generic_node(ctdbd_t)
-
-corenet_sendrecv_ctdb_server_packets(ctdbd_t)
-corenet_tcp_bind_ctdb_port(ctdbd_t)
-corenet_tcp_sendrecv_ctdb_port(ctdbd_t)
-
-corecmd_exec_bin(ctdbd_t)
-corecmd_exec_shell(ctdbd_t)
-
-dev_read_sysfs(ctdbd_t)
-dev_read_urand(ctdbd_t)
-
-domain_dontaudit_read_all_domains_state(ctdbd_t)
-
-files_read_etc_files(ctdbd_t)
-files_search_all_mountpoints(ctdbd_t)
-
-logging_send_syslog_msg(ctdbd_t)
-
-miscfiles_read_localization(ctdbd_t)
-miscfiles_read_public_files(ctdbd_t)
-
-optional_policy(`
- consoletype_exec(ctdbd_t)
-')
-
-optional_policy(`
- hostname_exec(ctdbd_t)
-')
-
-optional_policy(`
- iptables_domtrans(ctdbd_t)
-')
-
-optional_policy(`
- samba_initrc_domtrans(ctdbd_t)
- samba_domtrans_net(ctdbd_t)
- samba_rw_var_files(ctdbd_t)
-')
-
-optional_policy(`
- sysnet_domtrans_ifconfig(ctdbd_t)
-')
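Review bot: `exec_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)` lets the daemon execute files under /var/lib/ctdbd, which is unusual for a var_lib type, and nothing in the file says what lives there; a one-line comment would help. The same goes for the `net_admin net_raw` capabilities, the `packet_socket` rule, `kernel_rw_net_sysctls`, `iptables_domtrans` and `sysnet_domtrans_ifconfig`, which together amount to reconfiguring the host's networking from inside the daemon domain and deserve a stated rationale next to the rules.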
diff --git a/dnssectrigger.fc b/dnssectrigger.fc
deleted file mode 100644
index c459b4a..0000000
--- a/dnssectrigger.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-/etc/dnssec-trigger/dnssec-trigger\.conf -- gen_context(system_u:object_r:dnssec_trigger_conf_t,s0)
-
-/etc/rc\.d/init\.d/dnssec-triggerd -- gen_context(system_u:object_r:dnssec_triggerd_initrc_exec_t,s0)
-
-/usr/sbin/dnssec-triggerd -- gen_context(system_u:object_r:dnssec_triggerd_exec_t,s0)
-
-/var/log/dnssec-trigger\.log.* -- gen_context(system_u:object_r:dnssec_trigger_log_t,s0)
-
-/var/run/dnssec-triggerd\.pid -- gen_context(system_u:object_r:dnssec_triggerd_var_run_t,s0)
diff --git a/dnssectrigger.if b/dnssectrigger.if
deleted file mode 100644
index 456da5c..0000000
--- a/dnssectrigger.if
+++ /dev/null
@@ -1,42 +0,0 @@
-## <summary>Enables DNSSEC protection for DNS traffic.</summary>
-
-########################################
-## <summary>
-## All of the rules required to
-## administrate an dnssec environment.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`dnssectrigger_admin',`
- gen_require(`
- type dnssec_triggerd_t, dnssec_triggerd_initrc_exec_t, dnssec_trigger_conf_t;
- type dnssec_trigger_log_t, dnssec_triggerd_var_run_t;
- ')
-
- allow $1 dnssec_triggerd_t:process { ptrace signal_perms };
- ps_process_pattern($1, dnssec_triggerd_t)
-
- init_labeled_script_domtrans($1, dnssec_triggerd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 dnssec_triggerd_initrc_exec_t system_r;
- allow $2 system_r;
-
- files_search_etc($1)
- admin_pattern($1, dnssec_trigger_conf_t)
-
- logging_search_logs($1)
- admin_pattern($1, dnssec_trigger_log_t)
-
- files_search_pids($1)
- admin_pattern($1, dnssec_triggerd_var_run_t)
-')
diff --git a/dnssectrigger.te b/dnssectrigger.te
deleted file mode 100644
index ef36d73..0000000
--- a/dnssectrigger.te
+++ /dev/null
@@ -1,79 +0,0 @@
-policy_module(dnssectrigger, 1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type dnssec_triggerd_t;
-type dnssec_triggerd_exec_t;
-init_daemon_domain(dnssec_triggerd_t, dnssec_triggerd_exec_t)
-
-type dnssec_triggerd_initrc_exec_t;
-init_script_file(dnssec_triggerd_initrc_exec_t)
-
-type dnssec_trigger_conf_t;
-files_config_file(dnssec_trigger_conf_t)
-
-type dnssec_trigger_log_t;
-logging_log_file(dnssec_trigger_log_t)
-
-type dnssec_triggerd_var_run_t;
-files_pid_file(dnssec_triggerd_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow dnssec_triggerd_t self:capability linux_immutable;
-allow dnssec_triggerd_t self:process signal;
-allow dnssec_triggerd_t self:fifo_file rw_fifo_file_perms;
-allow dnssec_triggerd_t self:unix_stream_socket { accept listen };
-allow dnssec_triggerd_t self:tcp_socket { accept listen };
-
-allow dnssec_triggerd_t dnssec_trigger_conf_t:file read_file_perms;
-
-append_files_pattern(dnssec_triggerd_t, dnssec_trigger_log_t, dnssec_trigger_log_t)
-create_files_pattern(dnssec_triggerd_t, dnssec_trigger_log_t, dnssec_trigger_log_t)
-setattr_files_pattern(dnssec_triggerd_t, dnssec_trigger_log_t, dnssec_trigger_log_t)
-logging_log_filetrans(dnssec_triggerd_t, dnssec_trigger_log_t, file)
-
-manage_files_pattern(dnssec_triggerd_t, dnssec_triggerd_var_run_t, dnssec_triggerd_var_run_t)
-files_pid_filetrans(dnssec_triggerd_t, dnssec_triggerd_var_run_t, file)
-
-kernel_read_system_state(dnssec_triggerd_t)
-
-corecmd_exec_bin(dnssec_triggerd_t)
-corecmd_exec_shell(dnssec_triggerd_t)
-
-corenet_all_recvfrom_unlabeled(dnssec_triggerd_t)
-corenet_all_recvfrom_netlabel(dnssec_triggerd_t)
-corenet_tcp_sendrecv_generic_if(dnssec_triggerd_t)
-corenet_tcp_sendrecv_generic_node(dnssec_triggerd_t)
-corenet_tcp_bind_generic_node(dnssec_triggerd_t)
-
-corenet_sendrecv_rndc_client_packets(dnssec_triggerd_t)
-corenet_tcp_connect_rndc_port(dnssec_triggerd_t)
-corenet_tcp_sendrecv_rndc_port(dnssec_triggerd_t)
-
-corenet_sendrecv_http_client_packets(dnssec_triggerd_t)
-corenet_tcp_connect_http_port(dnssec_triggerd_t)
-corenet_tcp_sendrecv_http_port(dnssec_triggerd_t)
-
-dev_read_urand(dnssec_triggerd_t)
-
-files_read_etc_runtime_files(dnssec_triggerd_t)
-
-logging_send_syslog_msg(dnssec_triggerd_t)
-
-miscfiles_read_localization(dnssec_triggerd_t)
-
-sysnet_dns_name_resolve(dnssec_triggerd_t)
-sysnet_manage_config(dnssec_triggerd_t)
-sysnet_etc_filetrans_config(dnssec_triggerd_t)
-
-optional_policy(`
- bind_read_config(dnssec_triggerd_t)
- bind_read_dnssec_keys(dnssec_triggerd_t)
-')
diff --git a/firewalld.fc b/firewalld.fc
deleted file mode 100644
index 21d7b84..0000000
--- a/firewalld.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-/etc/rc\.d/init\.d/firewalld -- gen_context(system_u:object_r:firewalld_initrc_exec_t,s0)
-
-/etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
-
-/usr/sbin/firewalld -- gen_context(system_u:object_r:firewalld_exec_t,s0)
-
-/var/log/firewalld.* -- gen_context(system_u:object_r:firewalld_var_log_t,s0)
-
-/var/run/firewalld(/.*)? gen_context(system_u:object_r:firewalld_var_run_t,s0)
-/var/run/firewalld\.pid -- gen_context(system_u:object_r:firewalld_var_run_t,s0)
diff --git a/firewalld.if b/firewalld.if
deleted file mode 100644
index 82a225a..0000000
--- a/firewalld.if
+++ /dev/null
@@ -1,43 +0,0 @@
-## <summary>Service daemon with a D-BUS interface that provides a dynamic managed firewall.</summary>
-
-########################################
-## <summary>
-## All of the rules required to
-## administrate an firewalld environment.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`firewalld_admin',`
- gen_require(`
- type firewalld_t, firewalld_initrc_exec_t;
- type firewall_etc_rw_t, firewalld_var_run_t;
- type firewalld_var_log_t;
- ')
-
- allow $1 firewalld_t:process { ptrace signal_perms };
- ps_process_pattern($1, firewalld_t)
-
- init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 firewalld_initrc_exec_t system_r;
- allow $2 system_r;
-
- files_search_pids($1)
- admin_pattern($1, firewalld_var_run_t)
-
- logging_search_logs($1)
- admin_pattern($1, firewalld_var_log_t)
-
- files_search_etc($1)
- admin_pattern($1, firewall_etc_rw_t)
-')
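Review bot: the gen_require block and the final admin_pattern call in firewalld_admin() name `firewall_etc_rw_t`, but the type declared in firewalld.te and used in firewalld.fc is `firewalld_etc_rw_t`; with the misspelling the require cannot be satisfied, so any policy that calls firewalld_admin() breaks at build or link time. If this module is being moved elsewhere rather than dropped, carry the correction over: `type firewalld_etc_rw_t, firewalld_var_run_t;` and `admin_pattern($1, firewalld_etc_rw_t)`.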
diff --git a/firewalld.te b/firewalld.te
deleted file mode 100644
index 6bd2271..0000000
--- a/firewalld.te
+++ /dev/null
@@ -1,85 +0,0 @@
-policy_module(firewalld, 1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type firewalld_t;
-type firewalld_exec_t;
-init_daemon_domain(firewalld_t, firewalld_exec_t)
-
-type firewalld_initrc_exec_t;
-init_script_file(firewalld_initrc_exec_t)
-
-type firewalld_etc_rw_t;
-files_config_file(firewalld_etc_rw_t)
-
-type firewalld_var_log_t;
-logging_log_file(firewalld_var_log_t)
-
-type firewalld_var_run_t;
-files_pid_file(firewalld_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-dontaudit firewalld_t self:capability sys_tty_config;
-allow firewalld_t self:fifo_file rw_fifo_file_perms;
-allow firewalld_t self:unix_stream_socket { accept listen };
-
-manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
-manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
-
-allow firewalld_t firewalld_var_log_t:file append_file_perms;
-allow firewalld_t firewalld_var_log_t:file create_file_perms;
-allow firewalld_t firewalld_var_log_t:file read_file_perms;
-allow firewalld_t firewalld_var_log_t:file setattr_file_perms;
-logging_log_filetrans(firewalld_t, firewalld_var_log_t, file)
-
-manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
-files_pid_filetrans(firewalld_t, firewalld_var_run_t, file)
-
-kernel_read_network_state(firewalld_t)
-kernel_read_system_state(firewalld_t)
-
-corecmd_exec_bin(firewalld_t)
-corecmd_exec_shell(firewalld_t)
-
-dev_read_urand(firewalld_t)
-
-domain_use_interactive_fds(firewalld_t)
-
-files_read_etc_files(firewalld_t)
-files_read_usr_files(firewalld_t)
-
-fs_getattr_xattr_fs(firewalld_t)
-
-logging_send_syslog_msg(firewalld_t)
-
-miscfiles_read_localization(firewalld_t)
-
-seutil_exec_setfiles(firewalld_t)
-seutil_read_file_contexts(firewalld_t)
-
-optional_policy(`
- dbus_system_domain(firewalld_t, firewalld_exec_t)
-
- optional_policy(`
- policykit_dbus_chat(firewalld_t)
- ')
-
- optional_policy(`
- networkmanager_dbus_chat(firewalld_t)
- ')
-')
-
-optional_policy(`
- iptables_domtrans(firewalld_t)
-')
-
-optional_policy(`
- modutils_domtrans_insmod(firewalld_t)
-')
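Review bot: the four separate `allow firewalld_t firewalld_var_log_t:file ...` lines spell out by hand what `append_files_pattern`, `create_files_pattern` and `setattr_files_pattern` express in the other modules of this patch (couchdb.te, ctdb.te), and they additionally grant `read_file_perms` on the log, which none of the sibling daemons get. Use the pattern macros for consistency and drop the read rule unless firewalld actually reads its own log back.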
diff --git a/glusterfs.fc b/glusterfs.fc
deleted file mode 100644
index 4bd6ade..0000000
--- a/glusterfs.fc
+++ /dev/null
@@ -1,16 +0,0 @@
-/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
-
-/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
-/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
-
-/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
-/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
-
-/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
-
-/var/lib/gluster.* gen_context(system_u:object_r:glusterd_var_lib_t,s0)
-
-/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
-
-/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
-/var/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0)
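Review bot: `/usr/sbin/glusterd` is labelled `glusterd_initrc_exec_t` while `/usr/sbin/glusterfsd` and the /opt copy get `glusterd_exec_t`, so an executable under /usr/sbin carries the init-script type. If that is deliberate because glusterd is a wrapper script that launches glusterfsd, a comment on that line would stop it being read as a copy-and-paste error; if it is not deliberate, the label should be `glusterd_exec_t`.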
diff --git a/glusterfs.if b/glusterfs.if
deleted file mode 100644
index 05233c8..0000000
--- a/glusterfs.if
+++ /dev/null
@@ -1,71 +0,0 @@
-## <summary>Cluster File System binary, daemon and command line.</summary>
-
-########################################
-## <summary>
-## All of the rules required to
-## administrate an glusterfs environment.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`glusterd_admin',`
- refpolicywarn(`$0($*) has been deprecated, use glusterfs_admin() instead.')
- glusterfs_admin($1, $2)
-')
-
-########################################
-## <summary>
-## All of the rules required to
-## administrate an glusterfs environment.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`glusterfs_admin',`
- gen_require(`
- type glusterd_t, glusterd_initrc_exec_t, glusterd_log_t;
- type glusterd_tmp_t, glusterd_conf_t, glusterd_var_lib_t;
- type glusterd_var_run_t;
- ')
-
- init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 glusterd_initrc_exec_t system_r;
- allow $2 system_r;
-
- allow $1 glusterd_t:process { ptrace signal_perms };
- ps_process_pattern($1, glusterd_t)
-
- files_search_etc($1)
- admin_pattern($1, glusterd_conf_t)
-
- logging_search_logs($1)
- admin_pattern($1, glusterd_log_t)
-
- files_search_tmp($1)
- admin_pattern($1, glusterd_tmp_t)
-
- files_search_var_lib($1)
- admin_pattern($1, glusterd_var_lib_t)
-
- files_search_pids($1)
- admin_pattern($1, glusterd_var_run_t)
-')
diff --git a/glusterfs.te b/glusterfs.te
deleted file mode 100644
index 6c815e1..0000000
--- a/glusterfs.te
+++ /dev/null
@@ -1,102 +0,0 @@
-policy_module(glusterfs, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type glusterd_t;
-type glusterd_exec_t;
-init_daemon_domain(glusterd_t, glusterd_exec_t)
-
-type glusterd_conf_t;
-files_type(glusterd_conf_t)
-
-type glusterd_initrc_exec_t;
-init_script_file(glusterd_initrc_exec_t)
-
-type glusterd_tmp_t;
-files_tmp_file(glusterd_tmp_t)
-
-type glusterd_log_t;
-logging_log_file(glusterd_log_t)
-
-type glusterd_var_run_t;
-files_pid_file(glusterd_var_run_t)
-
-type glusterd_var_lib_t;
-files_type(glusterd_var_lib_t);
-
-########################################
-#
-# Local policy
-#
-
-allow glusterd_t self:capability { net_bind_service sys_admin sys_resource dac_override chown dac_read_search fowner };
-allow glusterd_t self:process { setrlimit signal };
-allow glusterd_t self:fifo_file rw_fifo_file_perms;
-allow glusterd_t self:tcp_socket { accept listen };
-allow glusterd_t self:unix_stream_socket { accept listen };
-
-manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
-manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
-files_etc_filetrans(glusterd_t, glusterd_conf_t, dir)
-
-manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
-manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
-manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
-files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
-
-manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-create_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-setattr_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-logging_log_filetrans(glusterd_t, glusterd_log_t, dir)
-
-manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
-manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
-files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file })
-
-manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
-manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
-files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
-
-can_exec(glusterd_t, glusterd_exec_t)
-
-kernel_read_system_state(glusterd_t)
-
-corecmd_exec_bin(glusterd_t)
-corecmd_exec_shell(glusterd_t)
-
-corenet_all_recvfrom_unlabeled(glusterd_t)
-corenet_all_recvfrom_netlabel(glusterd_t)
-corenet_tcp_sendrecv_generic_if(glusterd_t)
-corenet_udp_sendrecv_generic_if(glusterd_t)
-corenet_tcp_sendrecv_generic_node(glusterd_t)
-corenet_udp_sendrecv_generic_node(glusterd_t)
-corenet_tcp_sendrecv_all_ports(glusterd_t)
-corenet_udp_sendrecv_all_ports(glusterd_t)
-corenet_tcp_bind_generic_node(glusterd_t)
-corenet_udp_bind_generic_node(glusterd_t)
-
-# Too coarse?
-corenet_sendrecv_all_server_packets(glusterd_t)
-corenet_tcp_bind_all_reserved_ports(glusterd_t)
-corenet_udp_bind_all_rpc_ports(glusterd_t)
-corenet_udp_bind_ipp_port(glusterd_t)
-
-corenet_sendrecv_all_client_packets(glusterd_t)
-corenet_tcp_connect_all_unreserved_ports(glusterd_t)
-
-dev_read_sysfs(glusterd_t)
-dev_read_urand(glusterd_t)
-
-domain_use_interactive_fds(glusterd_t)
-
-files_read_usr_files(glusterd_t)
-
-auth_use_nsswitch(glusterd_t)
-
-logging_send_syslog_msg(glusterd_t)
-
-miscfiles_read_localization(glusterd_t)
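Review bot: the block under `# Too coarse?` leaves an open question in the policy instead of answering it: `corenet_sendrecv_all_server_packets`, `corenet_tcp_bind_all_reserved_ports` and `corenet_tcp_connect_all_unreserved_ports` let the daemon bind any reserved port and connect anywhere, and the capability line grants `sys_admin` and `dac_override` on top. Either narrow these to a dedicated port type for gluster's own ports and document the capabilities that remain, or turn the question into a comment stating why the broad access is required. Minor: `files_type(glusterd_var_lib_t);` carries a stray trailing semicolon, unlike every other interface call in the file.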
diff --git a/isns.fc b/isns.fc
deleted file mode 100644
index a0852ec..0000000
--- a/isns.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-/etc/rc\.d/init\.d/isnsd -- gen_context(system_u:object_r:isnsd_initrc_exec_t,s0)
-
-/usr/sbin/isnsd -- gen_context(system_u:object_r:isnsd_exec_t,s0)
-
-/var/lib/isns(/.*)? gen_context(system_u:object_r:isnsd_var_lib_t,s0)
-
-/var/run/isnsd\.pid -- gen_context(system_u:object_r:isnsd_var_run_t,s0)
-/var/run/isnsctl -s gen_context(system_u:object_r:isnsd_var_run_t,s0)
diff --git a/isns.if b/isns.if
deleted file mode 100644
index da7e970..0000000
--- a/isns.if
+++ /dev/null
@@ -1,39 +0,0 @@
-## <summary>Internet Storage Name Service.</summary>
-
-########################################
-## <summary>
-## All of the rules required to
-## administrate an isnsd environment.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`isnsd_admin',`
- gen_require(`
- type isnsd_t, isnsd_initrc_exec_t, isnsd_var_lib_t;
- type isnsd_var_run_t;
- ')
-
- allow $1 isnsd_t:process { ptrace signal_perms };
- ps_process_pattern($1, isnsd_t)
-
- init_labeled_script_domtrans($1, isnsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 isnsd_initrc_exec_t system_r;
- allow $2 system_r;
-
- files_search_var_lib($1)
- admin_pattern($1, isnsd_var_lib_t)
-
- files_search_pids($1)
- admin_pattern($1, isnsd_var_run_t)
-')
diff --git a/isns.te b/isns.te
deleted file mode 100644
index bc11034..0000000
--- a/isns.te
+++ /dev/null
@@ -1,55 +0,0 @@
-policy_module(isns, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type isnsd_t;
-type isnsd_exec_t;
-init_daemon_domain(isnsd_t, isnsd_exec_t)
-
-type isnsd_initrc_exec_t;
-init_script_file(isnsd_initrc_exec_t)
-
-type isnsd_var_lib_t;
-files_type(isnsd_var_lib_t)
-
-type isnsd_var_run_t;
-files_pid_file(isnsd_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow isnsd_t self:capability kill;
-allow isnsd_t self:process signal;
-allow isnsd_t self:fifo_file rw_fifo_file_perms;
-allow isnsd_t self:udp_socket { accept listen };
-allow isnsd_t self:unix_stream_socket { accept listen };
-
-manage_dirs_pattern(isnsd_t, isnsd_var_lib_t, isnsd_var_lib_t)
-manage_files_pattern(isnsd_t, isnsd_var_lib_t, isnsd_var_lib_t)
-files_var_lib_filetrans(isnsd_t, isnsd_var_lib_t, dir)
-
-manage_sock_files_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t)
-manage_files_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t)
-files_pid_filetrans(isnsd_t, isnsd_var_run_t, { file sock_file })
-
-corenet_all_recvfrom_unlabeled(isnsd_t)
-corenet_all_recvfrom_netlabel(isnsd_t)
-corenet_tcp_sendrecv_generic_if(isnsd_t)
-corenet_tcp_sendrecv_generic_node(isnsd_t)
-corenet_tcp_sendrecv_isns_port(isnsd_t)
-corenet_tcp_bind_generic_node(isnsd_t)
-corenet_sendrecv_isns_server_packets(isnsd_t)
-corenet_tcp_bind_isns_port(isnsd_t)
-
-files_read_etc_files(isnsd_t)
-
-logging_send_syslog_msg(isnsd_t)
-
-miscfiles_read_localization(isnsd_t)
-
-sysnet_dns_name_resolve(isnsd_t)
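Review bot: `allow isnsd_t self:udp_socket { accept listen };` grants permissions that have no meaning on a connectionless UDP socket, while the file otherwise uses only TCP interfaces (`corenet_tcp_bind_isns_port`, `corenet_tcp_sendrecv_isns_port`) and grants no `tcp_socket` permissions at all; this reads as if `tcp_socket` was intended, as in the `{ accept listen }` lines of the other modules in this patch. Check which transport isnsd listens on and fix the object class accordingly.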
diff --git a/keystone.fc b/keystone.fc
deleted file mode 100644
index b273d80..0000000
--- a/keystone.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-/etc/rc\.d/init\.d/openstack-keystone -- gen_context(system_u:object_r:keystone_initrc_exec_t,s0)
-
-/usr/bin/keystone-all -- gen_context(system_u:object_r:keystone_exec_t,s0)
-
-/var/lib/keystone(/.*)? gen_context(system_u:object_r:keystone_var_lib_t,s0)
-
-/var/log/keystone(/.*)? gen_context(system_u:object_r:keystone_log_t,s0)
diff --git a/keystone.if b/keystone.if
deleted file mode 100644
index d3e7fc9..0000000
--- a/keystone.if
+++ /dev/null
@@ -1,42 +0,0 @@
-## <summary>Python implementation of the OpenStack identity service API.</summary>
-
-########################################
-## <summary>
-## All of the rules required to
-## administrate an keystone environment.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`keystone_admin',`
- gen_require(`
- type keystone_t, keystone_initrc_exec_t, keystone_log_t;
- type keystone_var_lib_t, keystone_tmp_t;
- ')
-
- allow $1 keystone_t:process { ptrace signal_perms };
- ps_process_pattern($1, keystone_t)
-
- init_labeled_script_domtrans($1, keystone_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 keystone_initrc_exec_t system_r;
- allow $2 system_r;
-
- logging_search_logs($1)
- admin_pattern($1, keystone_log_t)
-
- files_search_var_lib($1
- admin_pattern($1, keystone_var_lib_t)
-
- files_search_tmp($1)
- admin_pattern($1, keystone_tmp_t)
-')
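Review bot: `files_search_var_lib($1` is missing its closing parenthesis, so m4 keeps reading the following `admin_pattern($1, keystone_var_lib_t)` line as part of the argument list and the interface expands to garbage. If the module lives on somewhere else, make sure the copy there reads `files_search_var_lib($1)`.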
diff --git a/keystone.te b/keystone.te
deleted file mode 100644
index 3494d9b..0000000
--- a/keystone.te
+++ /dev/null
@@ -1,76 +0,0 @@
-policy_module(keystone, 1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type keystone_t;
-type keystone_exec_t;
-init_daemon_domain(keystone_t, keystone_exec_t)
-
-type keystone_initrc_exec_t;
-init_script_file(keystone_initrc_exec_t)
-
-type keystone_log_t;
-logging_log_file(keystone_log_t)
-
-type keystone_var_lib_t;
-files_type(keystone_var_lib_t)
-
-type keystone_tmp_t;
-files_tmp_file(keystone_tmp_t)
-
-########################################
-#
-# Local policy
-#
-
-allow keystone_t self:fifo_file rw_fifo_file_perms;
-allow keystone_t self:unix_stream_socket { accept listen };
-allow keystone_t self:tcp_socket { accept listen };
-
-manage_dirs_pattern(keystone_t, keystone_log_t, keystone_log_t)
-append_files_pattern(keystone_t, keystone_log_t, keystone_log_t)
-create_files_pattern(keystone_t, keystone_log_t, keystone_log_t)
-setattr_files_pattern(keystone_t, keystone_log_t, keystone_log_t)
-logging_log_filetrans(keystone_t, keystone_log_t, dir)
-
-manage_dirs_pattern(keystone_t, keystone_tmp_t, keystone_tmp_t)
-manage_files_pattern(keystone_t, keystone_tmp_t, keystone_tmp_t)
-manage_lnk_files_pattern(keystone_t, keystone_tmp_t, keystone_tmp_t)
-files_tmp_filetrans(keystone_t, keystone_tmp_t, { dir file lnk_file })
-
-manage_dirs_pattern(keystone_t, keystone_var_lib_t, keystone_var_lib_t)
-manage_files_pattern(keystone_t, keystone_var_lib_t, keystone_var_lib_t)
-files_var_lib_filetrans(keystone_t, keystone_var_lib_t, dir)
-
-can_exec(keystone_t, keystone_tmp_t)
-
-kernel_read_system_state(keystone_t)
-
-corecmd_exec_bin(keystone_t)
-corecmd_exec_shell(keystone_t)
-
-corenet_all_recvfrom_unlabeled(keystone_t)
-corenet_all_recvfrom_netlabel(keystone_t)
-corenet_tcp_sendrecv_generic_if(keystone_t)
-corenet_tcp_sendrecv_generic_node(keystone_t)
-corenet_tcp_bind_generic_node(keystone_t)
-
-corenet_sendrecv_commplex_main_server_packets(keystone_t)
-corenet_tcp_bind_commplex_main_port(keystone_t)
-corenet_tcp_sendrecv_commplex_main_port(keystone_t)
-
-files_read_usr_files(keystone_t)
-
-auth_use_pam(keystone_t)
-
-libs_exec_ldconfig(keystone_t)
-
-miscfiles_read_localization(keystone_t)
-
-optional_policy(`
- mysql_stream_connect(keystone_t)
- mysql_tcp_connect(keystone_t)
-')
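Review bot: `can_exec(keystone_t, keystone_tmp_t)` lets the daemon execute anything it has written to its own temporary files, which removes the write/execute separation the rest of the module maintains; if keystone really needs to run files out of /tmp, add a comment stating what it executes there, and otherwise drop the rule.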
diff --git a/l2tp.fc b/l2tp.fc
deleted file mode 100644
index d5d1572..0000000
--- a/l2tp.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-/etc/.*l2tp(/.*)? gen_context(system_u:object_r:l2tp_conf_t,s0)
-
-/etc/rc\.d/init\.d/.*l2tpd -- gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0)
-
-/etc/sysconfig/.*l2tpd -- gen_context(system_u:object_r:l2tp_conf_t,s0)
-
-/usr/sbin/.*l2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
-
-/var/run/.*l2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0)
-/var/run/prol2tpd\.ctl -s gen_context(system_u:object_r:l2tpd_var_run_t,s0)
-/var/run/.*l2tpd\.pid -- gen_context(system_u:object_r:l2tpd_var_run_t,s0)
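Review bot: the leading `.*` in `/etc/.*l2tp(/.*)?`, `/etc/rc\.d/init\.d/.*l2tpd`, `/usr/sbin/.*l2tpd` and `/var/run/.*l2tpd(/.*)?` matches any path with `l2tp` anywhere in the name, including unrelated files and whole subdirectories under /etc; prefer an explicit alternation of the daemon names that are actually shipped (`prol2tpd` is the only one spelled out in this file), so that a stray match does not silently relabel other configuration as `l2tp_conf_t`.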
diff --git a/l2tp.if b/l2tp.if
deleted file mode 100644
index 32eaecf..0000000
--- a/l2tp.if
+++ /dev/null
@@ -1,42 +0,0 @@
-## <summary>Layer 2 Tunneling Protocol.</summary>
-
-########################################
-## <summary>
-## All of the rules required to
-## administrate an l2tp environment.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`l2tp_admin',`
- gen_require(`
- type l2tpd_t, l2tpd_initrc_exec_t, l2tpd_var_run_t;
- type l2tp_conf_t, l2tpd_tmp_t;
- ')
-
- allow $1 l2tpd_t:process { ptrace signal_perms };
- ps_process_pattern($1, l2tpd_t)
-
- init_labeled_script_domtrans($1, l2tpd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 l2tpd_initrc_exec_t system_r;
- allow $2 system_r;
-
- files_search_etc($1)
- admin_pattern($1, l2tp_conf_t)
-
- files_search_pids($1)
- admin_pattern($1, l2tpd_var_run_t)
-
- files_search_tmp($1)
- admin_pattern($1, l2tpd_tmp_t)
-')
diff --git a/l2tp.te b/l2tp.te
deleted file mode 100644
index 409db93..0000000
--- a/l2tp.te
+++ /dev/null
@@ -1,95 +0,0 @@
-policy_module(l2tp, 1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type l2tpd_t;
-type l2tpd_exec_t;
-init_daemon_domain(l2tpd_t, l2tpd_exec_t)
-
-type l2tpd_initrc_exec_t;
-init_script_file(l2tpd_initrc_exec_t)
-
-type l2tp_conf_t;
-files_config_file(l2tp_conf_t)
-
-type l2tpd_tmp_t;
-files_tmp_file(l2tpd_tmp_t)
-
-type l2tpd_var_run_t;
-files_pid_file(l2tpd_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow l2tpd_t self:capability { net_admin net_bind_service };
-allow l2tpd_t self:process signal;
-allow l2tpd_t self:fifo_file rw_fifo_file_perms;
-allow l2tpd_t self:netlink_socket create_socket_perms;
-allow l2tpd_t self:rawip_socket create_socket_perms;
-allow l2tpd_t self:socket create_socket_perms;
-allow l2tpd_t self:tcp_socket create_stream_socket_perms;
-allow l2tpd_t self:unix_dgram_socket sendto;
-allow l2tpd_t self:unix_stream_socket { accept listen };
-
-read_files_pattern(l2tpd_t, l2tp_conf_t, l2tp_conf_t)
-
-manage_dirs_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
-manage_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
-manage_sock_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
-manage_fifo_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
-files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file })
-
-manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t)
-files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file)
-
-corenet_all_recvfrom_unlabeled(l2tpd_t)
-corenet_all_recvfrom_netlabel(l2tpd_t)
-corenet_raw_sendrecv_generic_if(l2tpd_t)
-corenet_tcp_sendrecv_generic_if(l2tpd_t)
-corenet_udp_sendrecv_generic_if(l2tpd_t)
-corenet_raw_bind_generic_node(l2tpd_t)
-corenet_tcp_bind_generic_node(l2tpd_t)
-corenet_udp_bind_generic_node(l2tpd_t)
-corenet_raw_sendrecv_generic_node(l2tpd_t)
-corenet_tcp_sendrecv_generic_node(l2tpd_t)
-corenet_udp_sendrecv_generic_node(l2tpd_t)
-corenet_tcp_sendrecv_all_ports(l2tpd_t)
-corenet_udp_sendrecv_all_ports(l2tpd_t)
-
-corenet_sendrecv_all_server_packets(l2tpd_t)
-corenet_tcp_bind_all_rpc_ports(l2tpd_t)
-corenet_udp_bind_all_rpc_ports(l2tpd_t)
-
-corenet_udp_bind_l2tp_port(l2tpd_t)
-
-kernel_read_network_state(l2tpd_t)
-kernel_read_system_state(l2tpd_t)
-# net-pf-24 (pppox)
-kernel_request_load_module(l2tpd_t)
-
-# prol2tpc
-corecmd_exec_bin(l2tpd_t)
-
-dev_read_urand(l2tpd_t)
-
-files_read_etc_files(l2tpd_t)
-
-term_use_generic_ptys(l2tpd_t)
-term_use_ptmx(l2tpd_t)
-
-logging_send_syslog_msg(l2tpd_t)
-
-miscfiles_read_localization(l2tpd_t)
-
-sysnet_dns_name_resolve(l2tpd_t)
-
-optional_policy(`
- ppp_domtrans(l2tpd_t)
- ppp_signal(l2tpd_t)
- ppp_kill(l2tpd_t)
-')
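Review bot: the corenet block is far wider than an L2TP daemon needs. `corenet_tcp_sendrecv_all_ports`, `corenet_udp_sendrecv_all_ports`, `corenet_sendrecv_all_server_packets` and the two `corenet_*_bind_all_rpc_ports` calls let l2tpd_t bind and talk on every port, while the one port the daemon is documented to own is already covered by `corenet_udp_bind_l2tp_port`. If this file is being relocated, drop the all_ports/RPC rules or add a comment naming the prol2tpd feature that needs them, and likewise note beside `allow l2tpd_t self:socket create_socket_perms;` that the generic socket class is for the PPPoX family referenced by the `# net-pf-24 (pppox)` comment, otherwise both look like leftovers to the next reader.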
diff --git a/man2html.fc b/man2html.fc
deleted file mode 100644
index 82f6255..0000000
--- a/man2html.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-/usr/lib/man2html/cgi-bin/man/man2html -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
-/usr/lib/man2html/cgi-bin/man/mansec -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
-/usr/lib/man2html/cgi-bin/man/manwhatis -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
-
-/var/cache/man2html(/.*)? gen_context(system_u:object_r:httpd_man2html_script_cache_t,s0)
diff --git a/man2html.if b/man2html.if
deleted file mode 100644
index 54ec04d..0000000
--- a/man2html.if
+++ /dev/null
@@ -1 +0,0 @@
-## <summary>A Unix manpage-to-HTML converter.</summary>
diff --git a/man2html.te b/man2html.te
deleted file mode 100644
index e08c55d..0000000
--- a/man2html.te
+++ /dev/null
@@ -1,26 +0,0 @@
-policy_module(man2html, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-apache_content_template(man2html)
-
-type httpd_man2html_script_cache_t;
-files_type(httpd_man2html_script_cache_t)
-
-########################################
-#
-# Local policy
-#
-
-manage_dirs_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
-manage_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
-manage_lnk_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
-files_var_filetrans(httpd_man2html_script_t, httpd_man2html_script_cache_t, dir)
-
-files_read_etc_files(httpd_man2html_script_t)
-
-miscfiles_read_localization(httpd_man2html_script_t)
-miscfiles_read_man_pages(httpd_man2html_script_t)
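Review bot: `files_var_filetrans(httpd_man2html_script_t, httpd_man2html_script_cache_t, dir)` carries no name argument, so every directory the CGI creates directly inside a var_t directory (such as /var or /var/cache), not only the /var/cache/man2html spec in the .fc, is labeled with the cache type. If the module is re-added elsewhere, pass the directory name as the fourth argument where the base policy's `files_var_filetrans` supports named transitions, or drop the transition and rely on the .fc spec plus restorecon.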
diff --git a/mandb.fc b/mandb.fc
deleted file mode 100644
index e4864f3..0000000
--- a/mandb.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-/etc/cron.daily/man-db\.cron -- gen_context(system_u:object_r:mandb_exec_t,s0)
-
-# file context conflict with spec in miscfiles. remove comment when the spec in miscfiles is removed
-# /var/cache/man(/.*)? gen_context(system_u:object_r:mandb_cache_t,s0)
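Review bot: with the `/var/cache/man(/.*)?` spec commented out, nothing in this file labels any object `mandb_cache_t`, so the cache rules in mandb.te and every `mandb_*_cache_content` interface are dead policy. The comment records the conflict with the miscfiles spec but not the resolution; either remove the miscfiles entry when this module is re-added, or give mandb_t access to the miscfiles man type and drop the separate cache type, and say which in the comment.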
diff --git a/mandb.if b/mandb.if
deleted file mode 100644
index 35988b0..0000000
--- a/mandb.if
+++ /dev/null
@@ -1,161 +0,0 @@
-## <summary>On-line manual database.</summary>
-
-########################################
-## <summary>
-## Execute the mandb program in
-## the mandb domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`mandb_domtrans',`
- gen_require(`
- type mandb_t, mandb_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, mandb_exec_t, mandb_t)
-')
-
-########################################
-## <summary>
-## Execute mandb in the mandb
-## domain, and allow the specified
-## role the mandb domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-#
-interface(`mandb_run',`
- gen_require(`
- attribute_role mandb_roles;
- ')
-
- lightsquid_domtrans($1)
- roleattribute $2 mandb_roles;
-')
-
-########################################
-## <summary>
-## Search mandb cache directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mandb_search_cache',`
- gen_require(`
- type mandb_cache_t;
- ')
-
- files_search_var($1)
- allow $1 mandb_cache_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-## Delete mandb cache content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mandb_delete_cache_content',`
- gen_require(`
- type mandb_cache_t;
- ')
-
- files_search_var($1)
- allow $1 mandb_cache_t:dir delete_dir_perms;
- allow $1 mandb_cache_t:file delete_file_perms;
- allow $1 mandb_cache_t:lnk_file delete_lnk_file_perms;
-')
-
-########################################
-## <summary>
-## Read mandb cache content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mandb_read_cache_content',`
- gen_require(`
- type mandb_cache_t;
- ')
-
- files_search_var($1)
- allow $1 mandb_cache_t:dir list_dir_perms;
- allow $1 mandb_cache_t:file read_file_perms;
- allow $1 mandb_cache_t:lnk_file read_lnk_file_perms;
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete
-## mandb cache files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mandb_manage_cache_content',`
- gen_require(`
- type mandb_cache_t;
- ')
-
- files_search_var($1)
- allow $1 mandb_cache_t:dir manage_dir_perms;
- allow $1 mandb_cache_t:file manage_file_perms;
- allow $1 mandb_cache_t:lnk_file manage_lnk_file_perms;
-')
-
-########################################
-## <summary>
-## All of the rules required to
-## administrate an mandb environment.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`mandb_admin',`
- gen_require(`
- type mandb_t, mandb_cache_t;
- ')
-
- allow $1 mandb_t:process { ptrace signal_perms };
- ps_process_pattern($1, mandb_t)
-
- mandb_run($1, $2)
-
- files_search_var($1)
- admin_pattern($1, mandb_cache_t)
-')
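Review bot: `mandb_run` calls `lightsquid_domtrans($1)` instead of `mandb_domtrans($1)` (a copy/paste slip from the lightsquid module), so a caller such as `mandb_admin` is granted a transition into the lightsquid domain and never into mandb_t, and the build fails outright when the lightsquid interface file is not present. If this file is being moved rather than dropped, the destination copy needs `mandb_domtrans($1)` here.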
diff --git a/mandb.te b/mandb.te
deleted file mode 100644
index 8db8613..0000000
--- a/mandb.te
+++ /dev/null
@@ -1,42 +0,0 @@
-policy_module(mandb, 1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-attribute_role mandb_roles;
-roleattribute system_r mandb_roles;
-
-type mandb_t;
-type mandb_exec_t;
-application_domain(mandb_t, mandb_exec_t)
-role mandb_roles types mandb_t;
-
-type mandb_cache_t;
-files_type(mandb_cache_t)
-
-########################################
-#
-# Local policy
-#
-
-allow mandb_t self:process signal;
-allow mandb_t self:fifo_file rw_fifo_file_perms;
-allow mandb_t self:unix_stream_socket create_stream_socket_perms;
-
-manage_dirs_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
-manage_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
-manage_lnk_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
-
-kernel_read_system_state(mandb_t)
-
-corecmd_exec_bin(mandb_t)
-
-domain_use_interactive_fds(mandb_t)
-
-files_read_etc_files(mandb_t)
-
-optional_policy(`
- cron_system_entry(mandb_t, mandb_exec_t)
-')
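Review bot: mandb_t has no read access to the man pages it is supposed to index: the only file rules are the `mandb_cache_t` patterns (which, per mandb.fc, currently label nothing) and `files_read_etc_files`. For the `cron_system_entry` job to actually rebuild the database it needs the miscfiles man page interfaces (read the page trees and manage the cache under /var/cache/man, which miscfiles labels); otherwise every page open is denied in enforcing mode. Compare man2html.te in this same series, which does call `miscfiles_read_man_pages`.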
diff --git a/mongodb.fc b/mongodb.fc
deleted file mode 100644
index 2abd690..0000000
--- a/mongodb.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
-
-/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
-
-/var/lib/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_lib_t,s0)
-
-/var/log/mongodb(/.*)? gen_context(system_u:object_r:mongod_log_t,s0)
-
-/var/run/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_run_t,s0)
diff --git a/mongodb.if b/mongodb.if
deleted file mode 100644
index b247d25..0000000
--- a/mongodb.if
+++ /dev/null
@@ -1,42 +0,0 @@
-## <summary>Scalable, high-performance, open source NoSQL database.</summary>
-
-########################################
-## <summary>
-## All of the rules required to
-## administrate an mongodb environment.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`mongodb_admin',`
- gen_require(`
- type mongod_t, mongod_initrc_exec_t, mongod_log_t;
- type mongod_var_lib_t, mongod_var_run_t;
- ')
-
- allow $1 mongod_t:process { ptrace signal_perms };
- ps_process_pattern($1, mongod_t)
-
- init_labeled_script_domtrans($1, mongod_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 mongod_initrc_exec_t system_r;
- allow $2 system_r;
-
- logging_search_logs($1)
- admin_pattern($1, mongod_log_t)
-
- files_search_var_lib($1)
- admin_pattern($1, mongod_var_lib_t)
-
- files_search_pids($1)
- admin_pattern($1, mongod_var_run_t)
-')
diff --git a/mongodb.te b/mongodb.te
deleted file mode 100644
index 25a5930..0000000
--- a/mongodb.te
+++ /dev/null
@@ -1,58 +0,0 @@
-policy_module(mongodb, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type mongod_t;
-type mongod_exec_t;
-init_daemon_domain(mongod_t, mongod_exec_t)
-
-type mongod_initrc_exec_t;
-init_script_file(mongod_initrc_exec_t)
-
-type mongod_log_t;
-logging_log_file(mongod_log_t)
-
-type mongod_var_lib_t;
-files_type(mongod_var_lib_t)
-
-type mongod_var_run_t;
-files_pid_file(mongod_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow mongod_t self:process signal;
-allow mongod_t self:fifo_file rw_fifo_file_perms;
-
-manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)
-append_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
-create_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
-setattr_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
-logging_log_filetrans(mongod_t, mongod_log_t, dir)
-
-manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
-manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
-files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir)
-
-manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
-manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
-files_pid_filetrans(mongod_t, mongod_var_run_t, dir)
-
-kernel_read_system_state(mongod_t)
-
-corenet_all_recvfrom_unlabeled(mongod_t)
-corenet_all_recvfrom_netlabel(mongod_t)
-corenet_tcp_sendrecv_generic_if(mongod_t)
-corenet_tcp_sendrecv_generic_node(mongod_t)
-corenet_tcp_bind_generic_node(mongod_t)
-
-dev_read_urand(mongod_t)
-
-files_read_etc_files(mongod_t)
-
-miscfiles_read_localization(mongod_t)
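Review bot: `corenet_tcp_bind_generic_node(mongod_t)` grants node_bind, but there is no port rule at all (no `corenet_tcp_bind_*_port` call and no port sendrecv), so the listener's bind() is denied in enforcing mode. A mongod port type has to be declared in corenetwork and bound here, together with the matching `corenet_sendrecv_*_server_packets` and `corenet_tcp_sendrecv_*_port` rules that the other daemons in this series (see openhpi.te) carry.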
diff --git a/openhpi.fc b/openhpi.fc
deleted file mode 100644
index 727b47e..0000000
--- a/openhpi.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-/etc/rc\.d/init\.d/openhpid -- gen_context(system_u:object_r:openhpid_initrc_exec_t,s0)
-
-/usr/sbin/openhpid -- gen_context(system_u:object_r:openhpid_exec_t,s0)
-
-/var/lib/openhpi(/.*)? gen_context(system_u:object_r:openhpid_var_lib_t,s0)
-
-/var/run/openhpid\.pid -- gen_context(system_u:object_r:openhpid_var_run_t,s0)
diff --git a/openhpi.if b/openhpi.if
deleted file mode 100644
index 3c86958..0000000
--- a/openhpi.if
+++ /dev/null
@@ -1,39 +0,0 @@
-## <summary>Open source implementation of the Service Availability Forum Hardware Platform Interface.</summary>
-
-########################################
-## <summary>
-## All of the rules required to
-## administrate an openhpi environment.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`openhpi_admin',`
- gen_require(`
- type openhpid_t, openhpid_initrc_exec_t, openhpid_var_lib_t;
- type openhpid_var_run_t;
- ')
-
- allow $1 openhpid_t:process { ptrace signal_perms };
- ps_process_pattern($1, openhpid_t)
-
- init_labeled_script_domtrans($1, openhpid_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 openhpid_initrc_exec_t system_r;
- allow $2 system_r;
-
- files_search_var_lib($1)
- admin_pattern($1, openhpid_var_lib_t)
-
- files_search_pids($1)
- admin_pattern($1, openhpid_var_run_t)
-')
diff --git a/openhpi.te b/openhpi.te
deleted file mode 100644
index 7f398c0..0000000
--- a/openhpi.te
+++ /dev/null
@@ -1,57 +0,0 @@
-policy_module(openhpi, 1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type openhpid_t;
-type openhpid_exec_t;
-init_daemon_domain(openhpid_t, openhpid_exec_t)
-
-type openhpid_initrc_exec_t;
-init_script_file(openhpid_initrc_exec_t)
-
-type openhpid_var_lib_t;
-files_type(openhpid_var_lib_t)
-
-type openhpid_var_run_t;
-files_pid_file(openhpid_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow openhpid_t self:capability kill;
-allow openhpid_t self:process signal;
-allow openhpid_t self:fifo_file rw_fifo_file_perms;
-allow openhpid_t self:netlink_route_socket r_netlink_socket_perms;
-allow openhpid_t self:unix_stream_socket { accept listen };
-allow openhpid_t self:tcp_socket create_stream_socket_perms;
-allow openhpid_t self:udp_socket create_socket_perms;
-
-manage_dirs_pattern(openhpid_t, openhpid_var_lib_t, openhpid_var_lib_t)
-manage_files_pattern(openhpid_t, openhpid_var_lib_t, openhpid_var_lib_t)
-files_var_lib_filetrans(openhpid_t, openhpid_var_lib_t, dir)
-
-manage_files_pattern(openhpid_t, openhpid_var_run_t, openhpid_var_run_t)
-files_pid_filetrans(openhpid_t, openhpid_var_run_t, file)
-
-corenet_all_recvfrom_unlabeled(openhpid_t)
-corenet_all_recvfrom_netlabel(openhpid_t)
-corenet_tcp_sendrecv_generic_if(openhpid_t)
-corenet_tcp_sendrecv_generic_node(openhpid_t)
-corenet_tcp_bind_generic_node(openhpid_t)
-
-corenet_sendrecv_openhpid_server_packets(openhpid_t)
-corenet_tcp_bind_openhpid_port(openhpid_t)
-corenet_tcp_sendrecv_openhpid_port(openhpid_t)
-
-dev_read_urand(openhpid_t)
-
-files_read_etc_files(openhpid_t)
-
-logging_send_syslog_msg(openhpid_t)
-
-miscfiles_read_localization(openhpid_t)
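Review bot: `allow openhpid_t self:capability kill;` is only needed to signal processes running under another uid, yet the only signal rule present is `self:process signal`, so either the capability is unnecessary or the target domain it signals is missing from the policy. In the same way `self:udp_socket create_socket_perms` has no `corenet_udp_*` counterpart, so UDP traffic would still be denied; add the udp sendrecv rules or drop the socket allow, and comment whichever stays so the intent is reviewable.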
diff --git a/pkcs.fc b/pkcs.fc
deleted file mode 100644
index f9dc0be..0000000
--- a/pkcs.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-/etc/rc\.d/init\.d/pkcsslotd -- gen_context(system_u:object_r:pkcs_slotd_initrc_exec_t,s0)
-
-/usr/sbin/pkcsslotd -- gen_context(system_u:object_r:pkcs_slotd_exec_t,s0)
-
-/var/lib/opencryptoki(/.*)? gen_context(system_u:object_r:pkcs_slotd_var_lib_t,s0)
-
-/var/run/pkcsslotd\.pid -- gen_context(system_u:object_r:pkcs_slotd_var_run_t,s0)
diff --git a/pkcs.if b/pkcs.if
deleted file mode 100644
index 69be2aa..0000000
--- a/pkcs.if
+++ /dev/null
@@ -1,45 +0,0 @@
-## <summary>Implementations of the Cryptoki specification.</summary>
-
-########################################
-## <summary>
-## All of the rules required to
-## administrate an pkcs slotd environment.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`pkcs_admin_slotd',`
- gen_require(`
- type pkcs_slotd_t, pkcs_slotd_initrc_exec_t, pkcs_slotd_var_lib_t;
- type pkcs_slotd_var_run_t, pkcs_slotd_tmp_t, pkcs_slotd_tmpfs_t;
- ')
-
- allow $1 pkcs_slotd_t:process { ptrace signal_perms };
- ps_process_pattern($1, pkcs_slotd_t)
-
- init_labeled_script_domtrans($1, pkcs_slotd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 pkcs_slotd_initrc_exec_t system_r;
- allow $2 system_r;
-
- files_search_var_lib($1)
- admin_pattern($1, pkcs_slotd_var_lib_t)
-
- files_search_pids($1)
- admin_pattern($1, pkcs_slotd_var_run_t)
-
- files_search_tmp($1)
- admin_pattern($1, pkcs_slotd_tmp_t)
-
- fs_search_tmpfs($1)
- admin_pattern($1, pkcs_slotd_tmpfs_t)
-')
diff --git a/pkcs.te b/pkcs.te
deleted file mode 100644
index 977b972..0000000
--- a/pkcs.te
+++ /dev/null
@@ -1,58 +0,0 @@
-policy_module(pkcs, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type pkcs_slotd_t;
-type pkcs_slotd_exec_t;
-init_daemon_domain(pkcs_slotd_t, pkcs_slotd_exec_t)
-
-type pkcs_slotd_initrc_exec_t;
-init_script_file(pkcs_slotd_initrc_exec_t)
-
-type pkcs_slotd_var_lib_t;
-files_type(pkcs_slotd_var_lib_t)
-
-type pkcs_slotd_var_run_t;
-files_pid_file(pkcs_slotd_var_run_t)
-
-type pkcs_slotd_tmp_t;
-files_tmp_file(pkcs_slotd_tmp_t)
-
-type pkcs_slotd_tmpfs_t;
-files_tmpfs_file(pkcs_slotd_tmpfs_t)
-
-########################################
-#
-# Local policy
-#
-
-allow pkcs_slotd_t self:capability kill;
-allow pkcs_slotd_t self:fifo_file rw_fifo_file_perms;
-allow pkcs_slotd_t self:sem create_sem_perms;
-allow pkcs_slotd_t self:shm create_shm_perms;
-allow pkcs_slotd_t self:unix_stream_socket { accept listen };
-
-manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
-manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
-manage_lnk_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
-files_var_lib_filetrans(pkcs_slotd_t, pkcs_slotd_var_lib_t, dir)
-
-manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
-files_pid_filetrans(pkcs_slotd_t, pkcs_slotd_var_run_t, file)
-
-manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmp_t, pkcs_slotd_tmp_t)
-manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmp_t, pkcs_slotd_tmp_t)
-files_tmp_filetrans(pkcs_slotd_t, pkcs_slotd_tmp_t, dir)
-
-manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
-manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
-fs_tmpfs_filetrans(pkcs_slotd_t, pkcs_slotd_tmpfs_t, dir)
-
-files_read_etc_files(pkcs_slotd_t)
-
-logging_send_syslog_msg(pkcs_slotd_t)
-
-miscfiles_read_localization(pkcs_slotd_t)
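Review bot: `allow pkcs_slotd_t self:capability kill;` with no `self:process signal` rule at all is inconsistent; the capability only lifts the uid check, the signal itself still needs a `signal` rule against whichever domain the slot daemon is signalling, and that domain should be named here. A one-line comment on `create_sem_perms`/`create_shm_perms` would also help, since the shared memory segment is the interface between pkcsslotd and PKCS#11 library users and has no labeled file backing anywhere in this policy.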
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2012-10-16 17:39 Sven Vermeulen
From: Sven Vermeulen @ 2012-10-16 17:39 UTC
To: gentoo-commits
commit: 67f7c97fa4287aecf5e4eab532f389016359c3d0
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Mon Oct 15 16:09:25 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Oct 16 17:35:40 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=67f7c97f
Initial rngd policy module
Hardware random number generation tools.
Ported from Fedora with changes
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
rngd.fc | 3 +++
rngd.if | 32 ++++++++++++++++++++++++++++++++
rngd.te | 34 ++++++++++++++++++++++++++++++++++
3 files changed, 69 insertions(+), 0 deletions(-)
diff --git a/rngd.fc b/rngd.fc
new file mode 100644
index 0000000..5dd779e
--- /dev/null
+++ b/rngd.fc
@@ -0,0 +1,3 @@
+/etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
+
+/usr/sbin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)
diff --git a/rngd.if b/rngd.if
new file mode 100644
index 0000000..0e759a2
--- /dev/null
+++ b/rngd.if
@@ -0,0 +1,32 @@
+## <summary>Check and feed random data from hardware device to kernel random device.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an rng environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rngd_admin',`
+ gen_require(`
+ type rngd_t, rngd_initrc_exec_t;
+ ')
+
+ allow $1 rngd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, rngd_t)
+
+ init_labeled_script_domtrans($1, rngd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 rngd_initrc_exec_t system_r;
+ allow $2 system_r;
+')
diff --git a/rngd.te b/rngd.te
new file mode 100644
index 0000000..c324536
--- /dev/null
+++ b/rngd.te
@@ -0,0 +1,34 @@
+policy_module(rngd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type rngd_t;
+type rngd_exec_t;
+init_daemon_domain(rngd_t, rngd_exec_t)
+
+type rngd_initrc_exec_t;
+init_script_file(rngd_initrc_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow rngd_t self:capability sys_admin;
+allow rngd_t self:process signal;
+allow rngd_t self:fifo_file rw_fifo_file_perms;
+allow rngd_t self:unix_stream_socket { accept listen };
+
+dev_read_rand(rngd_t)
+dev_read_urand(rngd_t)
+dev_rw_tpm(rngd_t)
+dev_write_rand(rngd_t)
+
+files_read_etc_files(rngd_t)
+
+logging_send_syslog_msg(rngd_t)
+
+miscfiles_read_localization(rngd_t)
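Review bot: `allow rngd_t self:capability sys_admin;` deserves a comment. Feeding entropy into the kernel pool through the RNDADDENTROPY ioctl on /dev/random requires CAP_SYS_ADMIN, which is why `dev_write_rand(rngd_t)` alone is not enough; since sys_admin is the broadest capability in the policy, recording that reason (and that `dev_rw_tpm` is for the TPM entropy source) stops a later reader from either widening it further or dropping it as a leftover.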
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2012-10-16 17:39 Sven Vermeulen
From: Sven Vermeulen @ 2012-10-16 17:39 UTC
To: gentoo-commits
commit: 075b069ccd70cef328f29a8926ebd0a810a55d5e
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Tue Oct 16 10:38:01 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Oct 16 17:36:27 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=075b069c
Initial obex policy module
obex-data-server is a D-Bus service providing high-level OBEX client and
server side functionality. It currently supports the OPP (Object Push
Profile) and FTP (File Transfer Profile) profiles and Bluetooth as
transport. obex-data-server exposes its functionality through the
'org.openobex' namespace in the D-Bus session bus.
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
obex.fc | 1 +
obex.if | 88 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
obex.te | 43 ++++++++++++++++++++++++++++++
3 files changed, 132 insertions(+), 0 deletions(-)
diff --git a/obex.fc b/obex.fc
new file mode 100644
index 0000000..03fa560
--- /dev/null
+++ b/obex.fc
@@ -0,0 +1 @@
+/usr/bin/obex-data-server -- gen_context(system_u:object_r:obex_exec_t,s0)
diff --git a/obex.if b/obex.if
new file mode 100644
index 0000000..8635ea2
--- /dev/null
+++ b/obex.if
@@ -0,0 +1,88 @@
+## <summary>D-Bus service providing high-level OBEX client and server side functionality.</summary>
+
+#######################################
+## <summary>
+## The role template for obex.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`obex_role_template',`
+ gen_require(`
+ attribute_role obex_roles;
+ type obex_t, obex_exec_exec_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ roleattribute $2 obex_roles;
+
+ ########################################
+ #
+ # Policy
+ #
+
+ allow $3 obex_t:process { ptrace signal_perms };
+ ps_process_pattern($3, obex_t)
+
+ dbus_spec_session_domain($1, obex_exec_t, obex_t)
+
+ obex_dbus_chat($3)
+')
+
+########################################
+## <summary>
+## Execute obex in the obex domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`obex_domtrans',`
+ gen_require(`
+ type obex_t, obex_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, obex_exec_t, obex_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## obex over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`obex_dbus_chat',`
+ gen_require(`
+ type obex_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 obex_t:dbus send_msg;
+ allow obex_t $1:dbus send_msg;
+')
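Review bot: `obex_role_template` requires `type obex_t, obex_exec_exec_t;`, but the type declared in obex.te and used two lines later in `dbus_spec_session_domain($1, obex_exec_t, obex_t)` is `obex_exec_t`, so any policy that instantiates the template fails to build on the undeclared type. Change the gen_require to `type obex_t, obex_exec_t;`.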
diff --git a/obex.te b/obex.te
new file mode 100644
index 0000000..cd29ea8
--- /dev/null
+++ b/obex.te
@@ -0,0 +1,43 @@
+policy_module(obex, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role obex_roles;
+
+type obex_t;
+type obex_exec_t;
+userdom_user_application_domain(obex_t, obex_exec_t)
+role obex_roles types obex_t;
+
+########################################
+#
+# Local policy
+#
+
+allow obex_t self:fifo_file rw_fifo_file_perms;
+allow obex_t self:socket create_stream_socket_perms;
+
+dev_read_urand(obex_t)
+
+files_read_etc_files(obex_t)
+
+logging_send_syslog_msg(obex_t)
+
+miscfiles_read_localization(obex_t)
+
+userdom_search_user_home_content(obex_t)
+
+optional_policy(`
+ bluetooth_stream_connect(obex_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(obex_t)
+
+ optional_policy(`
+ bluetooth_dbus_chat(obex_t)
+ ')
+')
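Review bot: `allow obex_t self:socket create_stream_socket_perms;` uses the generic socket class, which is where Bluetooth sockets land on kernels that have no dedicated class for them; a comment saying so would keep it from being removed as noise. Also, the commit message says the service implements OPP and FTP, i.e. it pushes and serves files, yet the only home directory rule is `userdom_search_user_home_content(obex_t)`; expect read and write denials on the user's files as soon as a transfer is exercised, so either add the matching userdom content rules or note that they are deliberately left to the role template's caller.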
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2012-10-16 17:39 Sven Vermeulen
From: Sven Vermeulen @ 2012-10-16 17:39 UTC
To: gentoo-commits
commit: 3aec0515dc3f6e48e76ffc862b7b368cab0df193
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Oct 16 17:37:12 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Oct 16 17:37:12 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3aec0515
Remove obex/rngd from root
---
obex.fc | 1 -
obex.if | 88 ---------------------------------------------------------------
obex.te | 43 ------------------------------
rngd.fc | 3 --
rngd.if | 32 -----------------------
rngd.te | 34 ------------------------
6 files changed, 0 insertions(+), 201 deletions(-)
diff --git a/obex.fc b/obex.fc
deleted file mode 100644
index 03fa560..0000000
--- a/obex.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/bin/obex-data-server -- gen_context(system_u:object_r:obex_exec_t,s0)
diff --git a/obex.if b/obex.if
deleted file mode 100644
index 8635ea2..0000000
--- a/obex.if
+++ /dev/null
@@ -1,88 +0,0 @@
-## <summary>D-Bus service providing high-level OBEX client and server side functionality.</summary>
-
-#######################################
-## <summary>
-## The role template for obex.
-## </summary>
-## <param name="role_prefix">
-## <summary>
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-## </summary>
-## </param>
-## <param name="user_role">
-## <summary>
-## The role associated with the user domain.
-## </summary>
-## </param>
-## <param name="user_domain">
-## <summary>
-## The type of the user domain.
-## </summary>
-## </param>
-#
-template(`obex_role_template',`
- gen_require(`
- attribute_role obex_roles;
- type obex_t, obex_exec_exec_t;
- ')
-
- ########################################
- #
- # Declarations
- #
-
- roleattribute $2 obex_roles;
-
- ########################################
- #
- # Policy
- #
-
- allow $3 obex_t:process { ptrace signal_perms };
- ps_process_pattern($3, obex_t)
-
- dbus_spec_session_domain($1, obex_exec_t, obex_t)
-
- obex_dbus_chat($3)
-')
-
-########################################
-## <summary>
-## Execute obex in the obex domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`obex_domtrans',`
- gen_require(`
- type obex_t, obex_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, obex_exec_t, obex_t)
-')
-
-########################################
-## <summary>
-## Send and receive messages from
-## obex over dbus.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`obex_dbus_chat',`
- gen_require(`
- type obex_t;
- class dbus send_msg;
- ')
-
- allow $1 obex_t:dbus send_msg;
- allow obex_t $1:dbus send_msg;
-')
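Review bot: this removal carries the file out verbatim, including the `obex_exec_exec_t` typo in `obex_role_template`'s gen_require; if the module is being re-added under its proper subdirectory, make sure the copy uses `obex_exec_t` so the template actually builds.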
diff --git a/obex.te b/obex.te
deleted file mode 100644
index cd29ea8..0000000
--- a/obex.te
+++ /dev/null
@@ -1,43 +0,0 @@
-policy_module(obex, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-attribute_role obex_roles;
-
-type obex_t;
-type obex_exec_t;
-userdom_user_application_domain(obex_t, obex_exec_t)
-role obex_roles types obex_t;
-
-########################################
-#
-# Local policy
-#
-
-allow obex_t self:fifo_file rw_fifo_file_perms;
-allow obex_t self:socket create_stream_socket_perms;
-
-dev_read_urand(obex_t)
-
-files_read_etc_files(obex_t)
-
-logging_send_syslog_msg(obex_t)
-
-miscfiles_read_localization(obex_t)
-
-userdom_search_user_home_content(obex_t)
-
-optional_policy(`
- bluetooth_stream_connect(obex_t)
-')
-
-optional_policy(`
- dbus_system_bus_client(obex_t)
-
- optional_policy(`
- bluetooth_dbus_chat(obex_t)
- ')
-')
diff --git a/rngd.fc b/rngd.fc
deleted file mode 100644
index 5dd779e..0000000
--- a/rngd.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
-
-/usr/sbin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)
diff --git a/rngd.if b/rngd.if
deleted file mode 100644
index 0e759a2..0000000
--- a/rngd.if
+++ /dev/null
@@ -1,32 +0,0 @@
-## <summary>Check and feed random data from hardware device to kernel random device.</summary>
-
-########################################
-## <summary>
-## All of the rules required to
-## administrate an rng environment.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`rngd_admin',`
- gen_require(`
- type rngd_t, rngd_initrc_exec_t;
- ')
-
- allow $1 rngd_t:process { ptrace signal_perms };
- ps_process_pattern($1, rngd_t)
-
- init_labeled_script_domtrans($1, rngd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rngd_initrc_exec_t system_r;
- allow $2 system_r;
-')
diff --git a/rngd.te b/rngd.te
deleted file mode 100644
index c324536..0000000
--- a/rngd.te
+++ /dev/null
@@ -1,34 +0,0 @@
-policy_module(rngd, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type rngd_t;
-type rngd_exec_t;
-init_daemon_domain(rngd_t, rngd_exec_t)
-
-type rngd_initrc_exec_t;
-init_script_file(rngd_initrc_exec_t)
-
-########################################
-#
-# Local policy
-#
-
-allow rngd_t self:capability sys_admin;
-allow rngd_t self:process signal;
-allow rngd_t self:fifo_file rw_fifo_file_perms;
-allow rngd_t self:unix_stream_socket { accept listen };
-
-dev_read_rand(rngd_t)
-dev_read_urand(rngd_t)
-dev_rw_tpm(rngd_t)
-dev_write_rand(rngd_t)
-
-files_read_etc_files(rngd_t)
-
-logging_send_syslog_msg(rngd_t)
-
-miscfiles_read_localization(rngd_t)
^ permalink raw reply related [flat|nested] 101+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2012-10-17 17:41 Sven Vermeulen
0 siblings, 0 replies; 101+ messages in thread
From: Sven Vermeulen @ 2012-10-17 17:41 UTC (permalink / raw
To: gentoo-commits
commit: 4aa4bb6567da69b4b6a657b17bcc6cb6a8fb23e5
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Tue Oct 16 13:55:50 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Oct 17 17:37:07 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4aa4bb65
Initial pacemaker policy module
Pacemaker is an Open Source, High Availability resource manager suitable
for both small and large clusters
Ported from Fedora with changes
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
pacemaker.fc | 9 +++++++++
pacemaker.if | 39 +++++++++++++++++++++++++++++++++++++++
pacemaker.te | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 97 insertions(+), 0 deletions(-)
diff --git a/pacemaker.fc b/pacemaker.fc
new file mode 100644
index 0000000..a66d7be
--- /dev/null
+++ b/pacemaker.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/pacemaker -- gen_context(system_u:object_r:pacemaker_initrc_exec_t,s0)
+
+/usr/sbin/pacemakerd -- gen_context(system_u:object_r:pacemaker_exec_t,s0)
+
+/var/lib/heartbeat/crm(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
+
+/var/lib/pengine(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
+
+/var/run/crm(/.*)? gen_context(system_u:object_r:pacemaker_var_run_t,s0)
diff --git a/pacemaker.if b/pacemaker.if
new file mode 100644
index 0000000..9682d9a
--- /dev/null
+++ b/pacemaker.if
@@ -0,0 +1,39 @@
+## <summary>A scalable high-availability cluster resource manager.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an pacemaker environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`pacemaker_admin',`
+ gen_require(`
+ type pacemaker_t, pacemaker_initrc_exec_t, pacemaker_var_lib_t;
+ type pacemaker_var_run_t;
+ ')
+
+ allow $1 pacemaker_t:process { ptrace signal_perms };
+ ps_process_pattern($1, pacemaker_t)
+
+ init_labeled_script_domtrans($1, pacemaker_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 pacemaker_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_var_lib($1)
+ admin_pattern($1, pacemaker_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, pacemaker_var_run_t)
+')
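Review bot: "administrate an pacemaker environment" in the interface summary should read "administrate a pacemaker environment"; the same wording is reused in the other admin interfaces in this series, so it is worth fixing in the template the modules were generated from. The admin interface itself follows the usual shape (ptrace/signal_perms, ps_process_pattern, init_labeled_script_domtrans, admin_pattern over the var_lib and pid types), so nothing else to raise here.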
diff --git a/pacemaker.te b/pacemaker.te
new file mode 100644
index 0000000..8a17a11
--- /dev/null
+++ b/pacemaker.te
@@ -0,0 +1,49 @@
+policy_module(pacemaker, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type pacemaker_t;
+type pacemaker_exec_t;
+init_daemon_domain(pacemaker_t, pacemaker_exec_t)
+
+type pacemaker_initrc_exec_t;
+init_script_file(pacemaker_initrc_exec_t)
+
+type pacemaker_var_lib_t;
+files_type(pacemaker_var_lib_t)
+
+type pacemaker_var_run_t;
+files_pid_file(pacemaker_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow pacemaker_t self:capability { chown dac_override setuid };
+allow pacemaker_t self:process { setrlimit signal };
+allow pacemaker_t self:fifo_file rw_fifo_file_perms;
+allow pacemaker_t self:unix_stream_socket { accept listen };
+
+manage_dirs_pattern(pacemaker_t, pacemaker_var_lib_t, pacemaker_var_lib_t)
+manage_files_pattern(pacemaker_t, pacemaker_var_lib_t, pacemaker_var_lib_t)
+files_var_lib_filetrans(pacemaker_t, pacemaker_var_lib_t, { dir file })
+
+manage_dirs_pattern(pacemaker_t, pacemaker_var_run_t, pacemaker_var_run_t)
+manage_files_pattern(pacemaker_t, pacemaker_var_run_t, pacemaker_var_run_t)
+files_pid_filetrans(pacemaker_t, pacemaker_var_run_t, { dir file })
+
+domain_use_interactive_fds(pacemaker_t)
+
+auth_use_nsswitch(pacemaker_t)
+
+logging_send_syslog_msg(pacemaker_t)
+
+miscfiles_read_localization(pacemaker_t)
+
+optional_policy(`
+ corosync_stream_connect(pacemaker_t)
+')
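Review bot: `allow pacemaker_t self:capability { chown dac_override setuid };` grants dac_override without any comment explaining which operation needs it; since that capability lets the domain ignore all discretionary permission checks, please add a comment with the denial it was added for, and check whether it is only needed because the daemon drops privileges and then touches root-owned state under pacemaker_var_lib_t or pacemaker_var_run_t, in which case fixing ownership of those files would let the capability be dropped. The rest of the local policy is scoped to the module's own types and the corosync connect is correctly optional.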
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2012-10-22 18:15 Sven Vermeulen
0 siblings, 0 replies; 101+ messages in thread
From: Sven Vermeulen @ 2012-10-22 18:15 UTC (permalink / raw
To: gentoo-commits
commit: b4dc7016234346091028205292a1055eb4314e84
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Mon Oct 22 09:47:23 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Oct 22 18:11:58 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b4dc7016
Initial rabbitmq policy module
RabbitMQ is a complete and highly reliable enterprise messaging system
based on the emerging AMQP standard.
Ported from Fedora with changes
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
rabbitmq.fc | 10 +++++
rabbitmq.if | 61 ++++++++++++++++++++++++++++++++++
rabbitmq.te | 106 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 177 insertions(+), 0 deletions(-)
diff --git a/rabbitmq.fc b/rabbitmq.fc
new file mode 100644
index 0000000..c5ad6de
--- /dev/null
+++ b/rabbitmq.fc
@@ -0,0 +1,10 @@
+/etc/rc\.d/init\.d/rabbitmq-server -- gen_context(system_u:object_r:rabbitmq_initrc_exec_t,s0)
+
+/usr/lib/erlang/erts.*/bin/beam.* -- gen_context(system_u:object_r:rabbitmq_beam_exec_t,s0)
+/usr/lib/erlang/erts.*/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0)
+
+/var/lib/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0)
+
+/var/log/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0)
+
+/var/run/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_run_t,s0)
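Review bot: `/usr/lib/erlang/erts.*/bin/beam.*` and the `epmd` entry label the Erlang runtime itself, not anything rabbitmq-specific, so every Erlang program that init starts through that VM binary will be placed in rabbitmq_beam_t and inherit rabbitmq's AMQP port, log and var_lib access (and any other Erlang daemon using epmd would be confined as rabbitmq_epmd_t). If the intent is to confine rabbitmq only, label rabbitmq's own start-up scripts instead and let them transition; if the intent really is "all Erlang daemons", the commit message and the .if summary should say so.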
diff --git a/rabbitmq.if b/rabbitmq.if
new file mode 100644
index 0000000..2c3d338
--- /dev/null
+++ b/rabbitmq.if
@@ -0,0 +1,61 @@
+## <summary>AMQP server written in Erlang.</summary>
+
+########################################
+## <summary>
+## Execute rabbitmq in the rabbitmq domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rabbitmq_domtrans',`
+ gen_require(`
+ type rabbitmq_t, rabbitmq_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rabbitmq_exec_t, rabbitmq_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an rabbitmq environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rabbitmq_admin',`
+ gen_require(`
+ type rabbitmq_epmd_t, rabbitmq_beam_t, rabbitmq_initrc_exec_t;
+ type rabbitmq_var_lib_t, rabbitmq_var_log_t, rabbitmq_var_run_t;
+ ')
+
+ allow $1 { rabbitmq_epmd_t rabbitmq_beam_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { rabbitmq_epmd_t rabbitmq_beam_t })
+
+ init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 rabbitmq_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_search_logs($1)
+ admin_pattern($1, rabbitmq_var_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, rabbitmq_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, rabbitmq_var_run_t)
+')
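Review bot: `rabbitmq_domtrans` requires `type rabbitmq_t, rabbitmq_exec_t;`, but rabbitmq.te in this commit only declares rabbitmq_epmd_t/rabbitmq_epmd_exec_t and rabbitmq_beam_t/rabbitmq_beam_exec_t, so the first module that calls this interface will fail to build because the required types do not exist. Either transition to rabbitmq_beam_t via rabbitmq_beam_exec_t or drop the interface until there is a matching domain. Also, "administrate an rabbitmq environment" should read "a rabbitmq environment".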
diff --git a/rabbitmq.te b/rabbitmq.te
new file mode 100644
index 0000000..3698b51
--- /dev/null
+++ b/rabbitmq.te
@@ -0,0 +1,106 @@
+policy_module(rabbitmq, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type rabbitmq_epmd_t;
+type rabbitmq_epmd_exec_t;
+init_daemon_domain(rabbitmq_epmd_t, rabbitmq_epmd_exec_t)
+
+type rabbitmq_beam_t;
+type rabbitmq_beam_exec_t;
+init_daemon_domain(rabbitmq_beam_t, rabbitmq_beam_exec_t)
+
+type rabbitmq_initrc_exec_t;
+init_script_file(rabbitmq_initrc_exec_t)
+
+type rabbitmq_var_lib_t;
+files_type(rabbitmq_var_lib_t)
+
+type rabbitmq_var_log_t;
+logging_log_file(rabbitmq_var_log_t)
+
+type rabbitmq_var_run_t;
+files_pid_file(rabbitmq_var_run_t)
+
+######################################
+#
+# Beam local policy
+#
+
+allow rabbitmq_beam_t self:process { setsched signal signull };
+allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms;
+allow rabbitmq_beam_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+
+manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
+append_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
+create_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
+setattr_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
+
+manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
+manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
+
+can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
+
+domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
+
+kernel_read_system_state(rabbitmq_beam_t)
+
+corecmd_exec_bin(rabbitmq_beam_t)
+corecmd_exec_shell(rabbitmq_beam_t)
+
+corenet_all_recvfrom_unlabeled(rabbitmq_beam_t)
+corenet_all_recvfrom_netlabel(rabbitmq_beam_t)
+corenet_tcp_sendrecv_generic_if(rabbitmq_beam_t)
+corenet_tcp_sendrecv_generic_node(rabbitmq_beam_t)
+corenet_tcp_bind_generic_node(rabbitmq_beam_t)
+
+corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
+corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
+corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t)
+
+corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
+corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
+corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
+
+dev_read_sysfs(rabbitmq_beam_t)
+
+files_read_etc_files(rabbitmq_beam_t)
+
+miscfiles_read_localization(rabbitmq_beam_t)
+
+sysnet_dns_name_resolve(rabbitmq_beam_t)
+
+########################################
+#
+# Epmd local policy
+#
+
+
+allow rabbitmq_epmd_t self:process signal;
+allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
+allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
+allow rabbitmq_epmd_t self:unix_stream_socket { accept listen };
+
+allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms;
+
+corenet_all_recvfrom_unlabeled(rabbitmq_epmd_t)
+corenet_all_recvfrom_netlabel(rabbitmq_epmd_t)
+corenet_tcp_sendrecv_generic_if(rabbitmq_epmd_t)
+corenet_tcp_sendrecv_generic_node(rabbitmq_epmd_t)
+corenet_tcp_bind_generic_node(rabbitmq_epmd_t)
+
+corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
+corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
+corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
+
+files_read_etc_files(rabbitmq_epmd_t)
+
+logging_send_syslog_msg(rabbitmq_epmd_t)
+
+miscfiles_read_localization(rabbitmq_epmd_t)
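Review bot: the `corenet_*_amqp_*` and `corenet_*_epmd_*` calls in both local policy blocks depend on amqp and epmd port types being declared in this tree's corenetwork module; since the module is ported from Fedora, please confirm those port declarations exist here before merging, otherwise the module will not build. Two style points: the separator above "Beam local policy" is 38 characters wide while every other separator in the file is 40, and there is a doubled blank line after the "Epmd local policy" header.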
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2012-10-27 11:06 Sven Vermeulen
0 siblings, 0 replies; 101+ messages in thread
From: Sven Vermeulen @ 2012-10-27 11:06 UTC (permalink / raw
To: gentoo-commits
commit: 7f0063b12afb951c707a12b9b64f5590ec331158
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Fri Oct 26 09:27:57 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Oct 27 11:03:12 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7f0063b1
Initial firewallgui policy module
Graphical firewall management tool
Ported from Fedora with changes
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
firewallgui.fc | 1 +
firewallgui.if | 41 ++++++++++++++++++++++++++++++++
firewallgui.te | 70 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 112 insertions(+), 0 deletions(-)
diff --git a/firewallgui.fc b/firewallgui.fc
new file mode 100644
index 0000000..ef1f43d
--- /dev/null
+++ b/firewallgui.fc
@@ -0,0 +1 @@
+/usr/share/system-config-firewall/system-config-firewall-mechanism.py -- gen_context(system_u:object_r:firewallgui_exec_t,s0)
diff --git a/firewallgui.if b/firewallgui.if
new file mode 100644
index 0000000..e6866d1
--- /dev/null
+++ b/firewallgui.if
@@ -0,0 +1,41 @@
+## <summary>system-config-firewall dbus system service.</summary>
+
+########################################
+## <summary>
+## Send and receive messages from
+## firewallgui over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`firewallgui_dbus_chat',`
+ gen_require(`
+ type firewallgui_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 firewallgui_t:dbus send_msg;
+ allow firewallgui_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and
+## write firewallgui unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`firewallgui_dontaudit_rw_pipes',`
+ gen_require(`
+ type firewallgui_t;
+ ')
+
+ dontaudit $1 firewallgui_t:fifo_file rw_fifo_file_perms;
+')
diff --git a/firewallgui.te b/firewallgui.te
new file mode 100644
index 0000000..40dc5f9
--- /dev/null
+++ b/firewallgui.te
@@ -0,0 +1,70 @@
+policy_module(firewallgui, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type firewallgui_t;
+type firewallgui_exec_t;
+dbus_system_domain(firewallgui_t, firewallgui_exec_t)
+init_daemon_domain(firewallgui_t, firewallgui_exec_t)
+
+type firewallgui_tmp_t;
+files_tmp_file(firewallgui_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow firewallgui_t self:capability { net_admin sys_rawio } ;
+allow firewallgui_t self:fifo_file rw_fifo_file_perms;
+
+manage_files_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t)
+manage_dirs_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t)
+files_tmp_filetrans(firewallgui_t,firewallgui_tmp_t, { file dir })
+
+kernel_read_system_state(firewallgui_t)
+kernel_read_network_state(firewallgui_t)
+kernel_rw_net_sysctls(firewallgui_t)
+kernel_rw_kernel_sysctl(firewallgui_t)
+kernel_rw_vm_sysctls(firewallgui_t)
+
+corecmd_exec_bin(firewallgui_t)
+corecmd_exec_shell(firewallgui_t)
+
+dev_read_sysfs(firewallgui_t)
+dev_read_urand(firewallgui_t)
+
+files_list_kernel_modules(firewallgui_t)
+files_read_usr_files(firewallgui_t)
+
+auth_use_nsswitch(firewallgui_t)
+
+miscfiles_read_localization(firewallgui_t)
+
+seutil_read_config(firewallgui_t)
+
+userdom_dontaudit_search_user_home_dirs(firewallgui_t)
+
+optional_policy(`
+ consoletype_exec(firewallgui_t)
+')
+
+optional_policy(`
+ gnome_read_generic_gconf_home_content(firewallgui_t)
+')
+
+optional_policy(`
+ iptables_domtrans(firewallgui_t)
+ iptables_initrc_domtrans(firewallgui_t)
+')
+
+optional_policy(`
+ modutils_getattr_module_deps(firewallgui_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(firewallgui_t)
+')
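Review bot: `allow firewallgui_t self:capability { net_admin sys_rawio } ;` grants sys_rawio to a firewall configuration helper with no comment saying what raw device or port I/O it performs; please either document the denial that prompted it or drop it, since net_admin alone covers iptables and sysctl work. Style: that line has a stray space before the semicolon, and the three `*_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t)` / `files_tmp_filetrans(...)` calls lack the space after each comma that the rest of the file uses.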
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2012-11-06 20:21 Sven Vermeulen
0 siblings, 0 replies; 101+ messages in thread
From: Sven Vermeulen @ 2012-11-06 20:21 UTC (permalink / raw
To: gentoo-commits
commit: 7e9b47c14b7e9165bbad0274d6d11624daf46f87
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Mon Nov 5 09:58:39 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Nov 6 20:18:16 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7e9b47c1
Initial smstools policy module
SMS Server Tools for GSM modems. The SMS Server Tools make your server
into a central SMS gateway. You can send and receive SM using a simple
file-based interface.
Ported from Fedora with changes
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
smstools.fc | 13 ++++++++++
smstools.if | 49 +++++++++++++++++++++++++++++++++++++++
smstools.te | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 136 insertions(+), 0 deletions(-)
diff --git a/smstools.fc b/smstools.fc
new file mode 100644
index 0000000..8e7d825
--- /dev/null
+++ b/smstools.fc
@@ -0,0 +1,13 @@
+/etc/smsd\.conf -- gen_context(system_u:object_r:smsd_conf_t,s0)
+
+/etc/rc\.d/init\.d/((smsd)|(smstools)) -- gen_context(system_u:object_r:smsd_initrc_exec_t,s0)
+
+/usr/sbin/smsd -- gen_context(system_u:object_r:smsd_exec_t,s0)
+
+/var/lib/smstools(/.*)? gen_context(system_u:object_r:smsd_var_lib_t,s0)
+
+/var/log/smsd(/.*)? gen_context(system_u:object_r:smsd_log_t,s0)
+
+/var/run/smsd(/.*)? gen_context(system_u:object_r:smsd_var_run_t,s0)
+
+/var/spool/sms(/.*)? gen_context(system_u:object_r:smsd_spool_t,s0)
diff --git a/smstools.if b/smstools.if
new file mode 100644
index 0000000..cbfe369
--- /dev/null
+++ b/smstools.if
@@ -0,0 +1,49 @@
+## <summary> Tools to send and receive short messages through GSM modems or mobile phones.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an smstools environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`smstools_admin',`
+ gen_require(`
+ type smsd_t, smsd_initrc_exec_t, smsd_conf_t;
+ type smsd_log_t, smsd_var_lib_t, smsd_var_run_t;
+ type smsd_spool_t;
+ ')
+
+ allow $1 smsd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, smsd_t)
+
+ init_labeled_script_domtrans($1, smsd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 smsd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_config($1)
+ admin_pattern($1, smsd_conf_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, smsd_var_lib_t)
+
+ files_search_spool($1)
+ admin_pattern($1, smsd_spool_t)
+
+ files_search_pids($1)
+ admin_pattern($1, smsd_var_run_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, smsd_log_t)
+')
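Review bot: "administrate an smstools environment" should read "a smstools environment", and the module summary `## <summary> Tools to send ...` has a leading space inside the tag that the other modules do not have. The admin interface body is otherwise consistent with the pacemaker and rabbitmq ones (search plus admin_pattern for each of conf, var_lib, spool, pid and log types).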
diff --git a/smstools.te b/smstools.te
new file mode 100644
index 0000000..5ccf83c
--- /dev/null
+++ b/smstools.te
@@ -0,0 +1,74 @@
+policy_module(smstools, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type smsd_t;
+type smsd_exec_t;
+init_daemon_domain(smsd_t, smsd_exec_t)
+
+type smsd_initrc_exec_t;
+init_script_file(smsd_initrc_exec_t)
+
+type smsd_conf_t;
+files_config_file(smsd_conf_t)
+
+type smsd_log_t;
+logging_log_file(smsd_log_t)
+
+type smsd_var_lib_t;
+files_type(smsd_var_lib_t)
+
+type smsd_var_run_t;
+files_pid_file(smsd_var_run_t)
+
+type smsd_spool_t;
+files_type(smsd_spool_t)
+
+########################################
+#
+# Local policy
+#
+
+allow smsd_t self:capability { kill setgid setuid };
+allow smsd_t self:process signal;
+allow smsd_t self:fifo_file rw_fifo_file_perms;
+allow smsd_t self:unix_stream_socket { accept listen };
+
+allow smsd_t smsd_conf_t:file read_file_perms;
+
+manage_dirs_pattern(smsd_t, smsd_log_t, smsd_log_t)
+create_files_pattern(smsd_t, smsd_log_t, smsd_log_t)
+append_files_pattern(smsd_t, smsd_log_t, smsd_log_t)
+setattr_files_pattern(smsd_t, smsd_log_t, smsd_log_t)
+manage_lnk_files_pattern(smsd_t, smsd_log_t, smsd_log_t)
+logging_log_filetrans(smsd_t, smsd_log_t, { dir file })
+
+manage_dirs_pattern(smsd_t, smsd_var_lib_t, smsd_var_lib_t)
+manage_files_pattern(smsd_t, smsd_var_lib_t, smsd_var_lib_t)
+manage_lnk_files_pattern(smsd_t, smsd_var_lib_t, smsd_var_lib_t)
+
+manage_dirs_pattern(smsd_t, smsd_var_run_t, smsd_var_run_t)
+manage_files_pattern(smsd_t, smsd_var_run_t, smsd_var_run_t)
+manage_lnk_files_pattern(smsd_t, smsd_var_run_t, smsd_var_run_t)
+files_pid_filetrans(smsd_t, smsd_var_run_t, { dir file })
+
+manage_dirs_pattern(smsd_t, smsd_spool_t, smsd_spool_t)
+manage_files_pattern(smsd_t, smsd_spool_t, smsd_spool_t)
+manage_lnk_files_pattern(smsd_t, smsd_spool_t, smsd_spool_t)
+files_spool_filetrans(smsd_t, smsd_spool_t, dir)
+
+kernel_read_kernel_sysctls(smsd_t)
+kernel_read_system_state(smsd_t)
+
+corecmd_exec_shell(smsd_t)
+
+auth_use_nsswitch(smsd_t)
+
+logging_send_syslog_msg(smsd_t)
+
+optional_policy(`
+ mysql_stream_connect(smsd_t)
+')
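Review bot: `allow smsd_t smsd_conf_t:file read_file_perms;` gives read access to /etc/smsd.conf, but nothing in this file grants search on the /etc directory itself (no `files_read_etc_files` or `files_search_etc`), so unless one of the other interfaces used here supplies it, opening the config file will be denied on the directory lookup; please add the search explicitly or note which interface provides it. Separately, `allow smsd_t self:capability { kill setgid setuid };` should carry a comment on why the kill capability is needed, since signalling its own children does not require it.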
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2012-12-03 9:35 Sven Vermeulen
0 siblings, 0 replies; 101+ messages in thread
From: Sven Vermeulen @ 2012-12-03 9:35 UTC (permalink / raw
To: gentoo-commits
commit: e72fdddbcbada2737ac790ce5d375cc47927ea47
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Thu Nov 29 12:41:57 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Dec 3 09:32:38 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e72fdddb
Initial jockey policy module
Ported from Fedora with changes
Jockey driver manager
Jockey backend probes the system for available
hardware
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
jockey.fc | 6 ++++++
jockey.if | 1 +
jockey.te | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 66 insertions(+), 0 deletions(-)
diff --git a/jockey.fc b/jockey.fc
new file mode 100644
index 0000000..d57dad4
--- /dev/null
+++ b/jockey.fc
@@ -0,0 +1,6 @@
+/usr/share/jockey/jockey-backend -- gen_context(system_u:object_r:jockey_exec_t,s0)
+
+/var/cache/jockey(/.*)? gen_context(system_u:object_r:jockey_cache_t,s0)
+
+/var/log/jockey(/.*)? gen_context(system_u:object_r:jockey_var_log_t,s0)
+/var/log/jockey\.log.* -- gen_context(system_u:object_r:jockey_var_log_t,s0)
diff --git a/jockey.if b/jockey.if
new file mode 100644
index 0000000..2fb7a20
--- /dev/null
+++ b/jockey.if
@@ -0,0 +1 @@
+## <summary>Jockey driver manager.</summary>
diff --git a/jockey.te b/jockey.te
new file mode 100644
index 0000000..d59ec10
--- /dev/null
+++ b/jockey.te
@@ -0,0 +1,59 @@
+policy_module(jockey, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type jockey_t;
+type jockey_exec_t;
+init_daemon_domain(jockey_t, jockey_exec_t)
+
+type jockey_cache_t;
+files_type(jockey_cache_t)
+
+type jockey_var_log_t;
+logging_log_file(jockey_var_log_t)
+
+########################################
+#
+# Local policy
+#
+
+allow jockey_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(jockey_t, jockey_cache_t, jockey_cache_t)
+manage_files_pattern(jockey_t, jockey_cache_t, jockey_cache_t)
+manage_lnk_files_pattern(jockey_t, jockey_cache_t, jockey_cache_t)
+files_var_filetrans(jockey_t, jockey_cache_t, { dir file })
+
+manage_dirs_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
+append_files_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
+create_files_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
+setattr_files_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
+logging_log_filetrans(jockey_t, jockey_var_log_t, { file dir })
+
+kernel_read_system_state(jockey_t)
+
+corecmd_exec_bin(jockey_t)
+corecmd_exec_shell(jockey_t)
+
+dev_read_rand(jockey_t)
+dev_read_sysfs(jockey_t)
+dev_read_urand(jockey_t)
+
+domain_use_interactive_fds(jockey_t)
+
+files_read_etc_files(jockey_t)
+files_read_usr_files(jockey_t)
+
+miscfiles_read_localization(jockey_t)
+
+optional_policy(`
+ dbus_system_domain(jockey_t, jockey_exec_t)
+')
+
+optional_policy(`
+ modutils_domtrans_insmod(jockey_t)
+ modutils_read_module_config(jockey_t)
+')
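Review bot: `dbus_system_domain(jockey_t, jockey_exec_t)` together with `modutils_domtrans_insmod(jockey_t)` makes module loading reachable over the system bus, yet jockey.if in this commit declares no `jockey_dbus_chat` interface, so no other domain can actually send messages to jockey_t; either that is intended for now (say so in the commit message) or the chat interface is missing. Style: `files_var_filetrans(..., { dir file })` and `logging_log_filetrans(..., { file dir })` order the class set differently within the same file.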
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2012-12-03 21:03 Sven Vermeulen
0 siblings, 0 replies; 101+ messages in thread
From: Sven Vermeulen @ 2012-12-03 21:03 UTC (permalink / raw
To: gentoo-commits
commit: 8f1bc281bbe99c1ece6bc0b4c922ba4a99100b1a
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Dec 3 21:02:57 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Dec 3 21:02:57 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8f1bc281
Resolve merge conflict after rebase
policy/modules/system/userdomain.if | 1 -
1 files changed, 0 insertions(+), 1 deletions(-)
diff --cc policy/modules/system/userdomain.if
index 981b50a,6b5ed8f..760bab7
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@@ -3453,9 -3453,7 +3453,8 @@@ interface(`userdom_dbus_send_all_users'
allow $1 userdomain:dbus send_msg;
')
-
-ifdef(`distro_gentoo',`
+# Gentoo added stuff, but cannot use an ifdef distro_gentoo for this
+
########################################
## <summary>
## Support creation of tunable access to user content
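Review bot: the conflict resolution removes the opening `ifdef(`distro_gentoo',`` but its matching `')` closer lies outside this hunk; please confirm the closer was removed as well, otherwise the file has an unbalanced m4 block and the policy will not build. The replacement comment "Gentoo added stuff, but cannot use an ifdef distro_gentoo for this" should also say what was added and why the ifdef cannot be used (for instance, that the interfaces below are called unconditionally from other modules).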
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2012-12-08 12:41 Sven Vermeulen
0 siblings, 0 replies; 101+ messages in thread
From: Sven Vermeulen @ 2012-12-08 12:41 UTC (permalink / raw
To: gentoo-commits
commit: 98ae09b9aa4981d2b9c9ee92521c25093725efb7
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Dec 8 12:40:05 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Dec 8 12:40:05 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=98ae09b9
Merge branch 'master' of git+ssh://git.overlays.gentoo.org/proj/hardened-refpolicy
policy/modules/system/userdomain.if | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2013-01-16 19:48 Sven Vermeulen
0 siblings, 0 replies; 101+ messages in thread
From: Sven Vermeulen @ 2013-01-16 19:48 UTC (permalink / raw
To: gentoo-commits
commit: e5070153f1dca894728c49beea7031fcddc771ed
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Jan 16 19:38:38 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Jan 16 19:38:38 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e5070153
Merge branch 'master' of git+ssh://git.overlays.gentoo.org/proj/hardened-refpolicy
policy/modules/system/udev.fc | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2013-05-01 18:23 Sven Vermeulen
0 siblings, 0 replies; 101+ messages in thread
From: Sven Vermeulen @ 2013-05-01 18:23 UTC (permalink / raw
To: gentoo-commits
commit: 260446e8ef6b1f240c49482cfa7cf4f3041e14f8
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Apr 24 20:14:52 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed May 1 18:21:02 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=260446e8
Update Changelog and VERSION for release.
---
Changelog | 216 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
VERSION | 2 +-
2 files changed, 217 insertions(+), 1 deletions(-)
diff --git a/Changelog b/Changelog
index 5fcca55..85be207 100644
--- a/Changelog
+++ b/Changelog
@@ -214,3 +214,219 @@ Sven Vermeulen (27):
Introduce exec-check interfaces for passwd binaries and useradd binaries
chfn_t reads in file context information and executes nscd
+* Wed Apr 24 2013 Chris PeBenito <selinux@tresys.com> - 2.20130424
+Chris PeBenito (78):
+ Mcelog update from Guido Trentalancia.
+ Add bird contrib module from Dominick Grift.
+ Minor whitespace fix in udev.fc
+ Module version bump for udev binary location update from Sven Vermeulen.
+ clarify the file_contexts.subs_dist configuration file usage from Guido
+ Trentalancia
+ Update contrib.
+ Remove trailing / from paths
+ Module version bump for fc substitutions optimizations from Sven
+ Vermeulen.
+ Update contrib.
+ Module version bump for /run/dhcpc directory creation by dhcp from Sven
+ Vermeulen.
+ Module version bump for fc fixes in devices module from Dominick Grift.
+ Update contrib.
+ Module version bump for /dev/mei type and label from Dominick Grift.
+ Module version bump for init_daemon_run_dirs usage from Sven Vermeulen.
+ Module version bump for lost+found labeling in /var/log from Guido
+ Trentalancia.
+ Module version bump for loop-control patch.
+ Turn off all tunables by default, from Guido Trentalancia.
+ Add /usr/lib to TEST_TOOLCHAIN LD_LIBRARY_PATH.
+ Module version bump for various changes from Sven Vermeulen.
+ Module version bump for ports update from Dominick Grift.
+ Module version bump for Debian file context updates from Laurent
+ Bigonville.
+ Update contrib.
+ Update contrib.
+ split kmod fc into two lines.
+ Module version bump for kmod fc from Laurent Bigonville.
+ Module version bump for cfengine fc change from Dominick Grift.
+ Module verision bump for Debian cert file fc update from Laurent
+ Bigonville.
+ Module version bump for ipsec net sysctls reading from Miroslav Grepl.
+ Module version bump for srvloc port definition from Dominick Grift.
+ Rename cachefiles_dev_t to cachefiles_device_t.
+ Module version bump for cachefiles core support.
+ Module version bump for changes from Dominick Grift and Sven Vermeulen.
+ Module version bump for modutils patch from Dominick Grift.
+ Module version bump for dhcp6 ports, from Russell Coker.
+ Rearrange new xserver interfaces.
+ Rename new xserver interfaces.
+ Module version bump for xserver interfaces from Dominick Grift.
+ Move kernel_stream_connect() declaration.
+ Module version bump for kernel_stream_connect() from Dominick Grift.
+ Rename logging_search_all_log_dirs to logging_search_all_logs
+ Module version bump for minor logging and sysnet changes from Sven
+ Vermeulen.
+ Module version bump for dovecot libs from Mika Pflueger.
+ Rearrange interfaces in files, clock, and udev.
+ Module version bump for interfaces used by virt from Dominick Grift.
+ Module version bump for arping setcap from Dominick Grift.
+ Rearrange devices interfaces.
+ Module version bump/contrib sync.
+ Rearrange lines.
+ Module version bump for user home content fixes from Dominick Grift.
+ Rearrange files interfaces.
+ Module version bump for Gentoo openrc fixes for /run from Sven Vermeulen.
+ Update contrib.
+ Whitespace fix in miscfiles.fc.
+ Adjust man cache interface names.
+ Module version bump for man cache from Dominick Grift.
+ Module version bump for Debian ssh-keysign location from Laurent
+ Bigonville.
+ Module version bump for userdomain portion of XDG updates from Dominick
+ Grift.
+ Module version bump for iptables fc entry from Sven Vermeulen and inn log
+ from Dominick Grift.
+ Module version bump for logging and tcpdump fixes from Sven Vermeulen.
+ Move mcs_constrained() impementation.
+ Module version bump for mcs_constrained from Dominick Grift.
+ Update contrib.
+ Module version bump from Debian changes from Laurent Bigonville.
+ Module version bump for zfs labeling from Matthew Thode.
+ Module version bump for misc updates from Sven Vermeulen.
+ Update contrib.
+ Module version bump for fixes from Dominick Grift.
+ Module version bump for Debian updates from Laurent Bigonville.
+ Fix bug in userdom_delete_all_user_home_content_files() from Kohei KaiGai.
+ Update contrib
+ Fix fc_sort.c warning uncovered by recent gcc
+ Module version bump for chfn fixes from Sven Vermeulen.
+ Add swapoff fc entry.
+ Add conntrack fc entry.
+ Update contrib.
+ Update contrib
+ Archive old Changelog for log format change.
+ Bump module versions for release.
+
+Dominick Grift (40):
+ There can be more than a single watchdog interface
+ Fix a suspected typo
+ Intel® Active Management Technology
+ Declare a loop control device node type and label /dev/loop-control
+ accordingly
+ Declare port types for ports used by Fedora but use /etc/services for port
+ names rather than using fedora port names. If /etc/services does not
+ have a port name for a port used by Fedora, skip for now.
+ Remove var_log_t file context spec
+ svrloc port type declaration from slpd policy module
+ Declare a cachfiles device node type
+ Implement files_create_all_files_as() for cachefilesd
+ Restricted Xwindows user domains run windows managers in the windows
+ managers domain
+ Declare a cslistener port type for phpfpm
+ Changes to the sysnetwork policy module
+ Changes to the userdomain policy module
+ Changes to the bootloader policy module
+ Changes to the modutils policy module
+ Changes to the xserver policy module
+ Changes to various policy modules
+ Changes to the kernel policy module
+ For svirt_lxc_domain
+ For svirt_lxc_domain
+ For svirt_lxc_domain
+ For virtd lxc
+ For virtd_lxc
+ For virtd_lxc
+ For virtd lxc
+ For virtd lxc
+ For virtd
+ Arping needs setcap to cap_set_proc
+ For virtd
+ Changes to the user domain policy module
+ Samhain_admin() now requires a role for the role_transition from $1 to
+ initrc_t via samhain_initrc_exec_t
+ Changes to the user domain policy module
+ Label /var/cache/man with a private man cache type for mandb
+ Create a attribute user_home_content_type and assign it to all types that
+ are classified userdom_user_home_content()
+ These two attribute are unused
+ System logger creates innd log files with a named file transition
+ Implement mcs_constrained_type
+ Changes to the init policy module
+ Changes to the userdomain policy module
+ NSCD related changes in various policy modules
+
+Guido Trentalancia (1):
+ add lost+found filesystem labels to support NSA security guidelines
+
+Laurent Bigonville (21):
+ Add Debian locations for GDM 3
+ Add Debian location for udisks helpers
+ Add insmod_exec_t label for kmod executable
+ Add Debian location for PKI files
+ Add Debian location for ssh-keysign
+ Properly label all the ssh host keys
+ Allow udev_t domain to read files labeled as consolekit_var_run_t
+ authlogin.if: Add auth_create_pam_console_data_dirs and
+ auth_pid_filetrans_pam_var_console interfaces
+ Label /etc/rc.d/init.d/x11-common as xdm_exec_t
+ Drop /etc/rc.d/init.d/xfree86-common filecontext definition
+ Label /var/run/shm as tmpfs_t for Debian
+ Label /var/run/motd.dynamic as initrc_var_run_t
+ Label /var/run/initctl as initctl_t
+ udev.if: Call files_search_pid instead of files_search_var_lib in
+ udev_manage_pid_files
+ Label executables in /usr/lib/NetworkManager/ as bin_t
+ Add support for rsyslog
+ Label var_lock_t as a mountpoint
+ Add mount_var_run_t type and allow mount_t domain to manage the files and
+ directories
+ Add initrc_t to use block_suspend capability
+ Label executables under /usr/lib/gnome-settings-daemon/ as bin_t
+ Label nut drivers that are installed in /lib/nut on Debian as bin_t
+
+Matthew Thode (1):
+ Implement zfs support
+
+Mika Pflüger (2):
+ Debian locations of gvfs and kde4 libexec binaries in /usr/lib
+ Explicitly label dovecot libraries lib_t for debian
+
+Miroslav Grepl (1):
+ Allow ipsec to read kernel sysctl
+
+Paul Moore (1):
+ flask: add the attach_queue permission to the tun_socket object class
+
+Russell Coker (1):
+ Label port 5546 as dhcpc_port_t and allow dhcpc_t to bind to TCP for
+ client control
+
+Sven Vermeulen (27):
+ New location for udevd binary
+ Use substititions for /usr/local/lib and /etc/init.d
+ DHCP client's hooks create /run/dhcpc directory
+ Introduce init_daemon_run_dir transformation
+ Use the init_daemon_run_dir interface for udev
+ Allow initrc_t to create run dirs for core modules
+ Puppet uses mount output for verification
+ Allow syslogd to create /var/lib/syslog and
+ /var/lib/misc/syslog-ng.persist
+ Gentoo's openrc does not require initrc_exec_t for runscripts anymore
+ Allow init scripts to read courier configuration
+ Allow search within postgresql var directory for the stream connect
+ interface
+ Introduce logging_getattr_all_logs interface
+ Introduce logging_search_all_log_dirs interface
+ Support flushing routing cache
+ Allow init to set attributes on device_t
+ Introduce files_manage_all_pids interface
+ Gentoo openrc migrates /var/run and /var/lock data to /run(/lock)
+ Update files_manage_generic_locks with directory permissions
+ Run ipset in iptables domain
+ tcpdump chroots into /var/lib/tcpdump
+ Remove generic log label for cron location
+ Postgresql 9.2 connects to its unix stream socket
+ lvscan creates the /run/lock/lvm directory if nonexisting (v2)
+ Allow syslogger to manage cron log files (v2)
+ Allow initrc_t to read stunnel configuration
+ Introduce exec-check interfaces for passwd binaries and useradd binaries
+ chfn_t reads in file context information and executes nscd
+
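Review bot: the shortlog-style entries in this hunk copy commit subjects verbatim, so spelling slips in those subjects now land in the release Changelog: "Module verision bump for Debian cert file fc update", "Move mcs_constrained() impementation.", "Declare a cachfiles device node type" and "Use substititions for /usr/local/lib and /etc/init.d". Since the file is generated from git history, the practical fix is to hand-correct these four entries before tagging, or accept them and catch spelling in review of future commit subjects. A second readability point: "Introduce logging_search_all_log_dirs interface" and "Rename logging_search_all_log_dirs to logging_search_all_logs" both appear under the same release, so a reader gets no single line naming the interface that actually ships; a one-line remark under the release header that only logging_search_all_logs exists in the new version would help policy writers upgrading from the previous release.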
diff --git a/VERSION b/VERSION
index 37b3df8..d060af8 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.20120725
+2.20130424
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2013-05-01 18:23 Sven Vermeulen
From: Sven Vermeulen @ 2013-05-01 18:23 UTC
To: gentoo-commits
commit: f71f05b9435fb78d1b6929d2d146e8381d8f4da6
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed May 1 18:15:23 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed May 1 18:15:23 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f71f05b9
Archive old Changelog for log format change
---
Changelog | 1162 ++++++++------------------------------------
Changelog => Changelog.old | 4 +
2 files changed, 219 insertions(+), 947 deletions(-)
diff --git a/Changelog b/Changelog
index 0090893..5fcca55 100644
--- a/Changelog
+++ b/Changelog
@@ -1,948 +1,216 @@
-* Wed Jul 25 2012 Chris PeBenito <selinux@tresys.com> - 2.20120725
-- Rename epollwakeup capability2 permission to block_suspend to match the
- corresponding kernel capability rename.
-- Udev and init changes to support /run, from Sven Vermeulen.
-- auth_use_nsswitch updates from Miroslav Grepl.
-- Mount runtime files fix from Guido Trentalancia.
-- Update Python scripts to support Python 3, from Sven Vermeulen.
-- Update capability2 object class for new wake_alarm and epollwakeup
- capabilities.
-- SEPostgresql updates from Kohei KaiGai.
-- Simplify file contexts based on file context path substitutions, from Sven
- Vermeulen.
-- Add optional name for kernel and system filetrans interfaces.
-- Non-auth file attribute to eliminate set expressions, from James Carter.
-- Virt updates from Sven Vermeulen.
-- Various dontaudits from Sven Vermeulen.
-- Fix base module and monolithic role declaration ordering issue now that
- role declarations must be explicit, from Harry Ciao.
-- Added contrib modules:
- bacula (Stan Sander/Sven Vermeulen)
- bcfg2 (Miroslav Grepl)
- blueman (Miroslav Grepl)
+* Wed Apr 24 2013 Chris PeBenito <selinux@tresys.com> - 2.20130424
+Chris PeBenito (78):
+ Mcelog update from Guido Trentalancia.
+ Add bird contrib module from Dominick Grift.
+ Minor whitespace fix in udev.fc
+ Module version bump for udev binary location update from Sven Vermeulen.
+ clarify the file_contexts.subs_dist configuration file usage from Guido
+ Trentalancia
+ Update contrib.
+ Remove trailing / from paths
+ Module version bump for fc substitutions optimizations from Sven
+ Vermeulen.
+ Update contrib.
+ Module version bump for /run/dhcpc directory creation by dhcp from Sven
+ Vermeulen.
+ Module version bump for fc fixes in devices module from Dominick Grift.
+ Update contrib.
+ Module version bump for /dev/mei type and label from Dominick Grift.
+ Module version bump for init_daemon_run_dirs usage from Sven Vermeulen.
+ Module version bump for lost+found labeling in /var/log from Guido
+ Trentalancia.
+ Module version bump for loop-control patch.
+ Turn off all tunables by default, from Guido Trentalancia.
+ Add /usr/lib to TEST_TOOLCHAIN LD_LIBRARY_PATH.
+ Module version bump for various changes from Sven Vermeulen.
+ Module version bump for ports update from Dominick Grift.
+ Module version bump for Debian file context updates from Laurent
+ Bigonville.
+ Update contrib.
+ Update contrib.
+ split kmod fc into two lines.
+ Module version bump for kmod fc from Laurent Bigonville.
+ Module version bump for cfengine fc change from Dominick Grift.
+ Module verision bump for Debian cert file fc update from Laurent
+ Bigonville.
+ Module version bump for ipsec net sysctls reading from Miroslav Grepl.
+ Module version bump for srvloc port definition from Dominick Grift.
+ Rename cachefiles_dev_t to cachefiles_device_t.
+ Module version bump for cachefiles core support.
+ Module version bump for changes from Dominick Grift and Sven Vermeulen.
+ Module version bump for modutils patch from Dominick Grift.
+ Module version bump for dhcp6 ports, from Russell Coker.
+ Rearrange new xserver interfaces.
+ Rename new xserver interfaces.
+ Module version bump for xserver interfaces from Dominick Grift.
+ Move kernel_stream_connect() declaration.
+ Module version bump for kernel_stream_connect() from Dominick Grift.
+ Rename logging_search_all_log_dirs to logging_search_all_logs
+ Module version bump for minor logging and sysnet changes from Sven
+ Vermeulen.
+ Module version bump for dovecot libs from Mika Pflueger.
+ Rearrange interfaces in files, clock, and udev.
+ Module version bump for interfaces used by virt from Dominick Grift.
+ Module version bump for arping setcap from Dominick Grift.
+ Rearrange devices interfaces.
+ Module version bump/contrib sync.
+ Rearrange lines.
+ Module version bump for user home content fixes from Dominick Grift.
+ Rearrange files interfaces.
+ Module version bump for Gentoo openrc fixes for /run from Sven Vermeulen.
+ Update contrib.
+ Whitespace fix in miscfiles.fc.
+ Adjust man cache interface names.
+ Module version bump for man cache from Dominick Grift.
+ Module version bump for Debian ssh-keysign location from Laurent
+ Bigonville.
+ Module version bump for userdomain portion of XDG updates from Dominick
+ Grift.
+ Module version bump for iptables fc entry from Sven Vermeulen and inn log
+ from Dominick Grift.
+ Module version bump for logging and tcpdump fixes from Sven Vermeulen.
+ Move mcs_constrained() impementation.
+ Module version bump for mcs_constrained from Dominick Grift.
+ Update contrib.
+ Module version bump from Debian changes from Laurent Bigonville.
+ Module version bump for zfs labeling from Matthew Thode.
+ Module version bump for misc updates from Sven Vermeulen.
+ Update contrib.
+ Module version bump for fixes from Dominick Grift.
+ Module version bump for Debian updates from Laurent Bigonville.
+ Fix bug in userdom_delete_all_user_home_content_files() from Kohei KaiGai.
+ Update contrib
+ Fix fc_sort.c warning uncovered by recent gcc
+ Module version bump for chfn fixes from Sven Vermeulen.
+ Add swapoff fc entry.
+ Add conntrack fc entry.
+ Update contrib.
+ Update contrib
+ Archive old Changelog for log format change.
+ Bump module versions for release.
+
+Dominick Grift (40):
+ There can be more than a single watchdog interface
+ Fix a suspected typo
+ Intel® Active Management Technology
+ Declare a loop control device node type and label /dev/loop-control
+ accordingly
+ Declare port types for ports used by Fedora but use /etc/services for port
+ names rather than using fedora port names. If /etc/services does not
+ have a port name for a port used by Fedora, skip for now.
+ Remove var_log_t file context spec
+ svrloc port type declaration from slpd policy module
+ Declare a cachfiles device node type
+ Implement files_create_all_files_as() for cachefilesd
+ Restricted Xwindows user domains run windows managers in the windows
+ managers domain
+ Declare a cslistener port type for phpfpm
+ Changes to the sysnetwork policy module
+ Changes to the userdomain policy module
+ Changes to the bootloader policy module
+ Changes to the modutils policy module
+ Changes to the xserver policy module
+ Changes to various policy modules
+ Changes to the kernel policy module
+ For svirt_lxc_domain
+ For svirt_lxc_domain
+ For svirt_lxc_domain
+ For virtd lxc
+ For virtd_lxc
+ For virtd_lxc
+ For virtd lxc
+ For virtd lxc
+ For virtd
+ Arping needs setcap to cap_set_proc
+ For virtd
+ Changes to the user domain policy module
+ Samhain_admin() now requires a role for the role_transition from $1 to
+ initrc_t via samhain_initrc_exec_t
+ Changes to the user domain policy module
+ Label /var/cache/man with a private man cache type for mandb
+ Create a attribute user_home_content_type and assign it to all types that
+ are classified userdom_user_home_content()
+ These two attribute are unused
+ System logger creates innd log files with a named file transition
+ Implement mcs_constrained_type
+ Changes to the init policy module
+ Changes to the userdomain policy module
+ NSCD related changes in various policy modules
+
+Guido Trentalancia (1):
+ add lost+found filesystem labels to support NSA security guidelines
+
+Laurent Bigonville (21):
+ Add Debian locations for GDM 3
+ Add Debian location for udisks helpers
+ Add insmod_exec_t label for kmod executable
+ Add Debian location for PKI files
+ Add Debian location for ssh-keysign
+ Properly label all the ssh host keys
+ Allow udev_t domain to read files labeled as consolekit_var_run_t
+ authlogin.if: Add auth_create_pam_console_data_dirs and
+ auth_pid_filetrans_pam_var_console interfaces
+ Label /etc/rc.d/init.d/x11-common as xdm_exec_t
+ Drop /etc/rc.d/init.d/xfree86-common filecontext definition
+ Label /var/run/shm as tmpfs_t for Debian
+ Label /var/run/motd.dynamic as initrc_var_run_t
+ Label /var/run/initctl as initctl_t
+ udev.if: Call files_search_pid instead of files_search_var_lib in
+ udev_manage_pid_files
+ Label executables in /usr/lib/NetworkManager/ as bin_t
+ Add support for rsyslog
+ Label var_lock_t as a mountpoint
+ Add mount_var_run_t type and allow mount_t domain to manage the files and
+ directories
+ Add initrc_t to use block_suspend capability
+ Label executables under /usr/lib/gnome-settings-daemon/ as bin_t
+ Label nut drivers that are installed in /lib/nut on Debian as bin_t
+
+Matthew Thode (1):
+ Implement zfs support
+
+Mika Pflüger (2):
+ Debian locations of gvfs and kde4 libexec binaries in /usr/lib
+ Explicitly label dovecot libraries lib_t for debian
+
+Miroslav Grepl (1):
+ Allow ipsec to read kernel sysctl
+
+Paul Moore (1):
+ flask: add the attach_queue permission to the tun_socket object class
+
+Russell Coker (1):
+ Label port 5546 as dhcpc_port_t and allow dhcpc_t to bind to TCP for
+ client control
+
+Sven Vermeulen (27):
+ New location for udevd binary
+ Use substititions for /usr/local/lib and /etc/init.d
+ DHCP client's hooks create /run/dhcpc directory
+ Introduce init_daemon_run_dir transformation
+ Use the init_daemon_run_dir interface for udev
+ Allow initrc_t to create run dirs for core modules
+ Puppet uses mount output for verification
+ Allow syslogd to create /var/lib/syslog and
+ /var/lib/misc/syslog-ng.persist
+ Gentoo's openrc does not require initrc_exec_t for runscripts anymore
+ Allow init scripts to read courier configuration
+ Allow search within postgresql var directory for the stream connect
+ interface
+ Introduce logging_getattr_all_logs interface
+ Introduce logging_search_all_log_dirs interface
+ Support flushing routing cache
+ Allow init to set attributes on device_t
+ Introduce files_manage_all_pids interface
+ Gentoo openrc migrates /var/run and /var/lock data to /run(/lock)
+ Update files_manage_generic_locks with directory permissions
+ Run ipset in iptables domain
+ tcpdump chroots into /var/lib/tcpdump
+ Remove generic log label for cron location
+ Postgresql 9.2 connects to its unix stream socket
+ lvscan creates the /run/lock/lvm directory if nonexisting (v2)
+ Allow syslogger to manage cron log files (v2)
+ Allow initrc_t to read stunnel configuration
+ Introduce exec-check interfaces for passwd binaries and useradd binaries
+ chfn_t reads in file context information and executes nscd
-* Wed Feb 15 2012 Chris PeBenito <selinux@tresys.com> - 2.20120215
-- Sshd usage of mkhomedir_helper via oddjob, from Sven Vermeulen.
-- Add slim and lxdm file contexts to xserver, from Sven Vermeulen.
-- Add userdom interfaces for user application domains, user tmp files,
- and user tmpfs files.
-- Asterisk administration fixes from Sven Vermeulen.
-- Fix makefiles to install files with the correct DAC permissions if the
- umask is not 022.
-- Remove deprecated support macros.
-- Remove rolemap and per-role template support.
-- Change corenetwork port declaration to apply the reserved port type
- attribute only, when the type has ports above and below 1024.
-- Change secure_mode_policyload to disable only toggling of this Boolean
- rather than disabling all Boolean toggling permissions.
-- Use role attributes to assist with domain transitions in interactive
- programs.
-- Milter ports patch from Paul Howarth.
-- Separate portage fetch rules out of portage_run() and portage_domtrans()
- from Sven Vermeulen.
-- Enhance corenetwork network_port() macro to support ports that do not have
- a well defined port number, such as stunnel.
-- Opendkim support in dkim module from Paul Howarth.
-- Wireshark updates from Sven Vermeulen.
-- Change secure_mode_insmod to control sys_module capability rather than
- controlling domain transitions to insmod.
-- Openrc and portage updates from Sven Vermeulen.
-- Allow user and role changes on dynamic transitions with the same
- constraints as regular transitions.
-- New git service features from Dominick Grift.
-- Corenetwork policy size optimization from Dan Walsh.
-- Silence spurious udp_socket listen denials.
-- Fix unexpanded MLS/MCS fields in monolithic seusers file.
-- Type transition fix in Postgresql database objects from KaiGai Kohei.
-- Support for file context path substitutions (file_contexts.subs).
-- Added contrib modules:
- glance (Dan Walsh)
- rhsmcertd (Dan Walsh)
- sanlock (Dan Walsh)
- sblim (Dan Walsh)
- uuidd (Dan Walsh)
- vdagent (Dan Walsh)
-
-* Tue Jul 26 2011 Chris PeBenito <selinux@tresys.com> - 2.20110726
-- Fix role declarations to handle role attribute compilers.
-- Rename audioentropy module to entropyd due to haveged support.
-- Add haveged support from Sven Vermeulen.
-- Authentication file patch from Matthew Ife.
-- Add agent support to zabbix from Sven Vermeulen.
-- Cyrus file context update for Gentoo from Corentin Labbe.
-- Portage updates from Sven Vermeulen.
-- Fix init_system_domain() description, pointed out by Elia Pinto.
-- Postgresql selabel_lookup update from KaiGai Kohei.
-- Dovecot managesieve support from Mika Pfluger.
-- Semicolon after interface/template calls cleanup from Elia Pinto.
-- Gentoo courier updates from Sven Vermeulen.
-- Amavis patch for connecting to nslcd from Miroslav Grepl.
-- Shorewall patch from Miroslav Grepl.
-- Cpufreqselector dbus patch from Guido Trentalancia.
-- Cron pam_namespace and pam_loginuid support from Harry Ciao.
-- Xserver update for startx from Sven Vermeulen.
-- Fix MLS constraint for contains permission from Harry Ciao.
-- Apache user webpages fix from Dominick Grift.
-- Change default build.conf to modular policy from Stephen Smalley.
-- Xen refinement patch from Stephen Smalley.
-- Sudo timestamp file location update from Sven Vermeulen.
-- XServer keyboard event patch from Sven Vermeulen.
-- RAID uevent patch from Sven Vermeulen.
-- Gentoo ALSA init script usage patch from Sven Vermeulen.
-- LVM semaphore usage patch from Sven Vermeulen.
-- Module load request patch for insmod from Sven Vermeulen.
-- Cron default contexts fix from Harry Ciao.
-- Man page fixes from Justin Mattock.
-- Add syslog capability.
-- Support for logging in to /dev/console, from Harry Ciao.
-- Database object class updates and associated SEPostgreSQL changes from
- KaiGai Kohei.
-- IPSEC SPD and Hadoop IPSEC updates from Paul Nuzzi.
-- Mount updates from Harry Ciao.
-- Semanage update for MLS systems from Harry Ciao.
-- Vlock terminal use update from Harry Ciao.
-- Hadoop CDH3 updates from Paul Nuzzi.
-- Add sepgsql_contexts appconfig files from KaiGai Kohei.
-- Added modules:
- aiccu
- bugzilla (Dan Walsh)
- colord (Dan Walsh)
- cmirrord (Miroslav Grepl)
- mediawiki (Miroslav Grepl)
- mpd (Miroslav Grepl)
- ncftool
- passenger (Miroslav Grepl)
- qpid (Dan Walsh)
- samhain (Harry Ciao)
- telepathy (Dominick Grift)
- tcsd (Stephen Smalley)
- vnstatd (Dan Walsh)
- zarafa (Miroslav Grepl)
-
-* Mon Dec 13 2010 Chris PeBenito <selinux@tresys.com> - 2.20101213
-- Git man page from Dominick Grift.
-- Alsa and oident home content cleanup from Dominick Grift.
-- Add support for custom build options.
-- Unconditional staff and user oidentd home config access from Dominick Grift.
-- Conditional mmap_zero support from Dominick Grift.
-- Added devtmpfs support.
-- Dbadm updates from KaiGai Kohei.
-- Virtio disk file context update from Mika Pfluger.
-- Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh.
-- Add JIT usage for freshclam.
-- Remove ethereal module since the application was renamed to wireshark.
-- Remove duplicate/redundant rules, from Russell Coker.
-- Increased default number of categories to 1024, from Russell Coker.
-- Added modules:
- accountsd (Dan Walsh)
- cgroup (Dominick Grift)
- hadoop (Paul Nuzzi)
- kdumpgui (Dan Walsh)
- livecd (Dan Walsh)
- mojomojo (Iain Arnell)
- sambagui (Dan Walsh)
- shutdown (Dan Walsh)
- sosreport (Dan Walsh)
- vlock (Harry Ciao)
-
-* Mon May 24 2010 Chris PeBenito <selinux@tresys.com> - 2.20100524
-- Merged a significant portion of Fedora policy.
-- Move rules from mta mailserver delivery from interface to .te to use
- attributes.
-- Remove concept of users from terminal module interfaces since the
- attributes are not specific to users.
-- Add non-drawing X client support, for consolekit usage.
-- Misc Gentoo fixes from Chris Richards.
-- AFS and abrt fixes from Dominick Grift.
-- Improved the XML docs of 55 most-used interfaces.
-- Apcupsd and amavis fixes from Dominick Grift.
-- Fix network_port() in corenetwork to correctly handle port ranges.
-- SE-Postgresql updates from KaiGai Kohei.
-- X object manager revisions from Eamon Walsh.
-- Added modules:
- aisexec (Dan Walsh)
- chronyd (Miroslav Grepl)
- cobbler (Dominick Grift)
- corosync (Dan Walsh)
- dbadm (KaiGai Kohei)
- denyhosts (Dan Walsh)
- nut (Stefan Schulze Frielinghaus, Miroslav Grepl)
- likewise (Scott Salley)
- plymouthd (Dan Walsh)
- pyicqt (Stefan Schulze Frielinghaus)
- rhcs (Dan Walsh)
- rgmanager (Dan Walsh)
- sectoolm (Miroslav Grepl)
- usbmuxd (Dan Walsh)
- vhostmd (Dan Walsh)
-
-* Tue Nov 17 2009 Chris PeBenito <selinux@tresys.com> - 2.20091117
-- Add separate x_pointer and x_keyboard classes inheriting from x_device.
- From Eamon Walsh.
-- Deprecated the userdom_xwindows_client_template().
-- Misc Gentoo fixes from Corentin Labbe.
-- Debian policykit fixes from Martin Orr.
-- Fix unconfined_r use of unconfined_java_t.
-- Add missing x_device rules for XI2 functions, from Eamon Walsh.
-- Add missing rules to make unconfined_cronjob_t a valid cron job domain.
-- Add btrfs and ext4 to labeling targets.
-- Fix infrastructure to expand macros in initrc_context when installing.
-- Handle unix_chkpwd usage by useradd and groupadd.
-- Add missing compatibility aliases for xdm_xserver*_t types.
-- Added modules:
- abrt (Dan Walsh)
- dkim (Stefan Schulze Frielinghaus)
- gitosis (Miroslav Grepl)
- gnomeclock (Dan Walsh)
- hddtemp (Dan Walsh)
- kdump (Dan Walsh)
- modemmanager(Dan Walsh)
- nslcd (Dan Walsh)
- puppet (Craig Grube)
- rtkit (Dan Walsh)
- seunshare (Dan Walsh)
- shorewall (Dan Walsh)
- tgtd (Matthew Ife)
- tuned (Miroslav Grepl)
- xscreensaver (Corentin Labbe)
-
-* Thu Jul 30 2009 Chris PeBenito <selinux@tresys.com> - 2.20090730
-- Gentoo fixes for init scripts and system startup.
-- Remove read_default_t tunable.
-- Greylist milter from Paul Howarth.
-- Crack db access for su to handle password expiration, from Brandon Whalen.
-- Misc fixes for unix_update from Brandon Whalen.
-- Add x_device permissions for XI2 functions, from Eamon Walsh.
-- MLS constraints for the x_selection class, from Eamon Walsh.
-- Postgresql updates from KaiGai Kohei.
-- Milter state directory patch from Paul Howarth.
-- Add MLS constrains for ingress/egress and secmark from Paul Moore.
-- Drop write permission from fs_read_rpc_sockets().
-- Remove unused udev_runtime_t type.
-- Patch for RadSec port from Glen Turner.
-- Enable network_peer_controls policy capability from Paul Moore.
-- Btrfs xattr support from Paul Moore.
-- Add db_procedure install permission from KaiGai Kohei.
-- Add support for network interfaces with access controlled by a Boolean
- from the CLIP project.
-- Several fixes from the CLIP project.
-- Add support for labeled Booleans.
-- Remove node definitions and change node usage to generic nodes.
-- Add kernel_service access vectors, from Stephen Smalley.
-- Added modules:
- certmaster (Dan Walsh)
- cpufreqselector (Dan Walsh)
- devicekit (Dan Walsh)
- fprintd (Dan Walsh)
- git (Dan Walsh)
- gpsd (Miroslav Grepl)
- guest (Dan Walsh)
- ifplugd (Dan Walsh)
- lircd (Miroslav Grepl)
- logadm (Dan Walsh)
- pads (Dan Walsh)
- pingd (Dan Walsh)
- policykit (Dan Walsh)
- pulseaudio (Dan Walsh)
- psad (Dan Walsh)
- portreserve (Dan Walsh)
- sssd (Dan Walsh)
- ulogd (Dan Walsh)
- varnishd (Dan Walsh)
- webadm (Dan Walsh)
- wm (Dan Walsh)
- xguest (Dan Walsh)
- zosremote (Dan Walsh)
-
-* Wed Dec 10 2008 Chris PeBenito <selinux@tresys.com> - 2.20081210
-- Fix consistency of audioentropy and iscsi module naming.
-- Debian file context fix for xen from Russell Coker.
-- Xserver MLS fix from Eamon Walsh.
-- Add omapi port for dhcpcd.
-- Deprecate per-role templates and rolemap support.
-- Implement user-based access control for use as role separations.
-- Move shared library calls from individual modules to the domain module.
-- Enable open permission checks policy capability.
-- Remove hierarchy from portage module as it is not a good example of
- hieararchy.
-- Remove enableaudit target from modular build as semodule -DB supplants it.
-- Added modules:
- milter (Paul Howarth)
-
-* Tue Oct 14 2008 Chris PeBenito <selinux@tresys.com> - 20081014
-- Debian update for NetworkManager/wpa_supplicant from Martin Orr.
-- Logrotate and Bind updates from Vaclav Ovsik.
-- Init script file and domain support.
-- Glibc 2.7 fix from Vaclav Ovsik.
-- Samba/winbind update from Mike Edenfield.
-- Policy size optimization with a non-security file attribute from James
- Carter.
-- Database labeled networking update from KaiGai Kohei.
-- Several misc changes from the Fedora policy, cherry picked by David
- Hardeman.
-- Large whitespace fix from Dominick Grift.
-- Pam_mount fix for local login from Stefan Schulze Frielinghaus.
-- Issuing commands to upstart is over a datagram socket, not the initctl
- named pipe. Updated init_telinit() to match.
-- Added modules:
- cyphesis (Dan Walsh)
- memcached (Dan Walsh)
- oident (Dominick Grift)
- w3c (Dan Walsh)
-
-* Wed Jul 02 2008 Chris PeBenito <selinux@tresys.com> - 20080702
-- Fix httpd_enable_homedirs to actually provide the access it is supposed to
- provide.
-- Add unused interface/template parameter metadata in XML.
-- Patch to handle postfix data_directory from Vaclav Ovsik.
-- SE-Postgresql policy from KaiGai Kohei.
-- Patch for X.org dbus support from Martin Orr.
-- Patch for labeled networking controls in 2.6.25 from Paul Moore.
-- Module loading now requires setsched on kernel threads.
-- Patch to allow gpg agent --write-env-file option from Vaclav Ovsik.
-- X application data class from Eamon Walsh and Ted Toth.
-- Move user roles into individual modules.
-- Make hald_log_t a log file.
-- Cryptsetup runs shell scripts. Patch from Martin Orr.
-- Add file for enabling policy capabilities.
-- Patch to fix leaky interface/template call depth calculator from Vaclav
- Ovsik.
-- Added modules:
- kerneloops (Dan Walsh)
- kismet (Dan Walsh)
- podsleuth (Dan Walsh)
- prelude (Dan Walsh)
- qemu (Dan Walsh)
- virt (Dan Walsh)
-
-* Wed Apr 02 2008 Chris PeBenito <selinux@tresys.com> - 20080402
-- Add core Security Enhanced X Windows support.
-- Fix winbind socket connection interface for default location of the
- sock_file.
-- Add wireshark module based on ethereal module.
-- Revise upstart support in init module to use a tunable, as upstart is now
- used in Fedora too.
-- Add iferror.m4 rather generate it out of the Makefiles.
-- Definitions for open permisson on file and similar objects from Eric
- Paris.
-- Apt updates for ptys and logs, from Martin Orr.
-- RPC update from Vaclav Ovsik.
-- Exim updates on Debian from Devin Carrawy.
-- Pam and samba updates from Stefan Schulze Frielinghaus.
-- Backup update on Debian from Vaclav Ovsik.
-- Cracklib update on Debian from Vaclav Ovsik.
-- Label /proc/kallsyms with system_map_t.
-- 64-bit capabilities from Stephen Smalley.
-- Labeled networking peer object class updates.
-
-* Fri Dec 14 2007 Chris PeBenito <selinux@tresys.com> - 20071214
-- Patch for debian logrotate to handle syslogd-listfiles, from Vaclav Ovsik.
-- Improve several tunables descriptions from Dan Walsh.
-- Patch to clean up ns switch usage in the policy from Dan Walsh.
-- More complete labeled networking infrastructure from KaiGai Kohei.
-- Add interface for libselinux constructor, for libselinux-linked
- SELinux-enabled programs.
-- Patch to restructure user role templates to create restricted user roles
- from Dan Walsh.
-- Russian man page translations from Andrey Markelov.
-- Remove unused types from dbus.
-- Add infrastructure for managing all user web content.
-- Deprecate some old file and dir permission set macros in favor of the
- newer, more consistently-named macros.
-- Patch to clean up unescaped periods in several file context entries from
- Jan-Frode Myklebust.
-- Merge shlib_t into lib_t.
-- Merge strict and targeted policies. The policy will now behave like the
- strict policy if the unconfined module is not present. If it is, it will
- behave like the targeted policy. Added an unconfined role to have a mix
- of confined and unconfined users.
-- Added modules:
- exim (Dan Walsh)
- postfixpolicyd (Jan-Frode Myklebust)
-
-* Fri Sep 28 2007 Chris PeBenito <selinux@tresys.com> - 20070928
-- Add support for setting the unknown permissions handling.
-- Fix XML building for external reference builds and headers builds.
-- Patch to add missing requirements in userdomain interfaces from Shintaro
- Fujiwara.
-- Add tcpd_wrapped_domain() for services that use tcp wrappers.
-- Update MLS constraints from LSPP evaluated policy.
-- Allow initrc_t file descriptors to be inherited regardless of MLS level.
- Accordingly drop MLS permissions from daemons that inherit from any level.
-- Files and radvd updates from Stefan Schulze Frielinghaus.
-- Deprecate mls_file_write_down() and mls_file_read_up(), replaced with
- mls_write_all_levels() and mls_read_all_levels(), for consistency.
-- Add make kernel and init ranged interfaces pass the range transition MLS
- constraints. Also remove calls to mls_rangetrans_target() in modules that use
- the kernel and init interfaces, since its redundant.
-- Add interfaces for all MLS attributes except X object classes.
-- Require all sensitivities and categories for MLS and MCS policies, not just
- the low and high sensitivity and category.
-- Database userspace object manager classes from KaiGai Kohei.
-- Add third-party interface for Apache CGI.
-- Add getserv and shmemserv nscd permissions.
-- Add debian apcupsd binary location, from Stefan Schulze Frielinghaus.
-- Added modules:
- application
- awstats (Stefan Schulze Frielinghaus)
- bitlbee (Devin Carraway)
- brctl (Dan Walsh)
-
-* Fri Jun 29 2007 Chris PeBenito <selinux@tresys.com> - 20070629
-- Fix incorrectly named files_lib_filetrans_shared_lib() interface in the
- libraries module.
-- Unified labeled networking policy from Paul Moore.
-- Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.
-- Xen updates from Dan Walsh.
-- Filesystem updates from Dan Walsh.
-- Large samba update from Dan Walsh.
-- Drop snmpd_etc_t.
-- Confine sendmail and logrotate on targeted.
-- Tunable connection to postgresql for users from KaiGai Kohei.
-- Memprotect support patch from Stephen Smalley.
-- Add logging_send_audit_msgs() interface and deprecate
- send_audit_msgs_pattern().
-- Openct updates patch from Dan Walsh.
-- Merge restorecon into setfiles.
-- Patch to begin separating out hald helper programs from Dan Walsh.
-- Fixes for squid, dovecot, and snmp from Dan Walsh.
-- Miscellaneous consolekit fixes from Dan Walsh.
-- Patch to have avahi use the nsswitch interface rather than individual
- permissions from Dan Walsh.
-- Patch to dontaudit logrotate searching avahi pid directory from Dan Walsh.
-- Patch to allow insmod to mount kvmfs and dontaudit rw unconfined_t pipes
- to handle usage from userhelper from Dan Walsh.
-- Patch to allow amavis to read spamassassin libraries from Dan Walsh.
-- Patch to allow slocate to getattr other filesystems and directories on those
- filesystems from Dan Walsh.
-- Fixes for RHEL4 from the CLIP project.
-- Replace the old lrrd fc entries with munin ones.
-- Move program admin template usage out of userdom_admin_user_template() to
- sysadm policy in userdomain.te to fix usage of the template for third
- parties.
-- Fix clockspeed_run_cli() declaration, it was incorrectly defined as a
- template instead of an interface.
-- Added modules:
- amtu (Dan Walsh)
- apcupsd (Dan Walsh)
- rpcbind (Dan Walsh)
- rwho (Nalin Dahyabhai)
-
-* Tue Apr 17 2007 Chris PeBenito <selinux@tresys.com> - 20070417
-- Patch for sasl's use of kerberos from Dan Walsh.
-- Patches to confine ldconfig, udev, and insmod in the targeted policy from Dan Walsh.
-- Man page updates from Dan Walsh.
-- Two patches from Paul Moore to for ipsec to remove redundant rules and
- have setkey read the config file.
-- Move booleans and tunables to modules when it is only used in a single
- module.
-- Add support for tunables and booleans local to a module.
-- Merge sbin_t and ls_exec_t into bin_t.
-- Remove disable_trans booleans.
-- Output different header sets for kernel and userland from flask headers.
-- Marked the pax class as deprecated, changed it to userland so
- it will be removed from the kernel.
-- Stop including netfilter contexts by default.
-- Add dontaudits for init fds and console to init_daemon_domain().
-- Patch to allow gpg to create user keys dir.
-- Patch to support kvmfs from Dan Walsh.
-- Patch for misc fixes in sudo from Dan Walsh.
-- Patch to fix netlabel recvfrom MLS constraint from Paul Moore.
-- Patch for handling restart of nscd when ran from useradd, groupadd, and
- admin passwd, from Dan Walsh.
-- Patch for procmail, spamassassin, and pyzor updates from Dan Walsh.
-- Patch for setroubleshoot for validating file contexts from Dan Walsh.
-- Patch for gssd fixes from Dan Walsh.
-- Patch for lvm fixes from Dan Walsh.
-- Patch for ricci fixes from Dan Walsh.
-- Patch for postfix lmtp labeling and pickup rule fix from Dan Walsh.
-- Patch for kerberized telnet fixes from Dan Walsh.
-- Patch for kerberized ftp and other ftp fixes from Dan Walsh.
-- Patch for an additional wine executable from Dan Walsh.
-- Eight patches for file contexts in games, wine, networkmanager, miscfiles,
- corecommands, devices, and java from Dan Walsh.
-- Add support for libselinux 2.0.5 init_selinuxmnt() changes.
-- Patch for misc fixes to bluetooth from Dan Walsh.
-- Patch for misc fixes to kerberos from Dan Walsh.
-- Patch to start deprecating usercanread attribute from Ryan Bradetich.
-- Add dccp_socket object class which was added in kernel 2.6.20.
-- Patch for prelink relabefrom it's temp files from Dan Walsh.
-- Patch for capability fix for auditd and networking fix for syslogd from
- Dan Walsh.
-- Patch to remove redundant mls_trusted_object() call from Dan Walsh.
-- Patch for misc fixes to nis ypxfr policy from Dan Walsh.
-- Patch to allow apmd to telinit from Dan Walsh.
-- Patch for additional labeling of samba files from Stefan Schulze
- Frielinghaus.
-- Patch to remove incorrect cron labeling in apache.fc from Ryan Bradetich.
-- Fix ptys and ttys to be device nodes.
-- Fix explicit use of httpd_t in openca_domtrans().
-- Clean up file context regexes in apache and java, from Eamon Walsh.
-- Patches from Dan Walsh:
- Thu, 25 Jan 2007
-- Added modules:
- consolekit (Dan Walsh)
- fail2ban (Dan Walsh)
- zabbix (Dan Walsh)
-
-* Tue Dec 12 2006 Chris PeBenito <selinux@tresys.com> - 20061212
-- Add policy patterns support macros. This changes the behavior of
- the create_dir_perms and create_file_perms permission sets.
-- Association polmatch MLS constraint making unlabeled_t an exception
- is no longer needed, patch from Venkat Yekkirala.
-- Context contains checking for PAM and cron from James Antill.
-- Add a reload target to Modules.devel and change the load
- target to only insert modules that were changed.
-- Allow semanage to read from /root on strict non-MLS for
- local policy modules.
-- Gentoo init script fixes for udev.
-- Allow udev to read kernel modules.inputmap.
-- Dnsmasq fixes from testing.
-- Allow kernel NFS server to getattr filesystems so df can work
- on clients.
-- Patch from Matt Anderson for a MLS constraint exemption on a
- file that can be written to from a subject whose range is
- within the object's range.
-- Enhanced setransd support from Darrel Goeddel.
-- Patches from Dan Walsh:
- Tue, 24 Oct 2006
- Wed, 29 Nov 2006
-- Added modules:
- aide (Matt Anderson)
- ccs (Dan Walsh)
- iscsi (Dan Walsh)
- ricci (Dan Walsh)
-
-* Wed Oct 18 2006 Chris PeBenito <selinux@tresys.com> - 20061018
-- Patch from Russell Coker Thu, 5 Oct 2006
-- Move range transitions to modules.
-- Make number of MLS sensitivities, and number of MLS and MCS
- categories configurable as build options.
-- Add role infrastructure.
-- Debian updates from Erich Schubert.
-- Add nscd_socket_use() to auth_use_nsswitch().
-- Remove old selopt rules.
-- Full support for netfilter_contexts.
-- MRTG patch for daemon operation from Stefan.
-- Add authlogin interface to abstract common access for login programs.
-- Remove setbool auditallow, except for RHEL4.
-- Change eventpollfs to task SID labeling.
-- Add key support from Michael LeMay.
-- Add ftpdctl domain to ftp, from Paul Howarth.
-- Fix build system to not move type declarations out of optionals.
-- Add gcc-config domain to portage.
-- Add packet object class and support in corenetwork.
-- Add a copy of genhomedircon for monolithic policy building, so that a
- policycoreutils package update is not required for RHEL4 systems.
-- Add appletalk sockets for use in cups.
-- Add Make target to validate module linking.
-- Make duplicate template and interface declarations a fatal error.
-- Patch to stabilize modules.conf `make conf` output, from Erich Schubert.
-- Move xconsole_device_t from devices to xserver since it is
- not actually a device, it is a named pipe.
-- Handle nonexistant .fc and .if files in devel Makefile by
- automatically creating empty files.
-- Remove unused devfs_control_t.
-- Add rhel4 distro, which also implies redhat distro.
-- Remove unneeded range_transition for su_exec_t and move the
- type declaration back to the su module.
-- Constrain transitions in MCS so unconfined_t cannot have
- arbitrary category sets.
-- Change reiserfs from xattr filesystem to genfscon as it's xattrs
- are currently nonfunctional.
-- Change files and filesystem modules to use their own interfaces.
-- Add user fonts to xserver.
-- Additional interfaces in corecommands, miscfiles, and userdomain
- from Joy Latten.
-- Miscellaneous fixes from Thomas Bleher.
-- Deprecate module name as first parameter of optional_policy()
- now that optionals are allowed everywhere.
-- Enable optional blocks in base module and monolithic policy.
- This requires checkpolicy 1.30.1.
-- Fix vpn module declaration.
-- Numerous fixes from Dan Walsh.
-- Change build order to preserve m4 line number information so policy
- compile errors are useful again.
-- Additional MLS interfaces from Chad Hanson.
-- Move some rules out of domain_type() and domain_base_type()
- to the TE file, to use the domain attribute to take advantage
- of space savings from attribute use.
-- Add global stack smashing protector rule for urandom access from
- Petre Rodan.
-- Fix temporary rules at the bottom of portmap.
-- Updated comments in mls file from Chad Hanson.
-- Patches from Dan Walsh:
- Fri, 17 Mar 2006
- Wed, 29 Mar 2006
- Tue, 11 Apr 2006
- Fri, 14 Apr 2006
- Tue, 18 Apr 2006
- Thu, 20 Apr 2006
- Tue, 02 May 2006
- Mon, 15 May 2006
- Thu, 18 May 2006
- Tue, 06 Jun 2006
- Mon, 12 Jun 2006
- Tue, 20 Jun 2006
- Wed, 26 Jul 2006
- Wed, 23 Aug 2006
- Thu, 31 Aug 2006
- Fri, 01 Sep 2006
- Tue, 05 Sep 2006
- Wed, 20 Sep 2006
- Fri, 22 Sep 2006
- Mon, 25 Sep 2006
-- Added modules:
- afs
- amavis (Erich Schubert)
- apt (Erich Schubert)
- asterisk
- audioentropy
- authbind
- backup
- calamaris
- cipe
- clamav (Erich Schubert)
- clockspeed (Petre Rodan)
- courier
- dante
- dcc
- ddclient
- dpkg (Erich Schubert)
- dnsmasq
- ethereal
- evolution
- games
- gatekeeper
- gift
- gnome (James Carter)
- imaze
- ircd
- jabber
- monop
- mozilla
- mplayer
- munin
- nagios
- nessus
- netlabel (Paul Moore)
- nsd
- ntop
- nx
- oav
- oddjob (Dan Walsh)
- openca
- openvpn (Petre Rodan)
- perdition
- portslave
- postgrey
- pxe
- pyzor (Dan Walsh)
- qmail (Petre Rodan)
- razor
- resmgr
- rhgb
- rssh
- snort
- soundserver
- speedtouch
- sxid
- thunderbird
- tor (Erich Schubert)
- transproxy
- tripwire
- uptime
- uwimap
- vmware
- watchdog
- xen (Dan Walsh)
- xprint
- yam
-
-* Tue Mar 07 2006 Chris PeBenito <selinux@tresys.com> - 20060307
-- Make all interface parameters required.
-- Move boot_t, system_map_t, and modules_object_t to files module,
- and move bootloader to admin layer.
-- Add semanage policy for semodule from Dan Walsh.
-- Remove allow_execmem from targeted policy domain_base_type().
-- Add users_extra and seusers support.
-- Postfix fixes from Serge Hallyn.
-- Run python and shell directly to interpret scripts so policy
- sources need not be executable.
-- Add desc tag XML to booleans and tunables, and add summary
- to param XML tag, to make future translations possible.
-- Remove unused lvm_vg_t.
-- Many interface renames to improve naming consistency.
-- Merge xdm into xserver.
-- Remove kernel module reversed interfaces.
-- Add filename attribute to module XML tag and lineno attribute to
- interface XML tag.
-- Changed QUIET build option to a yes or no option.
-- Add a Makefile used for compiling loadable modules in a
- user's development environment, building against policy headers.
-- Add Make target for installing policy headers.
-- Separate per-userdomain template expansion from the userdomain
- module and add infrastructure to expand templates in the modules
- that own the template.
-- Enable secadm only for MLS policies.
-- Remove role change rules in su and sudo since this functionality has been
- removed from these programs.
-- Add ctags Make target from Thomas Bleher.
-- Collapse commands with grep piped to sed into one sed command.
-- Fix type_change bug in term_user_pty().
-- Move ice_tmp_t from miscfiles to xserver.
-- Login fixes from Serge Hallyn.
-- Move xserver_log_t from xdm to xserver.
-- Add lpr per-userdomain policy to lpd.
-- Miscellaneous fixes from Dan Walsh.
-- Change initrc_var_run_t interface noun from script_pid to utmp,
- for greater clarity.
-- Added modules:
- certwatch
- mono (Dan Walsh)
- mrtg
- portage
- tvtime
- userhelper
- usernetctl
- wine (Dan Walsh)
- xserver
-
-* Tue Jan 17 2006 Chris PeBenito <selinux@tresys.com> - 20060117
-- Adds support for generating corenetwork interfaces based on attributes
- in addition to types.
-- Permits the listing of multiple nodes in a network_node() that will be
- given the same type.
-- Add two new permission sets for stream sockets.
-- Rename file type transition interfaces verb from create to
- filetrans to differentiate it from create interfaces without
- type transitions.
-- Fix expansion of interfaces from disabled modules.
-- Rsync can be long running from init,
- added rules to allow this.
-- Add polyinstantiation build option.
-- Add setcontext to the association object class.
-- Add apache relay and db connect tunables.
-- Rename texrel_shlib_t to textrel_shlib_t.
-- Add swat to samba module.
-- Numerous miscellaneous fixes from Dan Walsh.
-- Added modules:
- alsa
- automount
- cdrecord
- daemontools (Petre Rodan)
- ddcprobe
- djbdns (Petre Rodan)
- fetchmail
- irc
- java
- lockdev
- logwatch (Dan Walsh)
- openct
- prelink (Dan Walsh)
- publicfile (Petre Rodan)
- readahead
- roundup
- screen
- slocate (Dan Walsh)
- slrnpull
- smartmon
- sysstat
- ucspitcp (Petre Rodan)
- usbmodules
- vbetool (Dan Walsh)
-
-* Wed Dec 07 2005 Chris PeBenito <selinux@tresys.com> - 20051207
-- Add unlabeled IPSEC association rule to domains with
- networking permissions.
-- Merge systemuser back in to users, as these files
- do not need to be split.
-- Add check for duplicate interface/template definitions.
-- Move domain, files, and corecommands modules to kernel
- layer to resolve some layering inconsistencies.
-- Move policy build options out of Makefile into build.conf.
-- Add yppasswd to nis module.
-- Change optional_policy() to refer to the module name
- rather than modulename.te.
-- Fix labeling targets to use installed file_contexts rather
- than partial file_contexts in the policy source directory.
-- Fix build process to use make's internal vpath functions
- to detect modules rather than using subshells and find.
-- Add install target for modular policy.
-- Add load target for modular policy.
-- Add appconfig dependency to the load target.
-- Miscellaneous fixes from Dan Walsh.
-- Fix corenetwork gen_context()'s to expand during the policy
- build phase instead of during the generation phase.
-- Added policies:
- amanda
- avahi
- canna
- cyrus
- dbskk
- dovecot
- distcc
- i18n_input
- irqbalance
- lpd
- networkmanager
- pegasus
- postfix
- procmail
- radius
- rdisc
- rpc
- spamassassin
- timidity
- xdm
- xfs
-
-* Wed Oct 19 2005 Chris PeBenito <selinux@tresys.com> - 20051019
-- Many fixes to make loadable modules build.
-- Add targets for sechecker.
-- Updated to sedoctool to read bool files and tunable
- files separately.
-- Changed the xml tag of <boolean> to <bool> to be consistent
- with gen_bool().
-- Modified the implementation of segenxml to use regular
- expressions.
-- Rename context_template() to gen_context() to clarify
- that its not a Reference Policy template, but a support
- macro.
-- Add disable_*_trans bool support for targeted policy.
-- Add MLS module to handle MLS constraint exceptions,
- such as reading up and writing down.
-- Fix errors uncovered by sediff.
-- Added policies:
- anaconda
- apache
- apm
- arpwatch
- bluetooth
- dmidecode
- finger
- ftp
- kudzu
- mailman
- ppp
- radvd
- sasl
- webalizer
-
-* Thu Sep 22 2005 Chris PeBenito <selinux@tresys.com> - 20050922
-- Make logrotate, sendmail, sshd, and rpm policies
- unconfined in the targeted policy so no special
- modules.conf is required.
-- Add experimental MCS support.
-- Add appconfig for MLS.
-- Add equivalents for old can_resolve(), can_ldap(), and
- can_portmap() to sysnetwork.
-- Fix base module compile issues.
-- Added policies:
- cpucontrol
- cvs
- ktalk
- portmap
- postgresql
- rlogin
- samba
- snmp
- stunnel
- telnet
- tftp
- uucp
- vpn
- zebra
-
-* Wed Sep 07 2005 Chris PeBenito <selinux@tresys.com> - 20050907
-- Fix errors uncovered by sediff.
-- Doc tool will explicitly say a module does not have interfaces
- or templates on the module page.
-- Added policies:
- comsat
- dbus
- dhcp
- dictd
- hal
- inn
- ntp
- squid
-
-* Fri Aug 26 2005 Chris PeBenito <selinux@tresys.com> - 20050826
-- Add Makefile support for building loadable modules.
-- Add genclassperms.py tool to add require blocks
- for loadable modules.
-- Change sedoctool to make required modules part of base
- by default, otherwise make as modules, in modules.conf.
-- Fix segenxml to handle modules with no interfaces.
-- Rename ipsec connect interface for consistency.
-- Add missing parts of unix stream socket connect interface
- of ipsec.
-- Rename inetd connect interface for consistency.
-- Rename interface for purging contents of tmp, for clarity,
- since it allows deletion of classes other than file.
-- Misc. cleanups.
-- Added policies:
- acct
- bind
- firstboot
- gpm
- howl
- ldap
- loadkeys
- mysql
- privoxy
- quota
- rshd
- rsync
- su
- sudo
- tcpd
- tmpreaper
- updfstab
-
-* Tue Aug 2 2005 Chris PeBenito <selinux@tresys.com> - 20050802
-- Fix comparison bug in fc_sort.
-- Fix handling of ordered and unordered HTML lists.
-- Corenetwork now supports multiple network interfaces having the
- same type.
-- Doc tool now creates pages for global Booleans and global tunables.
-- Doc tool now links directly to the interface/template in the
- module page when it is selected in the interface/template index.
-- Added support for layer summaries.
-- Added policies:
- ipsec
- nscd
- pcmcia
- raid
-
-* Thu Jul 7 2005 Chris PeBenito <selinux@tresys.com> - 20050707
-- Changed xml to have modules encapsulated by layer tags, rather
- than putting layer="foo" in the module tags. Also in the future
- we can put a summary and description for each layer.
-- Added tool to infer interface, module, and layer tags. This will
- now list all interfaces, even if they are missing xml docs.
-- Shortened xml tag names.
-- Added macros to declare interfaces and templates.
-- Added interface call trace.
-- Updated all xml documentation for shorter and inferred tags.
-- Doc tool now displays templates in the web pages.
-- Doc tool retains the user's settings in modules.conf and
- tunables.conf if the files already exist.
-- Modules.conf behavior has been changed to be a list of all
- available modules, and the user can specify if the module is
- built as a loadable module, included in the monolithic policy,
- or excluded.
-- Added policies:
- fstools (fsck, mkfs, swapon, etc. tools)
- logrotate
- inetd
- kerberos
- nis (ypbind and ypserv)
- ssh (server, client, and agent)
- unconfined
-- Added infrastructure for targeted policy support, only missing
- transition boolean support.
-
-* Wed Jun 15 2005 Chris PeBenito <selinux@tresys.com> - 20050615
- - Initial release
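Review bot: this hunk strips the whole pre-2.20120725 history out of Changelog, ending at the 20050615 "Initial release" entry, without leaving any pointer to where that history went; the next diff in this commit copies the file to Changelog.old, so a one-line note at the top of the trimmed Changelog ("Older entries have been moved to Changelog.old") would keep the trail for anyone who only reads the live file. The odd indentation on the last removed entry (" - Initial release", with a leading space unlike every other "- " item) is worth normalising in Changelog.old while the history is being moved.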
diff --git a/Changelog b/Changelog.old
similarity index 99%
copy from Changelog
copy to Changelog.old
index 0090893..672e632 100644
--- a/Changelog
+++ b/Changelog.old
@@ -1,3 +1,7 @@
+- Mcelog update from Guido Trentalancia.
+- Added contrib modules:
+ bird (Dominick Grift)
+
* Wed Jul 25 2012 Chris PeBenito <selinux@tresys.com> - 2.20120725
- Rename epollwakeup capability2 permission to block_suspend to match the
corresponding kernel capability rename.
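Review bot: the two entries added at the top of Changelog.old ("Mcelog update from Guido Trentalancia." and the bird contrib module) sit above the "* Wed Jul 25 2012 ... 2.20120725" release header with no header of their own, so they read as unreleased, post-2.20120725 changes. An .old file copied with "similarity index 99%" is meant to be frozen history; unreleased entries belong at the top of the live Changelog, under a new release header when one is cut, otherwise they are liable to be missed when the next release notes are assembled.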
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2013-09-23 13:31 Sven Vermeulen
From: Sven Vermeulen @ 2013-09-23 13:31 UTC
To: gentoo-commits
commit: 712f8c525da8aaf0bd8588d00aa1ab1b38cc3bcc
Author: Lukas Vrabec <lvrabec <AT> redhat <DOT> com>
AuthorDate: Thu Aug 22 14:37:11 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:26:47 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=712f8c52
Add policy for lsmd
---
lsm.fc | 5 ++++
lsm.if | 103 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
lsm.te | 31 ++++++++++++++++++++
3 files changed, 139 insertions(+)
diff --git a/lsm.fc b/lsm.fc
new file mode 100644
index 0000000..711c04b
--- /dev/null
+++ b/lsm.fc
@@ -0,0 +1,5 @@
+/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0)
+
+/usr/lib/systemd/system/libstoragemgmt.* -- gen_context(system_u:object_r:lsmd_unit_file_t,s0)
+
+/var/run/lsm(/.*)? -- gen_context(system_u:object_r:lsmd_var_run_t,s0)
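Review bot: the last entry, "/var/run/lsm(/.*)? -- gen_context(system_u:object_r:lsmd_var_run_t,s0)", combines a directory-subtree pattern with the "--" regular-file qualifier, so /var/run/lsm itself and any socket files under it are not labelled lsmd_var_run_t by restorecon/setfiles; drop the "--" as the other subtree entries in this series do (e.g. "/var/run/redis(/.*)? gen_context(...)" in redis.fc). This matters because lsm.te grants manage_dirs_pattern and manage_sock_files_pattern on lsmd_var_run_t, which only help if the directory and sockets actually carry that type.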
diff --git a/lsm.if b/lsm.if
new file mode 100644
index 0000000..f3e94d7
--- /dev/null
+++ b/lsm.if
@@ -0,0 +1,103 @@
+
+## <summary>lsmd SELINUX policy </summary>
+
+########################################
+## <summary>
+## Execute TEMPLATE in the lsmd domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`lsmd_domtrans',`
+ gen_require(`
+ type lsmd_t, lsmd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, lsmd_exec_t, lsmd_t)
+')
+########################################
+## <summary>
+## Read lsmd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lsmd_read_pid_files',`
+ gen_require(`
+ type lsmd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, lsmd_var_run_t, lsmd_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute lsmd server in the lsmd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`lsmd_systemctl',`
+ gen_require(`
+ type lsmd_t;
+ type lsmd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_password_run($1)
+ allow $1 lsmd_unit_file_t:file read_file_perms;
+ allow $1 lsmd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, lsmd_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an lsmd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`lsmd_admin',`
+ gen_require(`
+ type lsmd_t;
+ type lsmd_var_run_t;
+ type lsmd_unit_file_t;
+ ')
+
+ allow $1 lsmd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, lsmd_t)
+
+ files_search_pids($1)
+ admin_pattern($1, lsmd_var_run_t)
+
+ lsmd_systemctl($1)
+ admin_pattern($1, lsmd_unit_file_t)
+ allow $1 lsmd_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
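Review bot: lsmd_systemctl calls systemd_read_fifo_file_password_run($1) while lsmd_admin calls systemd_read_fifo_file_passwd_run($1); these cannot both be the real interface name in the systemd module, and whichever is wrong will break the module build, so check which one exists and use it in both places. Two smaller points: lsmd_admin documents a <param name="role"> and carries <rolecap/>, but never uses $2, so either drop the parameter and the tag or actually wire the role in; and the lsmd_domtrans summary still reads "Execute TEMPLATE in the lsmd domin.", a leftover from the template it was generated from, which should read "Execute lsmd in the lsmd domain." since this text ends up in the generated interface documentation. The lsmd_systemctl summary ("Execute lsmd server in the lsmd domain.") likewise misdescribes an interface that grants systemctl access to the unit file.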
diff --git a/lsm.te b/lsm.te
new file mode 100644
index 0000000..14fe4d7
--- /dev/null
+++ b/lsm.te
@@ -0,0 +1,31 @@
+policy_module(lsm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type lsmd_t;
+type lsmd_exec_t;
+init_daemon_domain(lsmd_t, lsmd_exec_t)
+
+type lsmd_var_run_t;
+files_pid_file(lsmd_var_run_t)
+
+type lsmd_unit_file_t;
+systemd_unit_file(lsmd_unit_file_t)
+
+########################################
+#
+# lsmd local policy
+#
+allow lsmd_t self:capability { setgid };
+allow lsmd_t self:process { fork };
+allow lsmd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+manage_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+
+logging_send_syslog_msg(lsmd_t)
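Review bot: lsmd_t gets manage_dirs/files/lnk_files/sock_files_pattern on lsmd_var_run_t but no files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir sock_file }) call, so if the daemon creates /var/run/lsm and its socket itself (rather than having them pre-labelled by init or tmpfiles) they inherit var_run_t and none of the manage rules above apply; adding the filetrans is the usual refpolicy way to close that gap. Style: the "# lsmd local policy" banner lacks the blank line that separates the Declarations banner from its first rule, and "{ setgid }" does not need the braces for a single permission.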
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2013-09-23 13:31 ` Sven Vermeulen
From: Sven Vermeulen @ 2013-09-23 13:31 UTC
To: gentoo-commits
commit: a1a159555aa5f11921596367e318cb987325c61e
Author: Lukas Vrabec <lvrabec <AT> redhat <DOT> com>
AuthorDate: Wed Aug 7 13:33:55 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:39 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a1a15955
Add policy for hypervkvpd
---
hypervkvp.fc | 3 +++
hypervkvp.if | 21 +++++++++++++++++++++
hypervkvp.te | 30 ++++++++++++++++++++++++++++++
3 files changed, 54 insertions(+)
diff --git a/hypervkvp.fc b/hypervkvp.fc
new file mode 100644
index 0000000..2a69ee4
--- /dev/null
+++ b/hypervkvp.fc
@@ -0,0 +1,3 @@
+/etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvp_initrc_exec_t,s0)
+
+/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvp_exec_t,s0)
diff --git a/hypervkvp.if b/hypervkvp.if
new file mode 100644
index 0000000..7743be5
--- /dev/null
+++ b/hypervkvp.if
@@ -0,0 +1,21 @@
+
+## <summary>policy for hypervkvp</summary>
+
+########################################
+## <summary>
+## Execute TEMPLATE in the hypervkvp domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hypervkvp_domtrans',`
+ gen_require(`
+ type hypervkvp_t, hypervkvp_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, hypervkvp_exec_t, hypervkvp_t)
+')
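Review bot: the hypervkvp_domtrans summary reads "Execute TEMPLATE in the hypervkvp domin."; the TEMPLATE placeholder and the "domin" typo were never filled in, and this text is what the generated interface documentation will show, so it should read "Execute hypervkvp in the hypervkvp domain." The same leftover appears in lsm.if and redis.if in this series, so one pass over all three is warranted.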
diff --git a/hypervkvp.te b/hypervkvp.te
new file mode 100644
index 0000000..631ed79
--- /dev/null
+++ b/hypervkvp.te
@@ -0,0 +1,30 @@
+policy_module(hypervkvp, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type hypervkvp_t;
+type hypervkvp_exec_t;
+init_daemon_domain(hypervkvp_t, hypervkvp_exec_t)
+
+type hypervkvp_initrc_exec_t;
+init_script_file(hypervkvp_initrc_exec_t)
+
+
+########################################
+#
+# hypervkvp local policy
+#
+#
+allow hypervkvp_t self:fifo_file rw_fifo_file_perms;
+allow hypervkvp_t self:unix_stream_socket create_stream_socket_perms;
+
+domain_use_interactive_fds(hypervkvp_t)
+
+logging_send_syslog_msg(hypervkvp_t)
+
+miscfiles_read_localization(hypervkvp_t)
+
+sysnet_dns_name_resolve(hypervkvp_t)
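Review bot: hypervkvp_initrc_exec_t is declared here and labelled in hypervkvp.fc, but hypervkvp.if exposes neither an initrc_domtrans nor an admin interface for it, so no domain other than init can run the init script in its own domain or administer the daemon; adding hypervkvp_initrc_domtrans() and hypervkvp_admin() along the lines of redis_initrc_domtrans/redis_admin in this same series would complete the module. Style: the "# hypervkvp local policy" banner has a duplicated trailing "#" line and no blank line before the first allow rule, unlike the Declarations banner above it.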
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2013-09-23 13:31 ` Sven Vermeulen
From: Sven Vermeulen @ 2013-09-23 13:31 UTC
To: gentoo-commits
commit: cc29211b9a8299a1793c2158c66fc5058c50d98f
Author: Lukas Vrabec <lvrabec <AT> redhat <DOT> com>
AuthorDate: Tue Aug 6 12:14:52 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:28:05 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cc29211b
Add policy for redis-server
---
redis.fc | 11 +++
redis.if | 271 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
redis.te | 62 +++++++++++++++
3 files changed, 344 insertions(+)
diff --git a/redis.fc b/redis.fc
new file mode 100644
index 0000000..638d6b4
--- /dev/null
+++ b/redis.fc
@@ -0,0 +1,11 @@
+/etc/rc\.d/init\.d/redis -- gen_context(system_u:object_r:redis_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/redis.* -- gen_context(system_u:object_r:redis_unit_file_t,s0)
+
+/usr/sbin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0)
+
+/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0)
+
+/var/log/redis(/.*)? gen_context(system_u:object_r:redis_log_t,s0)
+
+/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0)
diff --git a/redis.if b/redis.if
new file mode 100644
index 0000000..e3efff0
--- /dev/null
+++ b/redis.if
@@ -0,0 +1,271 @@
+
+## <summary>policy for redis</summary>
+
+########################################
+## <summary>
+## Execute TEMPLATE in the redis domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`redis_domtrans',`
+ gen_require(`
+ type redis_t, redis_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, redis_exec_t, redis_t)
+')
+
+########################################
+## <summary>
+## Execute redis server in the redis domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`redis_initrc_domtrans',`
+ gen_require(`
+ type redis_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, redis_initrc_exec_t)
+')
+########################################
+## <summary>
+## Read redis's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`redis_read_log',`
+ gen_require(`
+ type redis_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, redis_log_t, redis_log_t)
+')
+
+########################################
+## <summary>
+## Append to redis log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`redis_append_log',`
+ gen_require(`
+ type redis_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, redis_log_t, redis_log_t)
+')
+
+########################################
+## <summary>
+## Manage redis log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`redis_manage_log',`
+ gen_require(`
+ type redis_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, redis_log_t, redis_log_t)
+ manage_files_pattern($1, redis_log_t, redis_log_t)
+ manage_lnk_files_pattern($1, redis_log_t, redis_log_t)
+')
+
+########################################
+## <summary>
+## Search redis lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`redis_search_lib',`
+ gen_require(`
+ type redis_var_lib_t;
+ ')
+
+ allow $1 redis_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read redis lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`redis_read_lib_files',`
+ gen_require(`
+ type redis_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, redis_var_lib_t, redis_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage redis lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`redis_manage_lib_files',`
+ gen_require(`
+ type redis_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, redis_var_lib_t, redis_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage redis lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`redis_manage_lib_dirs',`
+ gen_require(`
+ type redis_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, redis_var_lib_t, redis_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read redis PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`redis_read_pid_files',`
+ gen_require(`
+ type redis_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, redis_var_run_t, redis_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute redis server in the redis domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`redis_systemctl',`
+ gen_require(`
+ type redis_t;
+ type redis_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_password_run($1)
+ allow $1 redis_unit_file_t:file read_file_perms;
+ allow $1 redis_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, redis_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an redis environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`redis_admin',`
+ gen_require(`
+ type redis_t;
+ type redis_initrc_exec_t;
+ type redis_log_t;
+ type redis_var_lib_t;
+ type redis_var_run_t;
+ type redis_unit_file_t;
+ ')
+
+ allow $1 redis_t:process { ptrace signal_perms };
+ ps_process_pattern($1, redis_t)
+
+ redis_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 redis_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_search_logs($1)
+ admin_pattern($1, redis_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, redis_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, redis_var_run_t)
+
+ redis_systemctl($1)
+ admin_pattern($1, redis_unit_file_t)
+ allow $1 redis_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
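Review bot: the two systemd password-agent interfaces in this hunk are spelled differently: redis_systemctl calls systemd_read_fifo_file_password_run($1) while the optional_policy block at the end of redis_admin calls systemd_read_fifo_file_passwd_run($1); only one of those names can exist in systemd.if, so the other will fail at build time, and since redis_admin already calls redis_systemctl($1) the second call is redundant anyway. Separately, the summary for redis_systemctl ("Execute redis server in the redis domain") describes a domain transition, but the interface grants systemctl execution plus read_file_perms and manage_service_perms on redis_unit_file_t; reword it to match, e.g. "Execute systemctl to manage the redis service."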
diff --git a/redis.te b/redis.te
new file mode 100644
index 0000000..e5e9cf7
--- /dev/null
+++ b/redis.te
@@ -0,0 +1,62 @@
+policy_module(redis, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type redis_t;
+type redis_exec_t;
+init_daemon_domain(redis_t, redis_exec_t)
+
+type redis_initrc_exec_t;
+init_script_file(redis_initrc_exec_t)
+
+type redis_log_t;
+logging_log_file(redis_log_t)
+
+type redis_var_lib_t;
+files_type(redis_var_lib_t)
+
+type redis_var_run_t;
+files_pid_file(redis_var_run_t)
+
+type redis_unit_file_t;
+systemd_unit_file(redis_unit_file_t)
+
+########################################
+#
+# redis local policy
+#
+
+allow redis_t self:process { setrlimit signal_perms };
+allow redis_t self:fifo_file rw_fifo_file_perms;
+allow redis_t self:unix_stream_socket create_stream_socket_perms;
+allow redis_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(redis_t, redis_log_t, redis_log_t)
+manage_files_pattern(redis_t, redis_log_t, redis_log_t)
+manage_lnk_files_pattern(redis_t, redis_log_t, redis_log_t)
+
+manage_dirs_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
+manage_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
+manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
+
+manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t)
+manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
+manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
+
+kernel_read_system_state(redis_t)
+
+corenet_tcp_bind_generic_node(redis_t)
+corenet_tcp_bind_redis_port(redis_t)
+
+dev_read_sysfs(redis_t)
+dev_read_urand(redis_t)
+
+logging_send_syslog_msg(redis_t)
+
+miscfiles_read_localization(redis_t)
+
+sysnet_dns_name_resolve(redis_t)
+
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2013-09-26 13:19 Sven Vermeulen
From: Sven Vermeulen @ 2013-09-26 13:19 UTC
To: gentoo-commits
commit: c040f2842c3567cbd888b4436c54a2005d37e20a
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Sep 26 08:39:16 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Sep 26 08:39:16 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c040f284
Add /usr/lib to TEST_TOOLCHAIN LD_LIBRARY_PATH
---
Makefile | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Makefile b/Makefile
index bc47580..d46865a 100644
--- a/Makefile
+++ b/Makefile
@@ -47,9 +47,9 @@ endif
BINDIR ?= /usr/bin
SBINDIR ?= /usr/sbin
ifdef TEST_TOOLCHAIN
-tc_usrbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(BINDIR)
-tc_usrsbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(SBINDIR)
-tc_sbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)/sbin
+tc_usrbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib:$(TEST_TOOLCHAIN)/usr/lib" $(TEST_TOOLCHAIN)$(BINDIR)
+tc_usrsbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib:$(TEST_TOOLCHAIN)/usr/lib" $(TEST_TOOLCHAIN)$(SBINDIR)
+tc_sbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib:$(TEST_TOOLCHAIN)/usr/lib" $(TEST_TOOLCHAIN)/sbin
else
tc_usrbindir := $(BINDIR)
tc_usrsbindir := $(SBINDIR)
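Review bot: the LD_LIBRARY_PATH value is now duplicated verbatim in the three tc_* assignments; a single variable such as tc_ldpath := $(TEST_TOOLCHAIN)/lib:$(TEST_TOOLCHAIN)/usr/lib referenced from each line would keep them from drifting apart the next time a directory has to be added.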
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2013-09-30 19:03 Sven Vermeulen
From: Sven Vermeulen @ 2013-09-30 19:03 UTC
To: gentoo-commits
commit: bfd3a1c8be8744da6db2648be14a1c0ffc0e2cd3
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Fri Sep 27 15:43:02 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Sep 30 19:03:04 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=bfd3a1c8
Initial minissdpd policy module
MiniSSDPd is a small daemon used by MiniUPnPc (a UPnP control point for
IGD devices) to speed up device discoveries. MiniSSDPd keeps memory of
all UPnP devices that announced themselves on the network through SSDP
NOTIFY packets. MiniSSDPd also has the ability to handle all SSDP
traffic received on a computer via the multicast group
239.255.255.250:1900.
MiniSSDPd receives NOTIFY packets and stores information contained for
later use by UPnP Control Points on the machine. MiniSSDPd receives
M-SEARCH packets and answers on behalf of the UPnP devices running on
the machine. MiniUPnPd and MiniUPnPc are designed to automatically take
advantage of MiniSSDPd running on the same computer. Just make sure that
MiniSSDPd is started before any other UPnP program on the computer.
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
minissdpd.fc | 8 ++++++++
minissdpd.if | 39 +++++++++++++++++++++++++++++++++++++++
minissdpd.te | 46 ++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 93 insertions(+)
diff --git a/minissdpd.fc b/minissdpd.fc
new file mode 100644
index 0000000..4970404
--- /dev/null
+++ b/minissdpd.fc
@@ -0,0 +1,8 @@
+/etc/default/minissdpd -- gen_context(system_u:object_r:minissdpd_conf_t,s0)
+
+/etc/rc\.d/init\.d/minissdpd -- gen_context(system_u:object_r:minissdpd_initrc_exec_t,s0)
+
+/usr/sbin/minissdpd -- gen_context(system_u:object_r:minissdpd_exec_t,s0)
+
+/var/run/minissdpd\.pid -- gen_context(system_u:object_r:minissdpd_var_run_t,s0)
+/var/run/minissdpd\.sock -s gen_context(system_u:object_r:minissdpd_var_run_t,s0)
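Review bot: /etc/default/minissdpd is the Debian location for the init-script environment file; on Gentoo, which hardened-refpolicy targets, the equivalent lives under /etc/conf.d, so either wrap this entry in ifdef(`distro_debian', ...) or add the Gentoo path alongside it (the same applies to /etc/default/gdomap in the gdomap module later in this thread). The last two entries also lack the blank-line separation used for the rest of the file.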
diff --git a/minissdpd.if b/minissdpd.if
new file mode 100644
index 0000000..20de8ef
--- /dev/null
+++ b/minissdpd.if
@@ -0,0 +1,39 @@
+## <summary>Daemon used by MiniUPnPc to speed up device discoveries.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an minissdpd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`minissdpd_admin',`
+ gen_require(`
+ type minissdpd_t, minissdpd_initrc_exec_t, minissdpd_conf_t;
+ type minissdpd_var_run_t
+ ')
+
+ allow $1 minissdpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, minissdpd_t)
+
+ init_labeled_script_domtrans($1, minissdpd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 minissdpd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_etc($1)
+ admin_pattern($1, minissdpd_conf_t)
+
+ files_search_pids($1)
+ admin_pattern($1, minissdpd_var_run_t)
+')
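Review bot: the gen_require block in minissdpd_admin has a syntax error: the line "type minissdpd_var_run_t" is missing its terminating semicolon, so the interface will not compile when it is expanded. Either append the semicolon or fold the type into the preceding line ("type minissdpd_t, minissdpd_initrc_exec_t, minissdpd_conf_t, minissdpd_var_run_t;"); gdomap_admin below gets this right with a semicolon on each line.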
diff --git a/minissdpd.te b/minissdpd.te
new file mode 100644
index 0000000..ae9004b
--- /dev/null
+++ b/minissdpd.te
@@ -0,0 +1,46 @@
+policy_module(minissdpd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type minissdpd_t;
+type minissdpd_exec_t;
+init_daemon_domain(minissdpd_t, minissdpd_exec_t)
+
+type minissdpd_initrc_exec_t;
+init_script_file(minissdpd_initrc_exec_t)
+
+type minissdpd_conf_t;
+files_config_file(minissdpd_conf_t)
+
+type minissdpd_var_run_t;
+files_pid_file(minissdpd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow minissdpd_t self:capability { sys_module net_admin };
+allow minissdpd_t self:netlink_route_socket r_netlink_socket_perms;
+allow minissdpd_t self:udp_socket create_socket_perms;
+allow minissdpd_t self:unix_dgram_socket create_socket_perms;
+
+allow minissdpd_t minissdpd_var_run_t:file manage_file_perms;
+allow minissdpd_t minissdpd_var_run_t:sock_file manage_sock_file_perms;
+files_pid_filetrans(minissdpd_t, minissdpd_var_run_t, { file sock_file })
+
+kernel_read_network_state(minissdpd_t)
+kernel_request_load_module(minissdpd_t)
+
+corenet_all_recvfrom_unlabeled(minissdpd_t)
+corenet_all_recvfrom_netlabel(minissdpd_t)
+corenet_udp_sendrecv_generic_if(minissdpd_t)
+corenet_udp_sendrecv_generic_node(minissdpd_t)
+corenet_udp_bind_generic_node(minissdpd_t)
+
+corenet_sendrecv_ssdp_server_packets(minissdpd_t)
+corenet_udp_bind_ssdp_port(minissdpd_t)
+corenet_udp_sendrecv_ssdp_port(minissdpd_t)
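Review bot: sys_module in the self:capability rule is the most powerful grant in this module and looks unnecessary next to kernel_request_load_module(minissdpd_t): a request_module() autoload of a protocol module is covered by the system:module_request check that interface grants, whereas CAP_SYS_MODULE is only needed to insert arbitrary modules directly. If the daemon merely probes for the capability, "dontaudit minissdpd_t self:capability sys_module;" is the safer choice; confirm against audit logs before allowing it. Also, unlike the redis and gdomap modules in this thread, there is no logging_send_syslog_msg or miscfiles_read_localization here; worth checking whether the daemon logs via syslog.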
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2013-09-30 19:03 Sven Vermeulen
From: Sven Vermeulen @ 2013-09-30 19:03 UTC
To: gentoo-commits
commit: 55711c0625e3572f837117e46493b3601d40db2d
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Fri Sep 27 11:05:57 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Sep 30 19:03:03 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=55711c06
Initial gdomap policy module
The gdomap daemon is used by GNUstep programs to look up distributed
objects of processes running across the network (and between different
user accounts on a single machine).
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
gdomap.fc | 7 +++++++
gdomap.if | 39 +++++++++++++++++++++++++++++++++++++++
gdomap.te | 42 ++++++++++++++++++++++++++++++++++++++++++
3 files changed, 88 insertions(+)
diff --git a/gdomap.fc b/gdomap.fc
new file mode 100644
index 0000000..0735238
--- /dev/null
+++ b/gdomap.fc
@@ -0,0 +1,7 @@
+/etc/default/gdomap -- gen_context(system_u:object_r:gdomap_conf_t,s0)
+
+/etc/rc\.d/init\.d/gdomap -- gen_context(system_u:object_r:gdomap_initrc_exec_t,s0)
+
+/usr/bin/gdomap -- gen_context(system_u:object_r:gdomap_exec_t,s0)
+
+/var/run/gdomap\.pid -- gen_context(system_u:object_r:gdomap_var_run_t,s0)
diff --git a/gdomap.if b/gdomap.if
new file mode 100644
index 0000000..f2cf3ad
--- /dev/null
+++ b/gdomap.if
@@ -0,0 +1,39 @@
+## <summary>GNUstep distributed object mapper.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an gdomap environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`gdomap_admin',`
+ gen_require(`
+ type gdomap_t, gdomap_conf_t, gdomap_initrc_exec_t;
+ type gdomap_var_run_t;
+ ')
+
+ allow $1 gdomap_t:process { ptrace signal_perms };
+ ps_process_pattern($1, gdomap_t)
+
+ init_labeled_script_domtrans($1, gdomap_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 gdomap_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_etc($1)
+ admin_pattern($1, gdomap_conf_t)
+
+ files_search_pids($1)
+ admin_pattern($1, gdomap_var_run_t)
+')
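Review bot: the summary reads "administrate an gdomap environment"; it should be "a gdomap environment" (the redis and minissdpd admin interfaces in this thread carry the same "an" typo).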
diff --git a/gdomap.te b/gdomap.te
new file mode 100644
index 0000000..0d2c4f4
--- /dev/null
+++ b/gdomap.te
@@ -0,0 +1,42 @@
+policy_module(gdomap, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gdomap_t;
+type gdomap_exec_t;
+init_daemon_domain(gdomap_t, gdomap_exec_t)
+
+type gdomap_initrc_exec_t;
+init_script_file(gdomap_initrc_exec_t)
+
+type gdomap_conf_t;
+files_config_file(gdomap_conf_t)
+
+type gdomap_var_run_t;
+files_pid_file(gdomap_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow gdomap_t self:capability { setuid sys_chroot net_bind_service setgid };
+allow gdomap_t self:tcp_socket { listen accept };
+
+allow gdomap_t gdomap_var_run_t:file manage_file_perms;
+files_pid_filetrans(gdomap_t, gdomap_var_run_t, file, "gdomap.pid")
+
+# corenet_sendrecv_gdomap_server_packets(gdomap_t)
+# corenet_tcp_bind_gdomap_port(gdomap_t)
+# corenet_tcp_sendrecv_gdomap_port(gdomap_t)
+# corenet_udp_bind_gdomap_port(gdomap_t)
+# corenet_udp_sendrecv_gdomap_port(gdomap_t)
+
+domain_use_interactive_fds(gdomap_t)
+
+auth_use_nsswitch(gdomap_t)
+
+logging_send_syslog_msg(gdomap_t)
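Review bot: the tcp_socket rule only grants { listen accept } and all five corenet_*_gdomap_port calls are commented out, so gdomap_t has no create, bind or connect permission on its listening socket and cannot start in enforcing mode as written. If the rules are parked because the gdomap port is not yet declared in corenetwork.te.in, say so in the comment, and when they are enabled pair them with "allow gdomap_t self:tcp_socket create_stream_socket_perms;", "allow gdomap_t self:udp_socket create_socket_perms;" and corenet_tcp_bind_generic_node(gdomap_t). The { setuid sys_chroot net_bind_service setgid } capability set is consistent with the daemon binding a low port, chrooting and then dropping privileges; a one-line comment saying so would help future audits.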
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2014-01-19 19:01 Sven Vermeulen
From: Sven Vermeulen @ 2014-01-19 19:01 UTC
To: gentoo-commits
commit: a7ae2e69783f6d628b525bd0deb118cc477dc35f
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Thu Jan 16 16:25:42 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jan 19 18:56:26 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a7ae2e69
Make the QUIET build option apply to clean and bare targets.
---
Makefile | 28 ++++++++++++++--------------
Rules.modular | 10 +++++-----
Rules.monolithic | 14 +++++++-------
3 files changed, 26 insertions(+), 26 deletions(-)
diff --git a/Makefile b/Makefile
index d46865a..c1c6b2e 100644
--- a/Makefile
+++ b/Makefile
@@ -611,27 +611,27 @@ resetlabels:
# Clean everything
#
bare: clean
- rm -f $(polxml)
- rm -f $(layerxml)
- rm -f $(modxml)
- rm -f $(tunxml)
- rm -f $(boolxml)
- rm -f $(mod_conf)
- rm -f $(booleans)
- rm -fR $(htmldir)
- rm -f $(tags)
+ $(verbose) rm -f $(polxml)
+ $(verbose) rm -f $(layerxml)
+ $(verbose) rm -f $(modxml)
+ $(verbose) rm -f $(tunxml)
+ $(verbose) rm -f $(boolxml)
+ $(verbose) rm -f $(mod_conf)
+ $(verbose) rm -f $(booleans)
+ $(verbose) rm -fR $(htmldir)
+ $(verbose) rm -f $(tags)
# don't remove these files if we're given a local root
ifndef LOCAL_ROOT
- rm -f $(fcsort)
- rm -f $(support)/*.pyc
+ $(verbose) rm -f $(fcsort)
+ $(verbose) rm -f $(support)/*.pyc
ifneq ($(generated_te),)
- rm -f $(generated_te)
+ $(verbose) rm -f $(generated_te)
endif
ifneq ($(generated_if),)
- rm -f $(generated_if)
+ $(verbose) rm -f $(generated_if)
endif
ifneq ($(generated_fc),)
- rm -f $(generated_fc)
+ $(verbose) rm -f $(generated_fc)
endif
endif
diff --git a/Rules.modular b/Rules.modular
index 313d837..58e94da 100644
--- a/Rules.modular
+++ b/Rules.modular
@@ -208,10 +208,10 @@ validate: $(base_pkg) $(mod_pkgs)
# Clean the sources
#
clean:
- rm -f $(base_conf)
- rm -f $(base_fc)
- rm -f $(builddir)*.pp
- rm -f $(net_contexts)
- rm -fR $(tmpdir)
+ $(verbose) rm -f $(base_conf)
+ $(verbose) rm -f $(base_fc)
+ $(verbose) rm -f $(builddir)*.pp
+ $(verbose) rm -f $(net_contexts)
+ $(verbose) rm -fR $(tmpdir)
.PHONY: default all policy base modules install load clean validate
diff --git a/Rules.monolithic b/Rules.monolithic
index 808a539..7e77c03 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -245,12 +245,12 @@ $(installdir)/seusers: $(seusers)
# Clean the sources
#
clean:
- rm -f $(policy_conf)
- rm -f $(polver)
- rm -f $(fc)
- rm -f $(homedir_template)
- rm -f $(net_contexts)
- rm -f *.res
- rm -fR $(tmpdir)
+ $(verbose) rm -f $(policy_conf)
+ $(verbose) rm -f $(polver)
+ $(verbose) rm -f $(fc)
+ $(verbose) rm -f $(homedir_template)
+ $(verbose) rm -f $(net_contexts)
+ $(verbose) rm -f *.res
+ $(verbose) rm -fR $(tmpdir)
.PHONY: default policy install load reload enableaudit checklabels restorelabels relabel check longcheck clean
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2014-03-06 15:20 Sven Vermeulen
From: Sven Vermeulen @ 2014-03-06 15:20 UTC
To: gentoo-commits
commit: 8894cbd2d794b065be29b131b35291f341cce856
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Wed Mar 5 22:08:14 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Mar 6 15:18:22 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8894cbd2
Create .gitignore
This .gitignore file ignores every file which is removed by "make clean"
---
.gitignore | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..7eaab24
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,20 @@
+*.pp
+*.py[co]
+*.res
+
+/base.conf
+/base.fc
+/doc/global_booleans.xml
+/doc/global_tunables.xml
+/doc/html/
+/doc/policy.xml
+/file_contexts
+/homedir_template
+/net_contexts
+/policy.conf
+/policy.[0-9]*
+/policy/booleans.conf
+/policy/modules.conf
+/policy/modules/kernel/corenetwork.if
+/policy/modules/kernel/corenetwork.te
+/tmp/
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2014-03-17 8:24 Sven Vermeulen
From: Sven Vermeulen @ 2014-03-17 8:24 UTC
To: gentoo-commits
commit: e51e839b198fb014732315fa4b8398134a31c3a8
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Tue Feb 18 23:26:33 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Mar 17 08:19:25 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e51e839b
Fix parallel build of the policy
Before this commit, "make -j2" would execute the rules written to build
tmp/all_post.conf twice at the same time, because these rules were applied
every time tmp/all_post.conf, tmp/all_attrs_types.conf and
tmp/only_te_rules.conf needed to be built. However, executing such a line
twice in parallel is buggy:
$(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> \
tmpdir)/all_post.conf
This is why "make" reports the following error for parallel builds:
Compiling refpolicy-patched base module
/usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
/usr/bin/checkmodule: loading policy configuration from base.conf
policy/modules/kernel/ubac.te":710:ERROR 'syntax error' at token
'fs_use_trans' on line 26520:
fs_use_trans devtmpfs system_u:object_r:device_t:s0;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/base.mod] Error 1
This commit fixes this bug by splitting the rules into 3 different targets,
in both monolithic and modular builds.
---
Rules.modular | 24 ++++++++++++++----------
Rules.monolithic | 24 ++++++++++++++----------
2 files changed, 28 insertions(+), 20 deletions(-)
diff --git a/Rules.modular b/Rules.modular
index 58e94da..2c5f5ff 100644
--- a/Rules.modular
+++ b/Rules.modular
@@ -157,17 +157,21 @@ $(tmpdir)/post_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf
# extract attributes and put them first. extract post te stuff
# like genfscon and put last.
-$(tmpdir)/all_attrs_types.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf
- $(verbose) $(get_type_attr_decl) $(tmpdir)/all_te_files.conf | $(SORT) > $(tmpdir)/all_attrs_types.conf
- $(verbose) cat $(tmpdir)/post_te_files.conf > $(tmpdir)/all_post.conf
+$(tmpdir)/all_attrs_types.conf: $(tmpdir)/all_te_files.conf
+ $(verbose) $(get_type_attr_decl) $^ | $(SORT) > $@
+
+$(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf
+ $(verbose) cat $(tmpdir)/post_te_files.conf > $@
# these have to run individually because order matters:
- $(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
- $(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
- $(verbose) $(GREP) ^genfscon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
- $(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
- $(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
- $(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
- $(verbose) $(comment_move_decl) $(tmpdir)/all_te_files.conf > $(tmpdir)/only_te_rules.conf
+ $(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) ^genfscon $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $@ || true
+
+$(tmpdir)/only_te_rules.conf: $(tmpdir)/all_te_files.conf
+ $(verbose) $(comment_move_decl) $^ > $@
########################################
#
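Review bot: the split is the right fix for the race (each target now has exactly one recipe writing $@ with ">"), but the new all_attrs_types.conf and only_te_rules.conf recipes use $^, which expands to every prerequisite; that is fine today with a single prerequisite, yet the moment someone adds $(m4support) or another dependency to either rule the generator will be fed the extra file as input. $< (first prerequisite) expresses the intent and survives that change. The "|| true" after each $(GREP) in the all_post.conf recipe also masks any grep failure (an unreadable input, not just "no match"); "|| [ $$? -eq 1 ]" would only tolerate the no-match exit status.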
diff --git a/Rules.monolithic b/Rules.monolithic
index 7e77c03..b635952 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -144,17 +144,21 @@ $(tmpdir)/post_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf
# extract attributes and put them first. extract post te stuff
# like genfscon and put last.
-$(tmpdir)/all_attrs_types.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf
- $(verbose) $(get_type_attr_decl) $(tmpdir)/all_te_files.conf | $(SORT) > $(tmpdir)/all_attrs_types.conf
- $(verbose) cat $(tmpdir)/post_te_files.conf > $(tmpdir)/all_post.conf
+$(tmpdir)/all_attrs_types.conf: $(tmpdir)/all_te_files.conf
+ $(verbose) $(get_type_attr_decl) $^ | $(SORT) > $@
+
+$(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf
+ $(verbose) cat $(tmpdir)/post_te_files.conf > $@
# these have to run individually because order matters:
- $(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
- $(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
- $(verbose) $(GREP) ^genfscon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
- $(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
- $(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
- $(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
- $(verbose) $(comment_move_decl) $(tmpdir)/all_te_files.conf > $(tmpdir)/only_te_rules.conf
+ $(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) ^genfscon $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $@ || true
+
+$(tmpdir)/only_te_rules.conf: $(tmpdir)/all_te_files.conf
+ $(verbose) $(comment_move_decl) $^ > $@
########################################
#
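Review bot: the same $^ versus $< point as in the Rules.modular hunk above applies here; the two files now carry identical rule blocks, so any later fix has to be applied to both.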
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2014-03-17 8:24 Sven Vermeulen
From: Sven Vermeulen @ 2014-03-17 8:24 UTC
To: gentoo-commits
commit: 1c87eadb60ce644917ec8a2812dd08363a7e3679
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Mar 14 15:00:00 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Mar 17 08:19:33 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1c87eadb
Add symlink to contrib Changelog for easy reference.
---
Changelog.contrib | 1 +
1 file changed, 1 insertion(+)
diff --git a/Changelog.contrib b/Changelog.contrib
new file mode 120000
index 0000000..452cbbb
--- /dev/null
+++ b/Changelog.contrib
@@ -0,0 +1 @@
+policy/modules/contrib/Changelog
\ No newline at end of file
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2014-03-17 8:24 Sven Vermeulen
From: Sven Vermeulen @ 2014-03-17 8:24 UTC
To: gentoo-commits
commit: 2b5cfabb44b7bbd8e7870c5a424e0f561846afba
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Mar 17 08:21:02 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Mar 17 08:21:02 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2b5cfabb
Update Changelog and VERSION for release (by Chris PeBenito)
---
Changelog | 424 +++++++++++++++++++++++++++++++++-----------------------------
VERSION | 2 +-
2 files changed, 229 insertions(+), 197 deletions(-)
diff --git a/Changelog b/Changelog
index 85be207..4444be1 100644
--- a/Changelog
+++ b/Changelog
@@ -1,218 +1,250 @@
-* Wed Apr 24 2013 Chris PeBenito <selinux@tresys.com> - 2.20130424
-Chris PeBenito (78):
- Mcelog update from Guido Trentalancia.
- Add bird contrib module from Dominick Grift.
- Minor whitespace fix in udev.fc
- Module version bump for udev binary location update from Sven Vermeulen.
- clarify the file_contexts.subs_dist configuration file usage from Guido
- Trentalancia
+* Tue Mar 11 2014 Chris PeBenito <selinux@tresys.com> - 2.20140311
+Chris PeBenito (96):
+ Update contrib to pull in minidlna.
+ Remove general unlabeled packet usage.
Update contrib.
- Remove trailing / from paths
- Module version bump for fc substitutions optimizations from Sven
- Vermeulen.
+ Use python libselinux bindings to determine policy version.
+ Add MLS constraints for x_pointer and x_keyboard.
+ Add label for parted.
+ Fix support/policyvers.py not to error if building policy on a
+ SELinux-disabled system.
+ Module version bump for kerberos keytab changes for ssh from Dominick
+ Grift.
+ Module version bump for pstore filesystem support from Dominick Grift.
+ Module version bump for redis port from Dominick Grift.
Update contrib.
- Module version bump for /run/dhcpc directory creation by dhcp from Sven
- Vermeulen.
- Module version bump for fc fixes in devices module from Dominick Grift.
+ Add comment for setfiles using /dev/console when it needs to be relabeled.
+ Module version bump for xserver and selinuxutil updates from Dominick
+ Grift.
+ Module version bump for tmpfs associate to device_t from Dominick Grift.
+ Module version bump for syslog reading overcommit_memory from Dominick
+ Grift.
+ Module version bump for ethtool reading pm-powersave.lock from Dominick
+ Grift.
+ Module version bump for sysadm fix for git role usage from Dominick Grift.
+ Module version bump for lvm update from Dominick Grift.
+ Module version bump for fc fix in authlogin from Dominick Grift.
+ Module version bump for restricted x user template fix from Dominick
+ Grift.
+ Add comment for debian avahi-daemon-check-dns.sh usage by udev
+ Module version bump for udev Debian fixes from Dominick Grift.
+ Module version bump for selinuxfs location change from Dominick Grift.
Update contrib.
- Module version bump for /dev/mei type and label from Dominick Grift.
- Module version bump for init_daemon_run_dirs usage from Sven Vermeulen.
- Module version bump for lost+found labeling in /var/log from Guido
- Trentalancia.
- Module version bump for loop-control patch.
- Turn off all tunables by default, from Guido Trentalancia.
- Add /usr/lib to TEST_TOOLCHAIN LD_LIBRARY_PATH.
- Module version bump for various changes from Sven Vermeulen.
- Module version bump for ports update from Dominick Grift.
- Module version bump for Debian file context updates from Laurent
- Bigonville.
+ Module version bump for unconfined dbus fixes from Dominick Grift.
+ Whitespace fix in terminal.te.
+ Module version bump for virtio console from Dominick Grift.
+ Module version bump for init interface and corecommand fc from Dominick
+ Grift.
+ Module version bump for ping capabilities from Sven Vermeulen.
+ Module version bump for slim fc entries from Sven Vermeulen.
+ Module version bump for xdm dbus access from Dominick Grift.
+ Rearrange sysnet if blocks.
+ Module version bump for debian ifstate changes from Dominick Grift.
+ Module version bump for xserver console and fc fixes from Dominick Grift.
+ Module version bump for gdomap port from Dominick Grift.
+ Module version bumps for dhcpc leaked fds to hostname.
+ Module version bump for ssh server caps for Debian from Dominick Grift.
+ Move stray Debian rule in udev.
+ Update contrib
+ Module version bumps for Debian udev updates from Dominick Grift.
+ Module version bump for mount updates from Dominick Grift.
+ Silence symlink reading by setfiles since it doesn't follow symlinks
+ anyway.
+ Reorder dhcpc additions.
+ Module version bump for dhcpc fixes from Dominick Grift.
+ Add comments about new capabilities for syslogd_t.
+ Module version bumps for syslog-ng and semodule updates.
Update contrib.
+ Module version bump for first batch of patches from Dominick Grift.
Update contrib.
- split kmod fc into two lines.
- Module version bump for kmod fc from Laurent Bigonville.
- Module version bump for cfengine fc change from Dominick Grift.
- Module verision bump for Debian cert file fc update from Laurent
+ Rearrage userdom_delete_user_tmpfs_files() interface.
+ setrans: needs to be able to get attributes of selinuxfs, else fails to
+ start in Debian
+ Whitespace fix in fstools.
+ Add comment in policy for lvm sysfs write.
+ Module version bump for second lot of patches from Dominick Grift.
+ Whitespace fix in usermanage.
+ Whitespace fix in libraries.
+ Module version bump for patches from Dominick Grift.
+ Whitespace fix in init.te.
+ init: init_script_domain() allow system_r role the init script domain type
+ init: creates /run/utmp
+ Module version bump for 4 init patches from Dominick Grift.
+ Fix Debian compile issue.
+ Module version bump for 2 patches from Dominick Grift.
+ Module version bump for patch from Laurent Bigonville.
+ Update contrib.
+ Module version bump for patch from Laurent Bigonville.
+ Module version bump for xserver change from Dominick Grift.
+ Merge file_t into unlabeled_t, as they are security equivalent.
+ Update modules for file_t merge into unlabeled_t.
+ Make the QUIET build option apply to clean and bare targets.
+ Module version bump for direct initrc fixes from Dominick Grift.
+ Module version bump for module store labeling fixes from Laurent
Bigonville.
- Module version bump for ipsec net sysctls reading from Miroslav Grepl.
- Module version bump for srvloc port definition from Dominick Grift.
- Rename cachefiles_dev_t to cachefiles_device_t.
- Module version bump for cachefiles core support.
- Module version bump for changes from Dominick Grift and Sven Vermeulen.
- Module version bump for modutils patch from Dominick Grift.
- Module version bump for dhcp6 ports, from Russell Coker.
- Rearrange new xserver interfaces.
- Rename new xserver interfaces.
- Module version bump for xserver interfaces from Dominick Grift.
- Move kernel_stream_connect() declaration.
- Module version bump for kernel_stream_connect() from Dominick Grift.
- Rename logging_search_all_log_dirs to logging_search_all_logs
- Module version bump for minor logging and sysnet changes from Sven
- Vermeulen.
- Module version bump for dovecot libs from Mika Pflueger.
- Rearrange interfaces in files, clock, and udev.
- Module version bump for interfaces used by virt from Dominick Grift.
- Module version bump for arping setcap from Dominick Grift.
- Rearrange devices interfaces.
- Module version bump/contrib sync.
- Rearrange lines.
- Module version bump for user home content fixes from Dominick Grift.
- Rearrange files interfaces.
- Module version bump for Gentoo openrc fixes for /run from Sven Vermeulen.
+ Remove ZFS symlink labeling.
+ Fix ZFS fc escaping in mount.
+ Rearrange ZFS fc entries.
+ Module version bump for ZFS tools fc entries from Matthew Thode.
+ Module version bump for unconfined transition to dpkg from Laurent
+ Bigonville.
+ Module version bump for logging fc patch from Laurent Bigonville.
Update contrib.
- Whitespace fix in miscfiles.fc.
- Adjust man cache interface names.
- Module version bump for man cache from Dominick Grift.
- Module version bump for Debian ssh-keysign location from Laurent
+ Module version bump for pid file directory from Russell Coker/Laurent
Bigonville.
- Module version bump for userdomain portion of XDG updates from Dominick
- Grift.
- Module version bump for iptables fc entry from Sven Vermeulen and inn log
- from Dominick Grift.
- Module version bump for logging and tcpdump fixes from Sven Vermeulen.
- Move mcs_constrained() impementation.
- Module version bump for mcs_constrained from Dominick Grift.
+ Rename gpg_agent_connect to gpg_stream_connect_agent.
+ Rearrange gpg agent calls.
+ Module version bump for ssh use of gpg-agent from Luis Ressel.
+ Module version bump for files_dontaudit_list_var() interface from Luis
+ Ressel.
+ Move bin_t fc from couchdb to corecommands.
Update contrib.
- Module version bump from Debian changes from Laurent Bigonville.
- Module version bump for zfs labeling from Matthew Thode.
- Module version bump for misc updates from Sven Vermeulen.
+ Module version bump for sesh fc from Nicolas Iooss.
+ Move loop control interface definition.
+ Rename mount_read_mount_loopback() to mount_read_loopback_file().
+ Module version bump for loopback file mounting fixes from Luis Ressel.
+ Fix read loopback file interface.
+ Update contrib.
+ Module version bump for bootloader fc fixes from Luis Ressel.
Update contrib.
- Module version bump for fixes from Dominick Grift.
- Module version bump for Debian updates from Laurent Bigonville.
- Fix bug in userdom_delete_all_user_home_content_files() from Kohei KaiGai.
- Update contrib
- Fix fc_sort.c warning uncovered by recent gcc
- Module version bump for chfn fixes from Sven Vermeulen.
- Add swapoff fc entry.
- Add conntrack fc entry.
Update contrib.
- Update contrib
- Archive old Changelog for log format change.
Bump module versions for release.
-Dominick Grift (40):
- There can be more than a single watchdog interface
- Fix a suspected typo
- Intel® Active Management Technology
- Declare a loop control device node type and label /dev/loop-control
- accordingly
- Declare port types for ports used by Fedora but use /etc/services for port
- names rather than using fedora port names. If /etc/services does not
- have a port name for a port used by Fedora, skip for now.
- Remove var_log_t file context spec
- svrloc port type declaration from slpd policy module
- Declare a cachfiles device node type
- Implement files_create_all_files_as() for cachefilesd
- Restricted Xwindows user domains run windows managers in the windows
- managers domain
- Declare a cslistener port type for phpfpm
- Changes to the sysnetwork policy module
- Changes to the userdomain policy module
- Changes to the bootloader policy module
- Changes to the modutils policy module
- Changes to the xserver policy module
- Changes to various policy modules
- Changes to the kernel policy module
- For svirt_lxc_domain
- For svirt_lxc_domain
- For svirt_lxc_domain
- For virtd lxc
- For virtd_lxc
- For virtd_lxc
- For virtd lxc
- For virtd lxc
- For virtd
- Arping needs setcap to cap_set_proc
- For virtd
- Changes to the user domain policy module
- Samhain_admin() now requires a role for the role_transition from $1 to
- initrc_t via samhain_initrc_exec_t
- Changes to the user domain policy module
- Label /var/cache/man with a private man cache type for mandb
- Create a attribute user_home_content_type and assign it to all types that
- are classified userdom_user_home_content()
- These two attribute are unused
- System logger creates innd log files with a named file transition
- Implement mcs_constrained_type
- Changes to the init policy module
- Changes to the userdomain policy module
- NSCD related changes in various policy modules
+Dominick Grift (58):
+ The kerberos_keytab_template() template is deprecated: Breaks monolithic
+ built (out-of-scope)
+ Initial pstore support
+ Support redis port tcp,6379
+ These regular expressions were not matched
+ Restorecon reads, and writes /dev/console before it is properly labeled
+ filesystem: associate tmpfs_t (shm) to device_t (devtmpfs) file systems
+ logging: syslog (rs:main Q:Reg) reading sysctl_vm files
+ (overcommit_memory) in Debian
+ sysnetwork: ethtool reads /run/pm-utils/locks/pm-powersave.lock
+ sysadm: Doesnt work with direct_initrc = y
+ lvm: lvm and udisks-lvm-pv-e read /run/udev/queue.bin
+ authlogin: Sudo file context specification did not catch paths (squash me)
+ userdomain: restricted xwindows user (squash me)
+ udev: This is specific to debian i think. Some how the
+ /usr/lib/avahi/avahi-daemon-check-dns\.sh ends up in the udev_t domain
+ selinux: selinuxfs is now mounted under /sys/fs/selinux instead of
+ /selinux, so we need to allow domains that use selinuxfs to interface
+ with SELinux to traverse /sys/fs to be able to get to /sys/fs/selinux
+ Unconfined domains have unconfined access to all of dbus rather than only
+ system bus
+ Initial virtio console device
+ init: create init_use_inherited_script_ptys() for tmpreaper (Debian)
+ corecmd: avahi-daemon executes /usr/lib/avahi/avahi-daemon-check-dns.sh
+ xdm: is a system bus client and acquires service on the system bus xdm:
+ dbus chat with accounts-daemon
+ sysnetwork: Debian stores network interface configuration in /run/network
+ (ifstate), That directory is created by the /etc/init.d/networking
+ script.
+ xserver: catch /run/gdm3
+ xserver: associate xconsole_device_t (/dev/xconsole) to device_t
+ (devtmpfs)
+ corenetwork: Declare gdomap port, tcp/udp:538
+ hostname: do not audit attempts by hostname to read and write dhcpc udp
+ sockets (looks like a leaked fd)
+ ssh: Debian sshd is configured to use capabilities
+ udev-acl.ck lists /run/udev/tags/udev-acl udev blocks suspend, and
+ compromises kernel
+ udev: runs: /usr/lib/avahi/avahi-daemon-check-dns.sh which creates
+ /run/avahi-daemon directory
+ mount: sets kernel thread priority mount: mount reads
+ /lib/modules/3.10-2-amd64/modules.dep mount: mount lists all mount
+ points
+ sysnetwork: dhcpc binds socket to random high udp ports sysnetwork: do not
+ audit attempts by ifconfig to read, and write dhcpc udp sockets (looks
+ like a leaked fd)
+ mount: fs_list_auto_mountpoint() is now redundant because autofs_t is
+ covered by files_list_all_mountpoints()
+ udev: this fc spec does not make sense, as there is no corresponding file
+ type transition for it
+ udev: the avahi dns check script run by udev in Debian chmods
+ /run/avahi-daemon
+ authlogin: unix_chkpwd traverses / on sysfs device on Debian
+ setrans: mcstransd reads filesystems file in /proc
+ udev: reads modules config: /etc/modprobe.d/alsa-base-blacklist.conf
+ fstools: hdparm append (what seems inherited from devicekit )
+ /var/log/pm-powersave.log fstools: hdparm reads
+ /run/pm-utils/locks/pm-powersave.lock
+ sysnetwork: dhcpc: networkmanager interface calls from Fedora. In Debian i
+ was able to confirm the need for
+ networkmanager_manage_lib_files(dhcpc_t) since dhclient reads
+ /var/lib/NetworkManager/dhclient-eth0.conf
+ sysbnetwork: dhclient searches /var/lib/ntp
+ sshd/setrans: make respective init scripts create pid dirs with proper
+ contexts
+ kernel: cryptomgr_test (kernel_t) requests kernel to load
+ cryptd(__driver-ecb-aes-aesni
+ xserver: already allowed by auth_login_pgm_domain(xdm_t)
+ unconfined: Do not domain transition to xserver_t (unconfined_t is
+ xserver_unconfined)
+ userdomain: add userdom_delete_user_tmpfs_files() for pulseaudio clients
+ These { read write } tty_device_t chr files on boot up in Debian
+ udev: udevd executable location changed
+ lvm: lvm writes read_ahead_kb
+ udev: in debian udevadm is located in /bin/udevadm
+ usermanage: Run /etc/cron\.daily/cracklib-runtime in the crack_t domain in
+ Debian
+ iptables: calls to firewalld interfaces from Fedora. The
+ firewalld_dontaudit_rw_tmp_files(iptables_t) was confirmed on Debian.
+ libraries: for now i can only confirm mmap, might need to be changed to
+ bin_t later if it turns out to need execute_no_trans
+ users: calls pulseaudio_role() for restricted xwindows users and
+ staff_t/user_t
+ init: for a specified automatic role transition to work. the source role
+ must be allowed to change manually to the target role
+ init: this is a bug in debian where tmpfs is mounted on /run, and so early
+ on in the boot process init creates /run/utmp and /run/initctl in a
+ tmpfs directory (/) tmpfs
+ init: exim init script runs various helper apps that create and manage
+ /var/lib/exim4/config.autogenerated.tmp file
+ init: the gdomap and minissdpd init scripts read the respective environ
+ files in /etc/default. We need to give them a private type so that we
+ can give the gdomap_admin() and minissdpd_admin() access to it, but it
+ seems overengineering to create private environ types for these files
+ xserver: These are no longer needed
+ Change behavior of init_run_daemon()
+ Apply direct_initrc to unconfined_r:unconfined_t
-Guido Trentalancia (1):
- add lost+found filesystem labels to support NSA security guidelines
+Laurent Bigonville (7):
+ Label /bin/fusermount like /usr/bin/fusermount
+ Allow udev to write in /etc/udev/rules.d
+ Label /etc/selinux/([^/]*/)?modules(/.*)? as semanage_store_t
+ Allow unconfined users to transition to dpkg_t domain
+ Add fcontext for rsyslog pidfile
+ Add fcontext for sshd pidfile and directory used for privsep
+ Move the ifdef at the end of the declaration block
-Laurent Bigonville (21):
- Add Debian locations for GDM 3
- Add Debian location for udisks helpers
- Add insmod_exec_t label for kmod executable
- Add Debian location for PKI files
- Add Debian location for ssh-keysign
- Properly label all the ssh host keys
- Allow udev_t domain to read files labeled as consolekit_var_run_t
- authlogin.if: Add auth_create_pam_console_data_dirs and
- auth_pid_filetrans_pam_var_console interfaces
- Label /etc/rc.d/init.d/x11-common as xdm_exec_t
- Drop /etc/rc.d/init.d/xfree86-common filecontext definition
- Label /var/run/shm as tmpfs_t for Debian
- Label /var/run/motd.dynamic as initrc_var_run_t
- Label /var/run/initctl as initctl_t
- udev.if: Call files_search_pid instead of files_search_var_lib in
- udev_manage_pid_files
- Label executables in /usr/lib/NetworkManager/ as bin_t
- Add support for rsyslog
- Label var_lock_t as a mountpoint
- Add mount_var_run_t type and allow mount_t domain to manage the files and
- directories
- Add initrc_t to use block_suspend capability
- Label executables under /usr/lib/gnome-settings-daemon/ as bin_t
- Label nut drivers that are installed in /lib/nut on Debian as bin_t
+Luis Ressel (10):
+ Conditionally allow ssh to use gpg-agent
+ kernel/files.if: Add files_dontaudit_list_var interface
+ kernel/devices.if: Add dev_rw_loop_control interface
+ system/mount.if: Add mount_read_mount_loopback interface
+ Allow mount_t usage of /dev/loop-control
+ Grant kernel_t necessary permissions for loopback mounts
+ Use xattr-labeling for squashfs.
+ Label fatsort as fsadm_exec_t.
+ Generalize grub2 pattern
+ Label grub2-install as bootloader_exec_t
Matthew Thode (1):
- Implement zfs support
-
-Mika Pflüger (2):
- Debian locations of gvfs and kde4 libexec binaries in /usr/lib
- Explicitly label dovecot libraries lib_t for debian
-
-Miroslav Grepl (1):
- Allow ipsec to read kernel sysctl
+ Extending support for SELinux on ZFS
-Paul Moore (1):
- flask: add the attach_queue permission to the tun_socket object class
+Nicolas Iooss (2):
+ Label /usr/lib/sudo/sesh as shell_exec_t
+ Create .gitignore
-Russell Coker (1):
- Label port 5546 as dhcpc_port_t and allow dhcpc_t to bind to TCP for
- client control
-
-Sven Vermeulen (27):
- New location for udevd binary
- Use substititions for /usr/local/lib and /etc/init.d
- DHCP client's hooks create /run/dhcpc directory
- Introduce init_daemon_run_dir transformation
- Use the init_daemon_run_dir interface for udev
- Allow initrc_t to create run dirs for core modules
- Puppet uses mount output for verification
- Allow syslogd to create /var/lib/syslog and
- /var/lib/misc/syslog-ng.persist
- Gentoo's openrc does not require initrc_exec_t for runscripts anymore
- Allow init scripts to read courier configuration
- Allow search within postgresql var directory for the stream connect
- interface
- Introduce logging_getattr_all_logs interface
- Introduce logging_search_all_log_dirs interface
- Support flushing routing cache
- Allow init to set attributes on device_t
- Introduce files_manage_all_pids interface
- Gentoo openrc migrates /var/run and /var/lock data to /run(/lock)
- Update files_manage_generic_locks with directory permissions
- Run ipset in iptables domain
- tcpdump chroots into /var/lib/tcpdump
- Remove generic log label for cron location
- Postgresql 9.2 connects to its unix stream socket
- lvscan creates the /run/lock/lvm directory if nonexisting (v2)
- Allow syslogger to manage cron log files (v2)
- Allow initrc_t to read stunnel configuration
- Introduce exec-check interfaces for passwd binaries and useradd binaries
- chfn_t reads in file context information and executes nscd
+Sven Vermeulen (7):
+ Add trivnet1 port (8200)
+ Get grub2-install to work properly
+ Support named file transition for fixed_disk_device_t
+ Allow ping to get/set capabilities
+ Extend slim /var/run expression
+ Allow semodule to create symlink in semanage_store_t
+ Allow capabilities for syslog-ng
* Wed Apr 24 2013 Chris PeBenito <selinux@tresys.com> - 2.20130424
Chris PeBenito (78):
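Review bot: several of the `+` entries being frozen into the release Changelog carry typos copied from commit subjects, and this is the last point at which they can be fixed cheaply: `Rearrage userdom_delete_user_tmpfs_files()` (should be "Rearrange"), `sysadm: Doesnt work with direct_initrc = y` ("Doesn't"), `udev: This is specific to debian i think. Some how the` ("Somehow", and Debian is otherwise capitalized throughout), and `sysbnetwork: dhclient searches /var/lib/ntp` ("sysnetwork", matching the other entries for that module). Since the per-author blocks are regenerated from git log, correct them in this file before tagging rather than editing history.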
diff --git a/VERSION b/VERSION
index d060af8..d2354ef 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.20130424
+2.20140311
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2014-06-25 19:06 Sven Vermeulen
From: Sven Vermeulen @ 2014-06-25 19:06 UTC
To: gentoo-commits
commit: fbd16c79b07f6bc3fa4b7555d395d9eb8f2d0514
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Thu Jun 19 14:48:38 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Jun 25 18:59:13 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fbd16c79
Always use the unknown permissions handling build option.
This compile-time feature is in the minimum-required checkpolicy/checkmodule
for building the policy, so it should always be used.
---
Makefile | 2 +-
Rules.modular | 5 +----
Rules.monolithic | 10 ++--------
build.conf | 2 +-
4 files changed, 5 insertions(+), 14 deletions(-)
diff --git a/Makefile b/Makefile
index 7e5bf4b..70b213a 100644
--- a/Makefile
+++ b/Makefile
@@ -209,7 +209,7 @@ endif
NAME ?= $(TYPE)
# default unknown permissions setting
-#UNK_PERMS ?= deny
+UNK_PERMS ?= deny
ifeq ($(DIRECT_INITRC),y)
M4PARAM += -D direct_sysadm_daemon
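Review bot: `UNK_PERMS ?= deny` now supplies a default but nothing in this hunk validates the value, and the `ifneq "$(UNK_PERMS)" ""` guards that used to tolerate an odd value are removed from the Rules files in the same patch, so a typo in build.conf or on the command line is only discovered when checkpolicy/checkmodule rejects `-U`. Since build.conf is clearly included before this point (the `NAME ?= $(TYPE)` and `ifeq ($(DIRECT_INITRC),y)` lines already consume its settings), this is the right place to fail early, e.g. `ifeq ($(filter $(UNK_PERMS),allow deny reject),)` / `$(error UNK_PERMS must be one of allow, deny, reject)` / `endif` immediately after the default.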
diff --git a/Rules.modular b/Rules.modular
index b2d2ac4..c3c914a 100644
--- a/Rules.modular
+++ b/Rules.modular
@@ -94,12 +94,9 @@ $(base_pkg): $(base_mod) $(base_fc) $(users_extra) $(tmpdir)/seusers
@test -d $(builddir) || mkdir -p $(builddir)
$(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(tmpdir)/seusers
-ifneq "$(UNK_PERMS)" ""
-$(base_mod): CHECKMODULE += -U $(UNK_PERMS)
-endif
$(base_mod): $(base_conf)
@echo "Compiling $(NAME) base module"
- $(verbose) $(CHECKMODULE) $^ -o $@
+ $(verbose) $(CHECKMODULE) -U $(UNK_PERMS) $^ -o $@
$(tmpdir)/seusers: $(seusers)
@mkdir -p $(tmpdir)
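Review bot: dropping the `ifneq "$(UNK_PERMS)" ""` guard changes the failure mode for an explicitly empty value. With `$(CHECKMODULE) -U $(UNK_PERMS) $^ -o $@`, `make UNK_PERMS=` (a command-line assignment overrides the `?=` default in Makefile) expands to `checkmodule -U policy.conf -o base.mod`, so the policy source is consumed as the `-U` argument and the error the user sees is about an invalid handle-unknown mode, not about the variable they cleared. Either keep a guard that errors out on an empty value or document that `UNK_PERMS` must never be empty.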
diff --git a/Rules.monolithic b/Rules.monolithic
index b8d180e..6505550 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -63,9 +63,6 @@ resetlabels: $(fcpath)
#
# Build a binary policy locally
#
-ifneq "$(UNK_PERMS)" ""
-$(polver): CHECKPOLICY += -U $(UNK_PERMS)
-endif
$(polver): $(policy_conf)
@echo "Compiling $(NAME) $(polver)"
ifneq ($(pv),$(kv))
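Review bot: the same `-U $(UNK_PERMS)` literal is now repeated on every checkpolicy/checkmodule invocation (this rule, the `$(loadpath)` rule below, and the base module rule in Rules.modular), which is exactly the drift the removed target-specific `CHECKPOLICY += -U $(UNK_PERMS)` avoided. Since the flag is now unconditional, set it once where `CHECKPOLICY` and `CHECKMODULE` are defined (`CHECKPOLICY += -U $(UNK_PERMS)`) and leave the recipes as `$(CHECKPOLICY) $^ -o $@`, so a future change to the handling cannot miss one of the three sites.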
@@ -73,15 +70,12 @@ ifneq ($(pv),$(kv))
@echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
@echo
endif
- $(verbose) $(CHECKPOLICY) $^ -o $@
+ $(verbose) $(CHECKPOLICY) -U $(UNK_PERMS) $^ -o $@
########################################
#
# Install a binary policy
#
-ifneq "$(UNK_PERMS)" ""
-$(loadpath): CHECKPOLICY += -U $(UNK_PERMS)
-endif
$(loadpath): $(policy_conf)
@echo "Compiling and installing $(NAME) $(loadpath)"
ifneq ($(pv),$(kv))
@@ -90,7 +84,7 @@ ifneq ($(pv),$(kv))
@echo
endif
@$(INSTALL) -d -m 0755 $(@D)
- $(verbose) $(CHECKPOLICY) $^ -o $@
+ $(verbose) $(CHECKPOLICY) -U $(UNK_PERMS) $^ -o $@
########################################
#
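Review bot: with unknown-permission handling now compiled into the installed `$(loadpath)` binary as well, an operator has no way to tell from the build which mode a loaded policy carries; it is worth a sentence in INSTALL (or an `@echo` next to "Compiling and installing $(NAME) $(loadpath)") that the kernel reports the effective choice in `/sys/fs/selinux/deny_unknown` (1 for deny and reject) and `/sys/fs/selinux/reject_unknown` (1 only for reject), which `sestatus` also prints as the deny_unknown status. That gives a concrete post-install check that the `-U deny` actually took effect on the target kernel.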
diff --git a/build.conf b/build.conf
index 5a521c4..0fffc2a 100644
--- a/build.conf
+++ b/build.conf
@@ -35,7 +35,7 @@ NAME = refpolicy
# can either be allowed, denied, or the policy loading
# can be rejected.
# allow, deny, and reject are current options.
-#UNK_PERMS = deny
+UNK_PERMS = deny
# Direct admin init
# Setting this will allow sysadm to directly
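Review bot: the comment above the setting lists the three modes but not the trade-off that makes `deny` the right default, and that is what a policy builder needs when deciding whether to change it: `deny` is fail-closed, so a permission or object class the running kernel knows but this policy does not define is refused at access-check time; `allow` is fail-open for exactly those cases; `reject` refuses to load the policy at all, which makes a policy/kernel mismatch visible at install time instead of as denials later. Also note that this is `UNK_PERMS = deny`, not `?=`, so it overrides an `UNK_PERMS` environment variable but still yields to a `make UNK_PERMS=...` command-line assignment; a short comment on that precedence would save the next person a trip through the Makefile.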
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2014-09-13 9:38 Sven Vermeulen
From: Sven Vermeulen @ 2014-09-13 9:38 UTC
To: gentoo-commits
commit: 01b5ed1e8b50ce80a59870a3175a8d5b318b8e8a
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Sep 13 09:37:33 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Sep 13 09:37:33 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=01b5ed1e
Merge branch 'master' of git+ssh://git.overlays.gentoo.org/proj/hardened-refpolicy
policy/modules/contrib/bluetooth.fc | 5 +++++
1 file changed, 5 insertions(+)
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2014-11-22 16:25 Sven Vermeulen
From: Sven Vermeulen @ 2014-11-22 16:25 UTC
To: gentoo-commits
commit: 8417dc67710b700fb07902f2061e4e5856a6dfa6
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Mon Nov 10 18:05:29 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 22 16:24:37 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8417dc67
Update Python requirement in INSTALL
PyXML has not been required to build the policy and its documentation
since at least Python 2.6, which comes with an "xml" module.
Moreover, some support scripts require Python 2.6 or above (and are
compatible with Python 3.4, maybe also with other versions of Python 3).
Add the minimum supported version of Python in INSTALL.
ML thread: http://oss.tresys.com/pipermail/refpolicy/2014-November/007440.html
---
INSTALL | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/INSTALL b/INSTALL
index f168ff5..5250cbe 100644
--- a/INSTALL
+++ b/INSTALL
@@ -3,7 +3,7 @@ Reference Policy has the following build requirements:
* libsemanage 2.1.6
* checkpolicy 2.1.8
* policycoreutils 2.1.10
- * Python PyXML
+ * Python >= 2.6
* GCC
To install Reference Policy sources into /etc/selinux/refpolicy/src/policy:
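Review bot: `* Python >= 2.6` reads as a Python 2 floor and leaves open whether a Python 3 interpreter satisfies the requirement, even though the commit message says the scripts run under 3.4; spell it out in the list itself, e.g. `* Python >= 2.6 (Python 3.4 also supported)`, so packagers building with only `python3` installed know they are supported without reading the git log.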
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2014-11-27 8:31 Jason Zaman
From: Jason Zaman @ 2014-11-27 8:31 UTC
To: gentoo-commits
commit: 6fa8e312341c91ad17a237666d45f188bd867da3
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 08:00:45 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Nov 26 16:29:04 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6fa8e312
add in travis config for testing
---
.travis.yml | 113 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 113 insertions(+)
diff --git a/.travis.yml b/.travis.yml
new file mode 100644
index 0000000..ce213a3
--- /dev/null
+++ b/.travis.yml
@@ -0,0 +1,113 @@
+# Originally by Nicolas Iooss from: https://github.com/fishilico/selinux-refpolicy-patched/blob/travis-upstream/.travis.yml
+
+language: python
+python:
+ - "2.7"
+
+# for T in standard mls mcs ; do for D in arch debian gentoo ; do for I in n y ; do for M in y n ; do
+# echo " - TYPE=$T DISTRO=$D DIRECT_INITRC=$I MONOLITHIC=$M" ; done ; done ; done ; done
+env:
+ - TYPE=standard DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n
+ - TYPE=mls DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n
+ - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n
+
+# Install SELinux userspace utilities dependencies
+before_install:
+# Show OS version information
+ - lsb_release -a
+ - sudo apt-get update -qq
+ - sudo apt-get install -qq libaudit-dev libcap-ng-dev libustr-dev swig
+
+# Compile and install a newer version of SELinux userspace utilities
+install:
+ # Setup the directory where SELinux utilities will be installed
+ - export DESTDIR="$HOME/selinux-project"
+ - mkdir "$DESTDIR"
+ - export PATH="$DESTDIR/usr/bin:$DESTDIR/usr/sbin:$DESTDIR/bin:$DESTDIR/sbin:$PATH"
+ - export LD_LIBRARY_PATH="$DESTDIR/usr/lib:$DESTDIR/lib:$LD_LIBRARY_PATH"
+
+ # On Ubuntu 12.04, default CFLAGS make the build fail in libsepol/cil with:
+ # error: declaration of 'index' shadows a global declarationo
+ # So define our own CFLAGS
+ - export CFLAGS="-O2 -pipe -fPIC -Wall"
+
+ # Download SELinux userspace tools and libraries
+ - wget https://github.com/SELinuxProject/selinux/archive/20140826-rc6.tar.gz
+ - tar -xzf 20140826-rc6.tar.gz
+ - mv selinux-20140826-rc6 selinux-src
+
+ # Download setools
+ - wget https://github.com/TresysTechnology/setools3/archive/setools-3.3.8.tar.gz
+ - tar -xzf setools-3.3.8.tar.gz
+ - mv setools3-setools-3.3.8 setools-src
+
+ # Ubuntu 12.04 coreutils is too old to provide "ln --relative" :(
+ - sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libsepol/src/Makefile
+ - sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libselinux/src/Makefile
+
+ # Compile and install SELinux libraries first
+ - make -C selinux-src/libsepol install
+ - make -C selinux-src/libselinux install
+ - make -C selinux-src/libsemanage install
+
+ # Now that the libraries are installed, use them to compile the tools
+ - export CFLAGS="$CFLAGS -I$DESTDIR/usr/include"
+ - export LDFLAGS="$LDFLAGS -L$DESTDIR/usr/lib"
+
+ # Compile and install setools
+ - cd setools-src
+ - aclocal && autoreconf -if && automake
+ - ./configure
+ --prefix="$DESTDIR/usr"
+ --disable-gui --disable-swig-tcl
+ --disable-bwidget-check --disable-selinux-check
+ --with-sepol-devel="$DESTDIR/usr"
+ --with-selinux-devel="$DESTDIR/usr"
+ - make -C libqpol DESTDIR= install
+ - make -C libapol DESTDIR= install
+ - cd ..
+
+ # Compile and install SELinux tools
+ - export LIBDIR="$DESTDIR/usr/lib"
+ - export LIBEXECDIR="$DESTDIR/usr/lib"
+ - export SHLIBDIR="$DESTDIR/usr/lib"
+ - export SEMODULE_PATH="$DESTDIR/usr/bin"
+ - make -C selinux-src/sepolgen install
+ - make -C selinux-src/checkpolicy install
+ - make -C selinux-src/policycoreutils install
+
+ # Use the newly-built toolchain
+ - export TEST_TOOLCHAIN="$DESTDIR"
+
+# XXX: not sure whether the definition in make command line are useful or whether the env definitions are enough
+# Use a heartbeat loop to produce output while compiling the policy, which takes quite a long time.
+script:
+ - make bare
+ - make TYPE="$TYPE" MONOLITHIC="$MONOLITHIC" conf
+
+# - if [ "$MONOLITHIC" = y ]; then
+# ( for A in $(seq 8) ; do sleep 300 ; echo "Heartbeat $((A*5)) minutes" ; done ) &
+# make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=y ;
+# fi
+# - if [ "$MONOLITHIC" = y ]; then make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=y file_contexts ; fi
+# - if [ "$MONOLITHIC" = y ]; then setfiles -c policy.$(checkpolicy -V | cut -d' ' -f1) file_contexts ; fi
+# - if [ "$MONOLITHIC" = n ]; then make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=n base ; fi
+# - if [ "$MONOLITHIC" = n ]; then make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=n modules ; fi
+# - if [ "$MONOLITHIC" = n ]; then
+# ( for A in $(seq 8) ; do sleep 300 ; echo "Heartbeat $((A*5)) minutes" ; done ) &
+# make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=n validate ;
+# fi
+
+ - make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=n base
+ - make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=n modules
+ - ( for A in $(seq 8) ; do sleep 300 ; echo "Heartbeat $((A*5)) minutes" ; done ) &
+ make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=n validate
+
+# Only build travis branches
+branches:
+ only:
+ - /^travis-.*/
+
+notifications:
+ email: false
+
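Review bot: the toolchain this job builds and then trusts to validate the policy is fetched with plain `wget` from GitHub archive URLs (`20140826-rc6.tar.gz`, `setools-3.3.8.tar.gz`) and unpacked with `tar -xzf` and no checksum or signature verification, so the CI result depends on whatever those URLs serve on a given day; pin a SHA-256 for each tarball and run `sha256sum -c` before extracting, or clone the tagged commit by hash. Separately, `MONOLITHIC` appears in the `env` matrix but is never consulted: every `make` in `script:` hardcodes `MONOLITHIC=n`, so either drop the variable or restore the `if [ "$MONOLITHIC" = y ]` branches that are left commented out, and the `TYPE=... MONOLITHIC="$MONOLITHIC" conf` line would then actually vary.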
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2014-12-04 1:46 Jason Zaman
From: Jason Zaman @ 2014-12-04 1:46 UTC
To: gentoo-commits
commit: 1e9ecfc88b2f1567c523abe231864544edf9bf24
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Dec 3 18:37:38 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec 3 20:32:15 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1e9ecfc8
Update Changelog and VERSION for release.
---
Changelog | 186 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
VERSION | 2 +-
2 files changed, 187 insertions(+), 1 deletion(-)
diff --git a/Changelog b/Changelog
index 4444be1..1f53185 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,189 @@
+* Wed Dec 03 2014 Chris PeBenito <selinux@tresys.com> - 2.20141203
+Artyom Smirnov (3):
+ New database object classes
+ Fixes for db_domain and db_exception
+ Renamed db_type to db_datatype, to avoid confusion with SELinux "type"
+
+Chris PeBenito (69):
+ Whitespace fix in postgresql.fc
+ Module version bump for postgresql fc entries from Luis Ressel.
+ Add symlink to contrib Changelog for easy reference.
+ Move lightdm line in xserver.fc.
+ Whitespace fix in xserver.fc.
+ Update contrib.
+ Module version bump for userdomain kernel symbol table fix from Nicolas
+ Iooss.
+ Module version bump for 2 Gentoo patches from Sven Vermeulen.
+ Update contrib.
+ Module version bump for 2 patch sets from Laurent Bigonville.
+ Update contrib.
+ Module version bump for gnome keyring fix from Laurent Bigonville.
+ Update contrib.
+ Module version bump for /sys/fs/selinux support from Sven Vermeulen.
+ Module version bump for fixes from Laurent Bigonville.
+ Update contrib.
+ Module version bumps for fc fixes from Nicolas Iooss.
+ Update contrib.
+ Add file for placing default_* statements.
+ Fix error in default_user example.
+ Module version bump for unconfined->lvm transition from Nicolas Iooss.
+ Need the __future__ import for python2 if using print().
+ Module version bump for ifconfig fc entry from Sven Vermeulen.
+ Module version bump for deprecated interface usage removal from Nicolas
+ Iooss.
+ Update contrib.
+ Module version bump for rcs2log and xserver updates from Sven Vermeulen.
+ Module version bump for shutdown transitions from Luis Ressel.
+ Remove firstboot_rw_t as FC5 has been gone for a long time.
+ Module version bump for firstboot_rw_t alias removal.
+ Module version bump for dropbox port from Sven Vermeulen.
+ Module version bump for unconfined syslog cap from Nicolas Iooss.
+ Always use the unknown permissions handling build option.
+ Merge pull request #1 from artyom-smirnov/master
+ Module version bump for zram fc entry from Jason Zaman.
+ Update contrib.
+ Module version bump for init_daemon_pid_file from Sven Vermeulen.
+ Move tumblerd fc entry
+ Module version bump for tumblerd fc entry from Jason Zaman.
+ Module version bump for libraries fc fix from Nicolas Iooss.
+ Update contrib.
+ Module version bump for fstools fc entries from Luis Ressel.
+ Module version bump for missing unlabeled interfaces from Sven Vermeulen.
+ Module version bump for ping rawip socket fix from Luis Ressel.
+ Module version bump for full IRC ports from Luis Ressel.
+ Move losetup addition in fstools.
+ Module version bump for losetup fixes from Luis Ressel.
+ Update contrib.
+ Module version bump for postgres fc revisions from Luis Ressel.
+ Module version bump for FUSE fix for mount from Luis Ressel.
+ Module version bump for misc fixes from Nicolas Iooss.
+ Move systemd fc entry.
+ Whitespace change in logging.fc.
+ Add comment for journald ring buffer reading.
+ Module version bumps for systemd/journald patches from Nicolas Iooss.
+ Update contrib.
+ /dev/log symlinks are not labeled devlog_t.
+ Module version bump for CIL fixes from Yuli Khodorkovskiy.
+ Drop RHEL4 and RHEL5 support.
+ Merge pull request #3 from bigon/arping
+ Merge pull request #4 from fishilico/minor-typo
+ Module version bump for Debian arping fc entries from Laurent Bigonville.
+ Add comment for iw generic netlink socket usage
+ Module version bump for /sbin/iw support from Nicolas Iooss.
+ Merge pull request #5 from bigon/audit_read
+ Update contrib.
+ Module version bump for misc fixes from Sven Vermeulen.
+ Update contrib.
+ Module version bump for module store move from Steve Lawrence.
+ Bump module versions for release.
+
+Elia Pinto (1):
+ Fix misspelling
+
+Jason Zaman (2):
+ File contexts for zram
+ File Context for tumbler
+
+Laurent Bigonville (14):
+ Properly label git-shell and other git commands for Debian
+ Label /usr/sbin/lightdm as xdm_exec_t
+ Create new xattrfs attribute and fs_getattr_all_xattr_fs() interface
+ Associate the new xattrfs attribute to fs_t and some pseudo-fs
+ Use new fs_getattr_all_xattr_fs interface for setfiles_t and restorecond_t
+ Add telepathy role for user_r and staff_r
+ Properly label the manpages installed by postgresql
+ Label /usr/local/share/ca-certificates(/.*)? as cert_t
+ Allow the xdm_t domain to enter all the gkeyringd ones
+ Label /etc/locale.alias as locale_t on Debian
+ Allow hugetlbfs_t to be associated to /dev
+ On Debian iputils-arping is installed in /usr/bin/arping
+ Debian also ship a different arping implementation
+ Add new audit_read access vector in capability2 class
+
+Luis Ressel (13):
+ Add two postgresql file contexts from gentoo policy
+ Allow init to execute shutdown
+ Allow xdm_t to transition to shutdown_t domain
+ Some of the fsadm tools can also be in /usr/sbin instead of /sbin
+ Label /usr/sbin/{add, del}part as fsadm_exec_t
+ Grant ping_t getattr on rawip_socket
+ kernel/corenetwork.te: Add all registered IRC ports
+ system/mount.if: Add mount_rw_loopback_files interface
+ system/fstools.if: Add fstools_use_fds interface
+ Add neccessary permissions for losetup
+ Only label administrative postgres commands as postgresql_exec_t
+ Also apply the new postgres labeling scheme on Debian
+ Grant mount permission to access /dev/fuse
+
+Nicolas Iooss (31):
+ Fix parallel build of the policy
+ fc_sort: fix typos in comments
+ fc_sort: initialize allocated memory to fix execution on an empty file
+ fc_sort: make outfile argument optional
+ userdomain: no longer allow unprivileged users to read kernel symbols
+ Label syslog-ng.pid as syslogd_var_run_t
+ filesystem: label cgroup symlinks
+ Label /usr/lib/getconf as bin_t
+ Label /usr/share/virtualbox/VBoxCreateUSBNode.sh as udev_helper_exec_t
+ Make support/policyvers.py compatible with Python 3
+ Make unconfined user run lvm programs in confined domain
+ No longer use deprecated MLS interfaces
+ Allow unconfined domains to use syslog capability
+ Label /lib symlink as lib_t for every distro
+ Label /usr/lib/networkmanager/ like /usr/lib/NetworkManager/
+ Add ioctl and lock to manage_lnk_file_perms
+ Label (/var)?/tmp/systemd-private-.../tmp like /tmp
+ Fix typo in fs_getattr_all_fs description
+ Label systemd files in init module
+ Introduce init_search_run interface
+ Label systemd-journald files and directories
+ Support logging with /run/systemd/journal/dev-log
+ Allow journald to read the kernel ring buffer and to use /dev/kmsg
+ Allow journald to access to the state of all processes
+ Remove redundant Gentoo-specific term_append_unallocated_ttys(syslogd_t)
+ Fix minor typo in init.if
+ Label /sbin/iw as ifconfig_exec_t
+ Allow iw to create generic netlink sockets
+ Use create_netlink_socket_perms when allowing netlink socket creation
+ Update Python requirement in INSTALL
+ Create tmp directory when compiling a .mod.fc file in a modular way
+
+Steve Lawrence (1):
+ Update policy for selinux userspace moving the policy store to
+ /var/lib/selinux
+
+Sven Vermeulen (24):
+ Hide getattr denials upon sudo invocation
+ Support /sys/devices/system/cpu/online
+ The security_t file system can be at /sys/fs/selinux
+ Dontaudit access on security_t file system at /sys/fs/selinux
+ ifconfig can also be in /bin
+ xserver_t needs to ender dirs labeled xdm_var_run_t
+ Enable rcs2log location for all distributions
+ Add dropbox_port_t support
+ Support initrc_t generated pid files with file transition
+ Deprecate init_daemon_run_dir interface
+ Use init_daemon_pid_file instead of init_daemon_run_dir
+ Introduce kernel_delete_unlabeled_symlinks
+ Introduce kernel_delete_unlabeled_pipes
+ Introduce kernel_delete_unlabeled_sockets
+ Introduce kernel_delete_unlabeled_blk_files
+ Introduce kernel_delete_unlabeled_chr_files
+ Run grub(2)-mkconfig in bootloader domain
+ Add auth_pid_filetrans_pam_var_run
+ New sudo manages timestamp directory in /var/run/sudo
+ xfce4-notifyd is an executable
+ Mark f2fs as a SELinux capable file system
+ Add in LightDM contexts
+ Add gfisk and efibootmgr as fsadm_exec_t
+ Add /var/lib/racoon as runtime directory for ipsec
+
+Yuli Khodorkovskiy (1):
+ Remove duplicate role declarations
+
+cgarst (1):
+ Updating submodule URL to github
+
* Tue Mar 11 2014 Chris PeBenito <selinux@tresys.com> - 2.20140311
Chris PeBenito (96):
Update contrib to pull in minidlna.
diff --git a/VERSION b/VERSION
index d2354ef..a9e4840 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.20140311
+2.20141203
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2015-02-15 17:39 Sven Vermeulen
0 siblings, 0 replies; 101+ messages in thread
From: Sven Vermeulen @ 2015-02-15 17:39 UTC (permalink / raw
To: gentoo-commits
commit: 7b3f359e242a5ec1b31229ccfa3e6dec82b69a87
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Feb 15 17:37:15 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Feb 15 17:37:15 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7b3f359e
Add validate target for monolithic policy
---
Rules.monolithic | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/Rules.monolithic b/Rules.monolithic
index d2de916..c2c2147 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -207,6 +207,15 @@ $(ncpath): $(net_contexts)
########################################
#
+# Validate file contexts
+#
+validate: $(fc) $(polver)
+ @echo "Validating $(NAME) file_contexts."
+ $(verbose) $(SETFILES) -q -c $(polver) $(fc)
+ @echo "Success."
+
+########################################
+#
# Run policy source checks
#
check: $(builddir)check.res
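Review bot: the new `validate` target is not declared phony, so a stray file named `validate` in the source tree would turn `make validate` into a silent no-op; add it to a `.PHONY` declaration next to the other non-file targets such as `check`. The rule body itself is sound: `$(SETFILES) -q -c $(polver) $(fc)` checks every file_contexts entry against the compiled policy, and a non-zero exit stops make before the `Success.` echo, so an invalid context cannot pass unnoticed.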
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2015-03-29 9:59 Jason Zaman
0 siblings, 0 replies; 101+ messages in thread
From: Jason Zaman @ 2015-03-29 9:59 UTC (permalink / raw
To: gentoo-commits
commit: 68026ee4a044cb3664ff3ea64d534104928d78b8
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Mar 25 16:37:18 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Mar 29 09:55:25 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=68026ee4
update travis file to newer userland (much faster)
.travis.yml | 105 +++++++++++++++---------------------------------------------
1 file changed, 26 insertions(+), 79 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index ce213a3..41c4a1f 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,4 +1,4 @@
-# Originally by Nicolas Iooss from: https://github.com/fishilico/selinux-refpolicy-patched/blob/travis-upstream/.travis.yml
+# Derived from Nicolas Iooss: https://github.com/fishilico/selinux-refpolicy-patched/blob/travis-upstream/.travis.yml
language: python
python:
@@ -8,105 +8,52 @@ python:
# echo " - TYPE=$T DISTRO=$D DIRECT_INITRC=$I MONOLITHIC=$M" ; done ; done ; done ; done
env:
- TYPE=standard DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n
- - TYPE=mls DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n
- TYPE=mcs DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n
+ - TYPE=mls DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n
+ - TYPE=standard DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n
+ - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n
+ - TYPE=mls DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n
-# Install SELinux userspace utilities dependencies
before_install:
-# Show OS version information
- lsb_release -a
+ - bison -V
+ - flex -V
- sudo apt-get update -qq
- - sudo apt-get install -qq libaudit-dev libcap-ng-dev libustr-dev swig
-
-# Compile and install a newer version of SELinux userspace utilities
-install:
- # Setup the directory where SELinux utilities will be installed
- - export DESTDIR="$HOME/selinux-project"
- - mkdir "$DESTDIR"
- - export PATH="$DESTDIR/usr/bin:$DESTDIR/usr/sbin:$DESTDIR/bin:$DESTDIR/sbin:$PATH"
- - export LD_LIBRARY_PATH="$DESTDIR/usr/lib:$DESTDIR/lib:$LD_LIBRARY_PATH"
-
- # On Ubuntu 12.04, default CFLAGS make the build fail in libsepol/cil with:
- # error: declaration of 'index' shadows a global declarationo
- # So define our own CFLAGS
- - export CFLAGS="-O2 -pipe -fPIC -Wall"
- # Download SELinux userspace tools and libraries
- - wget https://github.com/SELinuxProject/selinux/archive/20140826-rc6.tar.gz
- - tar -xzf 20140826-rc6.tar.gz
- - mv selinux-20140826-rc6 selinux-src
+ # Install SELinux userspace utilities dependencies
+ - sudo apt-get install -qq libaudit-dev libcap-ng-dev libustr-dev libpcre3-dev swig
- # Download setools
- - wget https://github.com/TresysTechnology/setools3/archive/setools-3.3.8.tar.gz
- - tar -xzf setools-3.3.8.tar.gz
- - mv setools3-setools-3.3.8 setools-src
+install:
+ # Download current SELinux userspace tools and libraries
+ - curl -sS -L https://github.com/SELinuxProject/selinux/archive/20150202.tar.gz | tar xz
+ - mv selinux-20150202 selinux-src
# Ubuntu 12.04 coreutils is too old to provide "ln --relative" :(
- sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libsepol/src/Makefile
- sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libselinux/src/Makefile
- # Compile and install SELinux libraries first
- - make -C selinux-src/libsepol install
- - make -C selinux-src/libselinux install
- - make -C selinux-src/libsemanage install
-
- # Now that the libraries are installed, use them to compile the tools
- - export CFLAGS="$CFLAGS -I$DESTDIR/usr/include"
- - export LDFLAGS="$LDFLAGS -L$DESTDIR/usr/lib"
+ # Drop sepolicy to break setools dependence (sepolicy isn't used anyway)
+ - sed -i -e 's/sepolicy//' selinux-src/policycoreutils/Makefile
- # Compile and install setools
- - cd setools-src
- - aclocal && autoreconf -if && automake
- - ./configure
- --prefix="$DESTDIR/usr"
- --disable-gui --disable-swig-tcl
- --disable-bwidget-check --disable-selinux-check
- --with-sepol-devel="$DESTDIR/usr"
- --with-selinux-devel="$DESTDIR/usr"
- - make -C libqpol DESTDIR= install
- - make -C libapol DESTDIR= install
- - cd ..
-
- # Compile and install SELinux tools
- - export LIBDIR="$DESTDIR/usr/lib"
- - export LIBEXECDIR="$DESTDIR/usr/lib"
- - export SHLIBDIR="$DESTDIR/usr/lib"
- - export SEMODULE_PATH="$DESTDIR/usr/bin"
- - make -C selinux-src/sepolgen install
- - make -C selinux-src/checkpolicy install
- - make -C selinux-src/policycoreutils install
+ # Compile and install SELinux toolchain
+ # On Ubuntu 12.04, default CFLAGS make the build fail in libsepol/cil with:
+ # error: declaration of 'index' shadows a global declarationo
+ - sudo make CFLAGS="-O2 -pipe -fPIC -Wall" -C selinux-src install
- # Use the newly-built toolchain
- - export TEST_TOOLCHAIN="$DESTDIR"
+ # Drop build.conf settings to listen to env vars
+ - sed -r -i -e '/(DIRECT_INITRC|MONOLITHIC|TYPE|DISTRO)/d' build.conf
-# XXX: not sure whether the definition in make command line are useful or whether the env definitions are enough
-# Use a heartbeat loop to produce output while compiling the policy, which takes quite a long time.
script:
+ - echo $TYPE $DISTRO $DIRECT_INITRC $MONOLITHIC
- make bare
- - make TYPE="$TYPE" MONOLITHIC="$MONOLITHIC" conf
-
-# - if [ "$MONOLITHIC" = y ]; then
-# ( for A in $(seq 8) ; do sleep 300 ; echo "Heartbeat $((A*5)) minutes" ; done ) &
-# make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=y ;
-# fi
-# - if [ "$MONOLITHIC" = y ]; then make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=y file_contexts ; fi
-# - if [ "$MONOLITHIC" = y ]; then setfiles -c policy.$(checkpolicy -V | cut -d' ' -f1) file_contexts ; fi
-# - if [ "$MONOLITHIC" = n ]; then make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=n base ; fi
-# - if [ "$MONOLITHIC" = n ]; then make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=n modules ; fi
-# - if [ "$MONOLITHIC" = n ]; then
-# ( for A in $(seq 8) ; do sleep 300 ; echo "Heartbeat $((A*5)) minutes" ; done ) &
-# make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=n validate ;
-# fi
-
- - make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=n base
- - make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=n modules
- - ( for A in $(seq 8) ; do sleep 300 ; echo "Heartbeat $((A*5)) minutes" ; done ) &
- make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=n validate
+ - make conf
+ - make
+ - make validate
-# Only build travis branches
branches:
only:
- /^travis-.*/
+ - master
notifications:
email: false
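Review bot: the toolchain is fetched with `curl -sS -L … 20150202.tar.gz | tar xz` and then installed system-wide with `sudo make CFLAGS=… -C selinux-src install` with no integrity check on the archive, so whatever the download endpoint serves is built and installed as root on the CI box and shadows the distribution's own libselinux/libsepol packages; record the expected sha256 of the tarball and verify it (`sha256sum -c`) before extracting, and install under a DESTDIR as the removed configuration did (`export DESTDIR="$HOME/selinux-project"`) rather than over the system packages. Smaller points in the same hunk: the generator comment at the top still loops `for M in y n`, yet every remaining matrix entry has `MONOLITHIC=n`, and the carried-over comment `shadows a global declarationo` has a typo.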
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
2015-10-26 5:36 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-10-26 5:48 ` Jason Zaman
0 siblings, 0 replies; 101+ messages in thread
From: Jason Zaman @ 2015-10-26 5:48 UTC (permalink / raw
To: gentoo-commits
commit: 7df299c23e81022962f221aca35cc00f76015dbd
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Oct 26 04:12:02 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 04:12:02 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7df299c2
Add SystemD build option to travis.yml
.travis.yml | 39 +++++++++++++++++++++++++++++----------
1 file changed, 29 insertions(+), 10 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index 41c4a1f..b3dd454 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -4,15 +4,33 @@ language: python
python:
- "2.7"
-# for T in standard mls mcs ; do for D in arch debian gentoo ; do for I in n y ; do for M in y n ; do
-# echo " - TYPE=$T DISTRO=$D DIRECT_INITRC=$I MONOLITHIC=$M" ; done ; done ; done ; done
+# for T in standard mls mcs ; do for D in arch debian gentoo ; do for I in n y ; do for M in y n ; do for S in n y ; do
+# echo " - TYPE=$T DISTRO=$D DIRECT_INITRC=$I MONOLITHIC=$M SYSTEMD=$S" ; done ; done ; done ; done ; done
env:
- - TYPE=standard DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n
- - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n
- - TYPE=mls DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n
- - TYPE=standard DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n
- - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n
- - TYPE=mls DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n
+ - TYPE=standard DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=y SYSTEMD=n
+ - TYPE=standard DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=y SYSTEMD=y
+ - TYPE=standard DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n SYSTEMD=n
+ - TYPE=standard DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n SYSTEMD=y
+ - TYPE=standard DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=y SYSTEMD=n
+ - TYPE=standard DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=y SYSTEMD=y
+ - TYPE=standard DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n SYSTEMD=n
+ - TYPE=standard DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n SYSTEMD=y
+ - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=y SYSTEMD=n
+ - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=y SYSTEMD=y
+ - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n SYSTEMD=n
+ - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n SYSTEMD=y
+ - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=y SYSTEMD=n
+ - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=y SYSTEMD=y
+ - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n SYSTEMD=n
+ - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n SYSTEMD=y
+ - TYPE=mls DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=y SYSTEMD=n
+ - TYPE=mls DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=y SYSTEMD=y
+ - TYPE=mls DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n SYSTEMD=n
+ - TYPE=mls DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n SYSTEMD=y
+ - TYPE=mls DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=y SYSTEMD=n
+ - TYPE=mls DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=y SYSTEMD=y
+ - TYPE=mls DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n SYSTEMD=n
+ - TYPE=mls DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n SYSTEMD=y
before_install:
- lsb_release -a
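Review bot: the matrix now spells out all 24 combinations of TYPE × DIRECT_INITRC × MONOLITHIC × SYSTEMD, each a full policy build, while the generator comment above it also iterates `DISTRO` over arch/debian/gentoo but only the gentoo entries are kept; either drop `DISTRO` from the comment or say why only gentoo is built. If CI time matters, a Travis `matrix:` include/exclude list would express the intended subset more readably than 24 hand-written `env` lines.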
@@ -41,10 +59,10 @@ install:
- sudo make CFLAGS="-O2 -pipe -fPIC -Wall" -C selinux-src install
# Drop build.conf settings to listen to env vars
- - sed -r -i -e '/(DIRECT_INITRC|MONOLITHIC|TYPE|DISTRO)/d' build.conf
+ - sed -r -i -e '/(DIRECT_INITRC|MONOLITHIC|TYPE|DISTRO|SYSTEMD)/d' build.conf
script:
- - echo $TYPE $DISTRO $DIRECT_INITRC $MONOLITHIC
+ - echo $TYPE $DISTRO $DIRECT_INITRC $MONOLITHIC $SYSTEMD
- make bare
- make conf
- make
@@ -53,6 +71,7 @@ script:
branches:
only:
- /^travis-.*/
+ - next
- master
notifications:
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2015-12-17 16:10 Jason Zaman
0 siblings, 0 replies; 101+ messages in thread
From: Jason Zaman @ 2015-12-17 16:10 UTC (permalink / raw
To: gentoo-commits
commit: 8ba3d32077cb80df69133ea44ab31a39992427c8
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Dec 8 14:53:02 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:25:22 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8ba3d320
Update Changelog and VERSION for release.
Changelog | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
VERSION | 2 +-
2 files changed, 88 insertions(+), 1 deletion(-)
diff --git a/Changelog b/Changelog
index 1f53185..617f49e 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,90 @@
+* Tue Dec 08 2015 Chris PeBenito <selinux@tresys.com> - 2.20151208
+Alexander Wetzel (1):
+ adds vfio device support to base policy
+
+Chris PeBenito (48):
+ Module version bump for optional else block removal from Steve Lawrence.
+ Add always_check_network policy capability.
+ Update contrib.
+ Fix domain_mmap_low() to be a proper tunable.
+ Add initial Travis CI configuration.
+ Travis CI already exports variables.
+ Add validate target for monolithic policy.
+ Update contrib.
+ Use matrix keyword to simplify travis-ci build definitions.
+ Undo last commit.
+ Simplify travis-ci build handling of SELinux toolchain.
+ Update contrib.
+ Module version bump for fstools blkid fix from Jason Zaman
+ Update contrib.
+ Module version bump for debufs mount point fc entry from Laurent
+ Bigonville.
+ Module version bump for updated netlink sockets from Stephen Smalley
+ Update contrib.
+ Module version bump for init_startstop_service from Jason Zaman.
+ Update contrib.
+ Change CI tests to drop DIRECT_INITRC.
+ Module version bumps for further init_startstop_service() changes from
+ Jason Zaman.
+ Module version bump for admin interface changes from Jason Zaman.
+ Update contrib.
+ Module version bumps for admin interfaces from Jason Zaman.
+ Module version bump for cron_admin for sysadm from Jason Zaman.
+ Module version bump for ssh-agent -k fix from Luis Ressel.
+ Module version bump for APR build script labeling from Luis Ressel.
+ Module version bump for vfio device from Alexander Wetzel.
+ Update contrib.
+ Rearrange lines in ipsec.te.
+ Module version bump for patches from Jason Zaman/Matthias Dahl.
+ Add systemd build option.
+ Add systemd access vectors.
+ Implement core systemd policy.
+ Add supporting rules for domains tightly-coupled with systemd.
+ Add rules for sysadm_r to manage the services.
+ Add systemd units for core refpolicy services.
+ Add sysfs_types attribute.
+ Add refpolicy core socket-activated services.
+ Change policy_config_t to a security file type.
+ Merge branch 'pebenito-master'
+ Module version bump for systemd additions.
+ Update contrib for dbus systemd fix.
+ Revise selinux module interfaces for perms protected by neverallows.
+ Remove bad interface in systemd.if.
+ Module version bump for utempter Debian helper from Laurent Bigonville.
+ Update contrib.
+ Bump module versions for release.
+
+Jason Zaman (13):
+ fstools: add in filetrans for /run dir
+ Introduce init_startstop_service interface
+ logging: use init_startstop_service in _admin interface
+ postgresql: use init_startstop_service in _admin interface
+ Add openrc support to init_startstop_service
+ Introduce iptables_admin
+ Add all the missing _admin interfaces to sysadm
+ Introduce lvm_admin interface
+ Introduce ipsec_admin interface
+ Introduce setrans_admin interface
+ add new cron_admin interface to sysadm
+ Add overlayfs as an XATTR capable fs
+ system/ipsec: Add policy for StrongSwan
+
+Laurent Bigonville (4):
+ Add fc for /sys/kernel/debug as debugfs_t
+ Add "binder" security class and access vectors
+ Properly label utempter helper on debian
+ Allow the user cronjobs to run in their userdomain
+
+Luis Ressel (2):
+ Allow ssh-agent to send signals to itself
+ Mark APR build scripts as bin_t
+
+Stephen Smalley (1):
+ Update netlink socket classes.
+
+Steve Lawrence (1):
+ Remove optional else block for dhcp ping
+
* Wed Dec 03 2014 Chris PeBenito <selinux@tresys.com> - 2.20141203
Artyom Smirnov (3):
New database object classes
diff --git a/VERSION b/VERSION
index a9e4840..382483e 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.20141203
+2.20151208
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2016-05-13 5:37 Jason Zaman
0 siblings, 0 replies; 101+ messages in thread
From: Jason Zaman @ 2016-05-13 5:37 UTC (permalink / raw
To: gentoo-commits
commit: d0ab68af0aad3a2d161d132dfe73b0e978b60b83
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Tue Apr 26 21:17:58 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri May 13 05:07:33 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d0ab68af
Fix typo in module compilation message
Rules.modular | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Rules.modular b/Rules.modular
index c3c914a..b1469f0 100644
--- a/Rules.modular
+++ b/Rules.modular
@@ -71,7 +71,7 @@ $(modpkgdir)/%.pp: $(builddir)%.pp
# Build module packages
#
$(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
- @echo "Compliling $(NAME) $(@F) module"
+ @echo "Compiling $(NAME) $(@F) module"
@test -d $(tmpdir) || mkdir -p $(tmpdir)
$(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2016-05-13 5:37 Jason Zaman
0 siblings, 0 replies; 101+ messages in thread
From: Jason Zaman @ 2016-05-13 5:37 UTC (permalink / raw
To: gentoo-commits
commit: f9a53a313df7187e8b6fbb8ea36ad2bf3beb782f
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Mar 25 14:07:37 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri May 13 05:07:33 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f9a53a31
Update Travis-CI build to newest SELinux userspace release.
.travis.yml | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index b3dd454..7c6301d 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -43,13 +43,16 @@ before_install:
install:
# Download current SELinux userspace tools and libraries
- - curl -sS -L https://github.com/SELinuxProject/selinux/archive/20150202.tar.gz | tar xz
- - mv selinux-20150202 selinux-src
+ - curl -sS -L https://github.com/SELinuxProject/selinux/archive/20160223.tar.gz | tar xz
+ - mv selinux-20160223 selinux-src
# Ubuntu 12.04 coreutils is too old to provide "ln --relative" :(
- sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libsepol/src/Makefile
- sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libselinux/src/Makefile
+ # Drop secilc to break xmlto dependence (secilc isn't used here anyway)
+ - sed -i -e 's/secilc//' selinux-src/Makefile
+
# Drop sepolicy to break setools dependence (sepolicy isn't used anyway)
- sed -i -e 's/sepolicy//' selinux-src/policycoreutils/Makefile
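Review bot: `sed -i -e 's/secilc//' selinux-src/Makefile` (like the existing `s/sepolicy//` line below it) deletes the first occurrence of the bare string on every line of the Makefile, not just the entry in the subdirectory list, so any other line mentioning `secilc` (a path, a comment, a target name) is silently mangled; anchor the pattern to the word, e.g. `s/\bsecilc\b//`, or restrict the substitution to the SUBDIRS line. The bumped 20160223 tarball is still downloaded and extracted without a checksum; pinning its sha256 would make the build reproducible and tamper-evident.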
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2016-08-31 16:38 Jason Zaman
0 siblings, 0 replies; 101+ messages in thread
From: Jason Zaman @ 2016-08-31 16:38 UTC (permalink / raw
To: gentoo-commits
commit: f51d21f62c9f44d637796ab5d5fab793f871cb2e
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sat Aug 27 15:08:57 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 31 15:38:26 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f51d21f6
Make Travis-CI build without using sudo
This makes migrating to container-based infrastructure much easier (all
that is needed is adding "sudo: false" in the file).
Moreover installing the toolchain in a user directory fixes issues when
using the Trusty Beta environment: this toolchain broke the
already-installed Ubuntu packages (with for example policy version
issues between setfiles and checkpolicy). As the packaged tools (version
2.2) are much slower than the latest toolchain release on Trusty, it is
better to keep using the latest release.
As the libcap-ng-dev package is not (yet? [1]) whitelisted in the Travis-CI
container infrastructure, drop this package and do not build
policycoreutils/sandbox. Do not build policycoreutils/restorecond either, as
it requires glib to be installed.
While at it, set the language as "generic" instead of "python".
[1] https://github.com/travis-ci/apt-package-whitelist/issues/1096
Signed-off-by: Nicolas Iooss <nicolas.iooss <AT> m4x.org>
.travis.yml | 44 +++++++++++++++++++++++++++++++++-----------
1 file changed, 33 insertions(+), 11 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index 7c6301d..3f9d678 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,8 +1,6 @@
# Derived from Nicolas Iooss: https://github.com/fishilico/selinux-refpolicy-patched/blob/travis-upstream/.travis.yml
-language: python
-python:
- - "2.7"
+language: generic
# for T in standard mls mcs ; do for D in arch debian gentoo ; do for I in n y ; do for M in y n ; do for S in n y ; do
# echo " - TYPE=$T DISTRO=$D DIRECT_INITRC=$I MONOLITHIC=$M SYSTEMD=$S" ; done ; done ; done ; done ; done
@@ -32,16 +30,31 @@ env:
- TYPE=mls DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n SYSTEMD=n
- TYPE=mls DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n SYSTEMD=y
-before_install:
+# Uncomment to use Travis-CI container infrastructure (https://docs.travis-ci.com/user/ci-environment/)
+#sudo: false
+
+# Uncomment these two lines to use Travis-CI Trusty Beta environment
+#sudo: required
+#dist: trusty
+
+addons:
+ apt:
+ packages:
+ # Install SELinux userspace utilities dependencies
+ - bison
+ - flex
+ - gettext
+ - libaudit-dev
+ - libbz2-dev
+ - libustr-dev
+ - libpcre3-dev
+ - swig
+
+install:
- lsb_release -a
- bison -V
- flex -V
- - sudo apt-get update -qq
-
- # Install SELinux userspace utilities dependencies
- - sudo apt-get install -qq libaudit-dev libcap-ng-dev libustr-dev libpcre3-dev swig
-install:
# Download current SELinux userspace tools and libraries
- curl -sS -L https://github.com/SELinuxProject/selinux/archive/20160223.tar.gz | tar xz
- mv selinux-20160223 selinux-src
@@ -56,10 +69,19 @@ install:
# Drop sepolicy to break setools dependence (sepolicy isn't used anyway)
- sed -i -e 's/sepolicy//' selinux-src/policycoreutils/Makefile
- # Compile and install SELinux toolchain
+ # Drop restorecond to break glib dependence
+ - sed -i -e 's/ restorecond//' selinux-src/policycoreutils/Makefile
+
+ # Drop sandbox to break libcap-ng dependence
+ - sed -i -e 's/ sandbox//' selinux-src/policycoreutils/Makefile
+
+ # Compile and install SELinux toolchain into ~/selinux
# On Ubuntu 12.04, default CFLAGS make the build fail in libsepol/cil with:
# error: declaration of 'index' shadows a global declarationo
- - sudo make CFLAGS="-O2 -pipe -fPIC -Wall" -C selinux-src install
+ - make "DESTDIR=$HOME/selinux" CFLAGS="-O2 -pipe -fPIC -Wall -I$HOME/selinux/usr/include" -C selinux-src install
+
+ # Use TEST_TOOLCHAIN variable to tell refpolicy Makefile about the installed location
+ - export TEST_TOOLCHAIN="$HOME/selinux"
# Drop build.conf settings to listen to env vars
- sed -r -i -e '/(DIRECT_INITRC|MONOLITHIC|TYPE|DISTRO|SYSTEMD)/d' build.conf
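Review bot: installing into `DESTDIR=$HOME/selinux` addresses the root cause of the Trusty breakage described in the commit message (the system's own libselinux and checkpolicy are no longer overwritten), and `-I$HOME/selinux/usr/include` makes the tools compile against the freshly installed headers, but nothing equivalent is set for the linker: the configuration this file replaced (removed in 68026ee4) exported `LDFLAGS="-L$DESTDIR/usr/lib"` and `LD_LIBRARY_PATH`, so confirm that the userspace top-level Makefile and refpolicy's `TEST_TOOLCHAIN` handling pick up `$HOME/selinux/usr/lib` at link and run time, otherwise the tools may quietly link against Ubuntu's older 2.2 libraries and reintroduce the policy-version mismatch. The carried-over comment `shadows a global declarationo` still has its typo.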
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2016-08-31 16:38 Jason Zaman
0 siblings, 0 replies; 101+ messages in thread
From: Jason Zaman @ 2016-08-31 16:38 UTC (permalink / raw
To: gentoo-commits
commit: 1ed2f6c6a9096a0ae8ecadc1270cf527ab141e78
Author: Naftuli Tzvi Kay <rfkrocktk <AT> gmail <DOT> com>
AuthorDate: Tue Aug 30 19:14:48 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 31 15:38:26 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1ed2f6c6
Add Vagrant box for development.
.gitignore | 2 ++
Vagrantfile | 47 +++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 49 insertions(+)
diff --git a/.gitignore b/.gitignore
index 7eaab24..200bfeb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,3 +18,5 @@
/policy/modules/kernel/corenetwork.if
/policy/modules/kernel/corenetwork.te
/tmp/
+
+.vagrant/
diff --git a/Vagrantfile b/Vagrantfile
new file mode 100644
index 0000000..129de68
--- /dev/null
+++ b/Vagrantfile
@@ -0,0 +1,47 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+# All Vagrant configuration is done below. The "2" in Vagrant.configure
+# configures the configuration version (we support older styles for
+# backwards compatibility). Please don't change it unless you know what
+# you're doing.
+Vagrant.configure("2") do |config|
+ # build a Fedora 24 VM
+ config.vm.box = "bento/fedora-24"
+ # assign a nice hostname
+ config.vm.hostname = "selinux-devel"
+ # give it a private internal IP address
+ config.vm.network "private_network", type: "dhcp"
+
+ config.vm.provider "virtualbox" do |vb|
+ # Customize the amount of memory on the VM:
+ vb.memory = "1024"
+ end
+
+ # Enable provisioning with a shell script. Additional provisioners such as
+ # Puppet, Chef, Ansible, Salt, and Docker are also available. Please see the
+ # documentation for more information about their specific syntax and use.
+ config.vm.provision "shell", run: "once", inline: <<-SHELL
+ # get the man pages
+ echo "Upgrading DNF and installing man pages..."
+ dnf install -q -y man-pages >/dev/null
+ dnf upgrade -q -y dnf >/dev/null
+
+ # install a few packages to make this machine ready to go out of the box
+ echo "Installing SELinux dev dependencies..."
+ dnf install -q -y \
+ bash-completion \
+ man-pages \
+ vim \
+ make \
+ kernel-devel \
+ selinux-policy-devel \
+ libselinux-python \
+ libselinux-python3 \
+ >/dev/null
+
+ # we set to permissive to allow loading and working with reference policy as opposed to fedora's fork
+ echo "Setting SELinux to Permissive Mode..."
+ setenforce 0
+ SHELL
+end
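Review bot: `setenforce 0` at the end of the provisioner only switches the running kernel to permissive; it does not touch `/etc/selinux/config`, so after `vagrant reload` the box comes back enforcing under Fedora's shipped policy and the comment's promise ("allow loading and working with reference policy") no longer holds. Either state in the comment that the setting is transient and point developers at `vagrant provision`, or make the choice explicit in the config file so the box's mode is not a surprise. Also `man-pages` is installed twice, once on its own and again in the dependency list.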
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
2016-10-24 16:02 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
@ 2016-10-24 16:02 ` Sven Vermeulen
0 siblings, 0 replies; 101+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:02 UTC (permalink / raw
To: gentoo-commits
commit: 7601edab81d7dd32ebe8270c7cd3ac17b0f28431
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Oct 9 11:47:09 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 15:57:32 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7601edab
Rearrange lines in syncthing.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
syncthing.if | 19 +++++++++----------
syncthing.te | 20 +++++++-------------
2 files changed, 16 insertions(+), 23 deletions(-)
diff --git a/syncthing.if b/syncthing.if
index d71fdaa..065800a 100644
--- a/syncthing.if
+++ b/syncthing.if
@@ -16,17 +16,16 @@
## </param>
#
interface(`syncthing_role', `
+ gen_require(`
+ attribute_role syncthing_roles;
+ type syncthing_t, syncthing_exec_t, syncthing_config_home_t;
+ ')
- gen_require(`
- attribute_role syncthing_roles;
- type syncthing_t, syncthing_exec_t, syncthing_config_home_t;
- ')
+ roleattribute $1 syncthing_roles;
- roleattribute $1 syncthing_roles;
+ domtrans_pattern($2, syncthing_exec_t, syncthing_t)
- domtrans_pattern($2, syncthing_exec_t, syncthing_t)
-
- allow $2 syncthing_config_home_t:file { manage_file_perms relabel_file_perms };
- allow $2 syncthing_config_home_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 syncthing_config_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $2 syncthing_config_home_t:file { manage_file_perms relabel_file_perms };
+ allow $2 syncthing_config_home_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 syncthing_config_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
')
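Review bot: the removed and re-added `gen_require` block, `roleattribute`, `domtrans_pattern` and three `allow` lines are identical in content, so this hunk is whitespace-only (re-indentation plus dropping the blank lines between the statements); that is fine for bringing the interface in line with the rest of the tree, but it is worth stating in the commit message, since `git diff -w` shows the hunk as empty and a reader otherwise wonders what changed.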
diff --git a/syncthing.te b/syncthing.te
index 8144389..92d0bf5 100644
--- a/syncthing.te
+++ b/syncthing.te
@@ -27,23 +27,23 @@ allow syncthing_t self:tcp_socket { listen accept };
can_exec(syncthing_t, syncthing_exec_t)
+manage_dirs_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+manage_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+manage_lnk_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+
kernel_read_kernel_sysctls(syncthing_t)
kernel_read_net_sysctls(syncthing_t)
kernel_read_system_state(syncthing_t)
corenet_tcp_sendrecv_generic_if(syncthing_t)
corenet_udp_sendrecv_generic_if(syncthing_t)
-
corenet_tcp_bind_generic_node(syncthing_t)
corenet_tcp_sendrecv_generic_node(syncthing_t)
corenet_tcp_sendrecv_all_ports(syncthing_t)
-
corenet_udp_bind_generic_node(syncthing_t)
corenet_udp_sendrecv_generic_node(syncthing_t)
corenet_udp_sendrecv_all_ports(syncthing_t)
-
corenet_tcp_connect_all_ports(syncthing_t)
-
corenet_tcp_bind_syncthing_port(syncthing_t)
corenet_udp_bind_syncthing_discovery_port(syncthing_t)
corenet_tcp_bind_syncthing_admin_port(syncthing_t)
@@ -55,10 +55,6 @@ fs_getattr_xattr_fs(syncthing_t)
auth_use_nsswitch(syncthing_t)
-manage_dirs_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
-manage_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
-manage_lnk_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
-
miscfiles_read_generic_certs(syncthing_t)
miscfiles_read_localization(syncthing_t)
@@ -66,13 +62,11 @@ userdom_manage_user_home_content_files(syncthing_t)
userdom_manage_user_home_content_dirs(syncthing_t)
userdom_manage_user_home_content_symlinks(syncthing_t)
userdom_user_home_dir_filetrans_user_home_content(syncthing_t, dir)
-
+userdom_use_user_terminals(syncthing_t)
# newly created files in ~/.config/syncthing/ will transition to syncthing_config_home_t
userdom_user_home_content_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")
-userdom_use_user_terminals(syncthing_t)
-
optional_policy(`
- # temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
- networkmanager_read_pid_files(syncthing_t)
+ # temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
+ networkmanager_read_pid_files(syncthing_t)
')
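Review bot: after this move `userdom_use_user_terminals(syncthing_t)` sits directly under the `userdom_user_home_dir_filetrans_user_home_content` line and immediately above the `# newly created files ...` comment, and the blank line before `optional_policy(` is gone as well, so the file now runs from the last userdom call straight into the optional block; keep a blank line before `optional_policy(` and one between the terminal rule and the filetrans comment so the grouping stays readable.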
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
From: Sven Vermeulen @ 2016-10-24 16:02 UTC
commit: a172282d756622acde353c6bd9387431b0b3ff9e
Author: Naftuli Tzvi Kay <rfkrocktk <AT> gmail <DOT> com>
AuthorDate: Sun Aug 21 07:08:42 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 15:57:25 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a172282d
Syncthing Policy
Policy governing Syncthing - a file synchronization utility
written in Go.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
syncthing.fc | 3 +++
syncthing.if | 32 +++++++++++++++++++++++++
syncthing.te | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 113 insertions(+)
diff --git a/syncthing.fc b/syncthing.fc
new file mode 100644
index 0000000..4f7f53e
--- /dev/null
+++ b/syncthing.fc
@@ -0,0 +1,3 @@
+/usr/bin/syncthing -- gen_context(system_u:object_r:syncthing_exec_t,s0)
+
+HOME_DIR/\.config/syncthing(/.*)? gen_context(system_u:object_r:syncthing_config_home_t,s0)
diff --git a/syncthing.if b/syncthing.if
new file mode 100644
index 0000000..d71fdaa
--- /dev/null
+++ b/syncthing.if
@@ -0,0 +1,32 @@
+## <summary>Application that lets you synchronize your files across multiple devices.</summary>
+
+########################################
+## <summary>
+## Role access for Syncthing
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`syncthing_role', `
+
+ gen_require(`
+ attribute_role syncthing_roles;
+ type syncthing_t, syncthing_exec_t, syncthing_config_home_t;
+ ')
+
+ roleattribute $1 syncthing_roles;
+
+ domtrans_pattern($2, syncthing_exec_t, syncthing_t)
+
+ allow $2 syncthing_config_home_t:file { manage_file_perms relabel_file_perms };
+ allow $2 syncthing_config_home_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 syncthing_config_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+')
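Review bot: `syncthing_role` lets `$2` start the daemon and manage its config home, but grants it nothing over the resulting `syncthing_t` process, so the user who launched syncthing cannot list it in `ps` or stop it; refpolicy role interfaces usually add `ps_process_pattern($2, syncthing_t)` and `allow $2 syncthing_t:process { ptrace signal_perms };` for this. The three raw `allow $2 syncthing_config_home_t:...` rules could also be written with the `manage_*_pattern` / `relabel_*_pattern` macros, as elsewhere in the tree.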
diff --git a/syncthing.te b/syncthing.te
new file mode 100644
index 0000000..8144389
--- /dev/null
+++ b/syncthing.te
@@ -0,0 +1,78 @@
+policy_module(syncthing, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role syncthing_roles;
+role syncthing_roles types syncthing_t;
+
+type syncthing_t;
+type syncthing_exec_t;
+init_daemon_domain(syncthing_t, syncthing_exec_t)
+userdom_user_application_domain(syncthing_t, syncthing_exec_t)
+
+type syncthing_config_home_t;
+userdom_user_home_content(syncthing_config_home_t)
+
+########################################
+#
+# Declarations
+#
+
+allow syncthing_t self:process getsched;
+allow syncthing_t self:fifo_file rw_fifo_file_perms;
+allow syncthing_t self:tcp_socket { listen accept };
+
+can_exec(syncthing_t, syncthing_exec_t)
+
+kernel_read_kernel_sysctls(syncthing_t)
+kernel_read_net_sysctls(syncthing_t)
+kernel_read_system_state(syncthing_t)
+
+corenet_tcp_sendrecv_generic_if(syncthing_t)
+corenet_udp_sendrecv_generic_if(syncthing_t)
+
+corenet_tcp_bind_generic_node(syncthing_t)
+corenet_tcp_sendrecv_generic_node(syncthing_t)
+corenet_tcp_sendrecv_all_ports(syncthing_t)
+
+corenet_udp_bind_generic_node(syncthing_t)
+corenet_udp_sendrecv_generic_node(syncthing_t)
+corenet_udp_sendrecv_all_ports(syncthing_t)
+
+corenet_tcp_connect_all_ports(syncthing_t)
+
+corenet_tcp_bind_syncthing_port(syncthing_t)
+corenet_udp_bind_syncthing_discovery_port(syncthing_t)
+corenet_tcp_bind_syncthing_admin_port(syncthing_t)
+
+dev_read_rand(syncthing_t)
+dev_read_urand(syncthing_t)
+
+fs_getattr_xattr_fs(syncthing_t)
+
+auth_use_nsswitch(syncthing_t)
+
+manage_dirs_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+manage_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+manage_lnk_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+
+miscfiles_read_generic_certs(syncthing_t)
+miscfiles_read_localization(syncthing_t)
+
+userdom_manage_user_home_content_files(syncthing_t)
+userdom_manage_user_home_content_dirs(syncthing_t)
+userdom_manage_user_home_content_symlinks(syncthing_t)
+userdom_user_home_dir_filetrans_user_home_content(syncthing_t, dir)
+
+# newly created files in ~/.config/syncthing/ will transition to syncthing_config_home_t
+userdom_user_home_content_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")
+
+userdom_use_user_terminals(syncthing_t)
+
+optional_policy(`
+ # temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
+ networkmanager_read_pid_files(syncthing_t)
+')
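Review bot: the second section header, at the top of the rules block, repeats `# Declarations`; it should read `# Policy`, as in the other new modules in this series. More substantively, `corenet_tcp_sendrecv_all_ports`, `corenet_udp_sendrecv_all_ports` and `corenet_tcp_connect_all_ports` together give this user application domain one of the broadest network profiles in the tree; a comment explaining why outbound connections to arbitrary ports are required (remote peers may listen on whatever port their owner configured) would stop a later reviewer from narrowing it blindly, and a tunable would let administrators who only sync over the default port tighten it. Note also that `corenet_tcp_bind_syncthing_port`, `corenet_udp_bind_syncthing_discovery_port` and `corenet_tcp_bind_syncthing_admin_port` need matching port declarations in corenetwork, which are not part of this three-file diff.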
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
From: Sven Vermeulen @ 2016-10-24 16:02 UTC
To: gentoo-commits
commit: 4a0e65d9a24d32297caee427433746e59468df3e
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Oct 23 20:58:59 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 16:00:58 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4a0e65d9
Update Changelog and VERSION for release.
Changelog | 234 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
VERSION | 2 +-
2 files changed, 235 insertions(+), 1 deletion(-)
diff --git a/Changelog b/Changelog
index 617f49e..d00f2cf 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,237 @@
+* Sun Oct 23 2016 Chris PeBenito <pebenito@ieee.org> - 2.20161023
+Chris PeBenito (94):
+ Module version bump for systemd-user-sessions fc entry from Dominick Grift
+ Module version bumps for 2 patches from Dominick Grift.
+ Module version bump for vm overcommit sysctl interfaces from Laurent
+ Bigonville.
+ Update contrib.
+ Module version bump for Xorg and SSH patches from Nicolas Iooss.
+ Add neverallow for mac_override capability. It is not used by SELinux.
+ Merge branch 'overcommit-1' of git://github.com/bigon/refpolicy into
+ bigon-overcommit-1
+ Merge branch 'bigon-overcommit-1'
+ Merge branch 'systemd-1' of git://github.com/bigon/refpolicy into
+ bigon-systemd-1
+ Merge branch 'bigon-systemd-1'
+ Module version bump for syslog and systemd changes from Laurent Bigonville
+ Merge pull request #19 from shootingatshadow/fc_sort
+ Merge branch 'xorg-1' of git://github.com/bigon/refpolicy into
+ bigon-xorg-1
+ Merge branch 'bigon-xorg-1'
+ Module version bump for Debian Xorg fc fixes from Laurent Bigonville
+ Add a type and genfscon for nsfs.
+ Module version bump for systemd PrivateNetwork patch from Nicolas Iooss
+ Module version bump for systemd audit_read capability from Laurent
+ Bigonville
+ Merge pull request #21 from fishilico/typos
+ Module version bump for patches from Nicolas Iooss and Grant Ridder.
+ Update contrib.
+ Module version bump for efivarfs patches from Dan Walsh, Vit Mojzis, and
+ Laurent Bigonville
+ Module version bump for ipset fc entry from Laurent Bigonville.
+ Update contrib.
+ Whitespace fix in iptables.fc.
+ Module version bump for iptables fc entries from Laurent Bigonville and
+ Lukas Vrabec.
+ Update contrib.
+ Module version bump for iptables/firewalld patch from Laurent Bigonville.
+ Merge pull request #29 from bigon/appconfig-lxc
+ Module version bump for getty patch from Luis Ressel.
+ Module version bump for tboot utils from Luis Ressel and systemd fix from
+ Jason Zaman.
+ Merge branch 'corecommands-archlinux' of
+ https://github.com/fishilico/selinux-refpolicy-patched
+ Merge branch 'dev_setattr_dlm_control-typo' of
+ https://github.com/fishilico/selinux-refpolicy-patched
+ Merge branch 'kdevtmpfs-unlink' of
+ https://github.com/fishilico/selinux-refpolicy-patched
+ Module version bump for several Arch fixes from Nicolas Iooss.
+ Update contrib.
+ Reduce broad entrypoints for unconfined domains.
+ Update Travis-CI build to newest SELinux userspace release.
+ Update su for libselinux-2.5 changes.
+ Merge branch 'selinux-1' of https://github.com/bigon/refpolicy
+ Module version bump for Debian fc entries from Laurent Bigonville.
+ Module version bump for patches from Dominick Grift and Lukas Vrabec.
+ Add user namespace capability object classes.
+ Module version bump for hwloc-dump-hwdata from Dominick Grift and Grzegorz
+ Andrejczuk.
+ Module version bump for nftables fc entry from Jason Zaman.
+ Update contrib.
+ Module version bump for LMNR port from Laurent Bigonville.
+ Module version bump for systemd-resolved patch from Laurent BIgonville.
+ Merge branch 'master' of https://github.com/qqo/refpolicy into qqo-master
+ Merge branch 'qqo-master'
+ Module version bump for mlstrustedsocket from qqo.
+ Module version bumps + contrib update for user_runtime from Jason Zaman.
+ Update contrib.
+ Module version bump for corecommands update from Garrett Holmstrom.
+ Module version bump for MLS relabeling patch from Lukas Vrabec.
+ Get attributes of generic ptys, from Russell Coker.
+ Module version bump for user_udp_server tunable from Russell Coker.
+ libraries: Move libsystemd fc entry.
+ libraries: Module version bump for libsystemd fc entry from Lukas Vrabec.
+ Update contrib.
+ Systemd units from Russell Coker.
+ corenetwork: Add port labeling for Global Catalog over LDAPS.
+ corenetwork: Missed version bump for previous commit.
+ Update contrib.
+ Allow the system user domains to chat over dbus with a few other domains
+ (e.g. gnome session).
+ Update alsa module use from Guido Trentalancia.
+ Update the sysnetwork module to add some permissions needed by the dhcp
+ client (another separate patch makes changes to the ifconfig part).
+ Ifconfig should be able to read firmware files in /lib (i.e. some network
+ cards need to load their firmware) and it should not audit attempts to
+ load kernel modules directly.
+ Remove redundant libs_read_lib_files() for ifconfig_t.
+ Module version bump for various patches from Guido Trentalancia.
+ Update contrib.
+ Update for the xserver module:
+ userdomain: Fix compile errors.
+ Update contrib.
+ Merge pull request #38 from fishilico/travis-nosudo
+ Module version bump for module_load perm use from Guido Trentalancia.
+ Update contrib.
+ Merge pull request #39 from rfkrocktk/feature/vagrant
+ Merge pull request #40 from jer-gentoo/patch-1
+ userdomain: Move enable_mls block in userdom_common_user_template().
+ Module version bumps for LVM and useromain patches from Guido
+ Trentalancia.
+ Update contrib.
+ Additional change from Guido Trentalancia related to evolution.
+ Module version bump for selinuxutil fix from Jason Zaman.
+ Update contrib.
+ Update contrib.
+ Merge branch 'feature/syncthing' of https://github.com/rfkrocktk/refpolicy
+ into rfkrocktk-feature/syncthing
+ Merge branch 'rfkrocktk-feature/syncthing'
+ Module version bumps for syncthing from Naftuli Tzvi Kay.
+ Merge pull request #41 from SeanPlacchetti/patch-1
+ Merge pull request #42 from SeanPlacchetti/patch-1
+ Merge pull request #43 from williamcroberts/google-patch
+ Update contrib.
+ Bump module versions for release.
+
+Dan Walsh (1):
+ Add label for efivarfs
+
+Dominick Grift (5):
+ systemd: add missing file context spec for systemd-user-sessions
+ executable file
+ authlogin: remove duplicate files_list_var_lib(nsswitch_domain)
+ kernel: implement sysctl_vm_overcommit_t for
+ /proc/sys/vm/overcommit_memory
+ systemd: Add support for --log-target
+ Update refpolicy to handle hwloc
+
+Garrett Holmstrom (1):
+ corecmd: Remove fcontext for /etc/sysconfig/libvirtd
+
+Grant Ridder (1):
+ Add redis-sentinel port to redis network_port def
+
+Guido Trentalancia (6):
+ Add module_load permission to class system
+ Add module_load permission to can_load_kernmodule
+ Remove deprecated semodule options from Makefile
+ Update the lvm module
+ Improve tunable support for rw operations on noxattr fs / removable media
+ userdomain: introduce the user certificate file context (was miscfiles:
+ introduce the user certificate file context)
+
+Jason Zaman (6):
+ system/init: move systemd_ interfaces into optional_policy
+ iptables: add fcontext for nftables
+ authlogin: remove fcontext for /var/run/user
+ userdomain: Introduce types for /run/user
+ userdomain: user_tmp requires searching /run/user
+ userdomain: introduce interfaces for user runtime
+
+Jason Zaman via refpolicy (1):
+ selinuxutil: allow setfiles to read semanage store
+
+Jeroen Roovers (1):
+ Use $(AWK) not plain awk
+
+Laurent Bigonville (15):
+ Add interfaces to read/write /proc/sys/vm/overcommit_memory
+ Give some systemd domain access to /proc/sys/kernel/random/boot_id
+ On Debian, systemd binaries are installed in / not /usr
+ Allow syslogd_t to read sysctl_vm_overcommit_t
+ Label Xorg server binary correctly on Debian
+ Allow systemd the audit_read capability
+ Allow logind to read efivarfs files
+ Add label for /sbin/ipset
+ Label /var/run/ebtables.lock as iptables_var_run_t.
+ Allow {eb,ip,ip6}tables-restore to read files in /run/firewalld
+ Add lxc_contexts config file
+ Add some labels for SELinux tools path in Debian
+ Add the validate_trans access vector to the security class
+ Add llmnr/5355 (Link-local Multicast Name Resolution)
+ Add policy for systemd-resolved
+
+Luis Ressel (2):
+ Allow getty the sys_admin capability
+ Allow sysadm to run txt-stat.
+
+Lukas Vrabec (4):
+ Label /var/run/xtables.lock as iptables_var_run_t.
+ SELinux support for cgroup2 filesystem.
+ Add new MLS attribute to allow relabeling objects higher than system low.
+ This exception is needed for package managers when processing sensitive
+ data.
+ Systemd by version 231 starts using shared library and systemd daemons
+ execute it. For this reason lib_t type is needed.
+
+Mike Palmiotto (1):
+ Add mls support for some db classes
+
+Naftuli Tzvi Kay (2):
+ Add Syncthing Support to Policy
+ Add Vagrant box for development.
+
+Nicolas Iooss (18):
+ Label Xorg server binary correctly on Arch Linux
+ Label OpenSSH files correctly on Arch Linux
+ Label OpenSSH systemd unit files
+ Allow systemd services to use PrivateNetwork feature
+ Fix typo in init_dbus_chat requirements
+ Fix typos in comments from corenetwork module
+ man: Spelling fixes
+ Fix interface descriptions when duplicate ones are found
+ Label /sys/kernel/debug/tracing filesystem
+ Label TexLive scripts bin_t
+ Label system-config-printer applet properly on Arch Linux
+ Label gedit plugins properly on Arch Linux
+ Label some user session DBus services as bin_t
+ Do not label /usr/lib/gvfs/libgvfscommon.so as bin_t
+ Fix typo in dev_setattr_dlm_control interface requirements
+ Allow kdevtmpfs to unlink fixed disk devices
+ Fix typo in module compilation message
+ Make Travis-CI build without using sudo
+
+Rahul Chaudhry (1):
+ fc_sort: cleanup warnings caught by clang tidy / static analyzer.
+
+Russell Coker (2):
+ user_udp_server tunable
+ getattr on unlabeled blk devs
+
+Sean Placchetti (2):
+ Update to refpolicy spec file
+ Update specfile
+
+Vit Mojzis (1):
+ Add interface to allow reading files in efivarfs - contains Linux Kernel
+ configuration options for UEFI systems (UEFI Runtime Variables)
+
+William Roberts (1):
+ fc_sort: strip whitespace errors
+
+qqo (1):
+ Adds attribute mlstrustedsocket, along with the interface.
+
* Tue Dec 08 2015 Chris PeBenito <selinux@tresys.com> - 2.20151208
Alexander Wetzel (1):
adds vfio device support to base policy
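Review bot: two typos in the generated entries, `Laurent BIgonville` under `Module version bump for systemd-resolved patch` and `useromain` in `Module version bumps for LVM and useromain patches`; they come from the original commit subjects and cannot be amended there, but the Changelog text can be corrected by hand before release.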
diff --git a/VERSION b/VERSION
index 382483e..f011019 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.20151208
+2.20161023
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
From: Jason Zaman @ 2016-12-06 13:39 UTC
To: gentoo-commits
commit: b8bf820c6d3245e858988c2d7db487252aba5248
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Sun Dec 4 13:18:21 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 6 12:39:33 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b8bf820c
using intermediate target instead of splitting up conf files generation
Makefile | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/Makefile b/Makefile
index 9295b18..56cc0b6 100644
--- a/Makefile
+++ b/Makefile
@@ -2,7 +2,7 @@
# Makefile for the security policy.
#
# Targets:
-#
+#
# install - compile and install the policy configuration, and context files.
# load - compile, install, and load the policy configuration.
# reload - compile, install, and load/reload the policy configuration.
@@ -236,7 +236,7 @@ ifeq ($(DISTRO),debian)
endif
ifeq ($(DISTRO),gentoo)
- CTAGS := exuberant-ctags
+ CTAGS := exuberant-ctags
endif
CTAGS ?= ctags
@@ -393,13 +393,12 @@ $(net_contexts): $(moddir)/kernel/corenetwork.te.in
#
conf: $(mod_conf) $(booleans) generate
-$(booleans): $(polxml)
- @echo "Updating $(booleans)"
- $(verbose) $(gendoc) -b $(booleans) -x $(polxml)
+$(booleans) $(mod_conf): conf.intermediate
-$(mod_conf): $(polxml)
- @echo "Updating $(mod_conf)"
- $(verbose) $(gendoc) -m $(mod_conf) -x $(polxml)
+.INTERMEDIATE: conf.intermediate
+conf.intermediate: $(polxml)
+ @echo "Updating $(booleans) and $(mod_conf)"
+ $(verbose) $(gendoc) -b $(booleans) -m $(mod_conf) -x $(polxml)
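Review bot: the intermediate-target trick relies on GNU make semantics that are easy to misread: `conf.intermediate` is never created on disk, and it is the `.INTERMEDIATE` declaration that stops make from rebuilding it (and with it both outputs) on every run unless `$(polxml)` is newer than the target being considered. Add a one-line comment above `.INTERMEDIATE: conf.intermediate` saying that this is the single-recipe, multiple-outputs idiom and that the recipe deliberately does not create the file, so the next person does not split it back into two `$(gendoc)` invocations or rewrite it assuming the file exists.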
########################################
#
@@ -418,7 +417,7 @@ $(layerxml): %.xml: $(all_metaxml) $(filter $(addprefix $(moddir)/, $(notdir $*)
$(verbose) for i in $(basename $(filter $(addprefix $(moddir)/, $(notdir $*))%, $(detected_mods))); do $(genxml) -w -m $$i >> $@; done
ifdef LOCAL_ROOT
$(verbose) for i in $(basename $(filter $(addprefix $(local_moddir)/, $(notdir $*))%, $(detected_mods))); do $(genxml) -w -m $$i >> $@; done
-endif
+endif
$(tunxml): $(globaltun)
$(verbose) $(genxml) -w -t $< > $@
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
From: Sven Vermeulen @ 2017-01-13 18:43 UTC
To: gentoo-commits
commit: 1cb4d0c1c8cd982c27c18beb3cffcd8c262efd70
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Sun Jan 1 21:48:37 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Jan 13 18:38:58 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1cb4d0c1
fix permission of installed segenxml.py by install-headers
Makefile | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 56cc0b6..b4c2bae 100644
--- a/Makefile
+++ b/Makefile
@@ -518,7 +518,8 @@ install-headers: $(layerxml) $(tunxml) $(boolxml) $(gentooxml)
@echo "Installing $(NAME) policy headers."
$(verbose) $(INSTALL) -m 644 $^ $(headerdir)
$(verbose) mkdir -p $(headerdir)/support
- $(verbose) $(INSTALL) -m 644 $(m4support) $(word $(words $(genxml)),$(genxml)) $(xmldtd) $(headerdir)/support
+ $(verbose) $(INSTALL) -m 644 $(m4support) $(xmldtd) $(headerdir)/support
+ $(verbose) $(INSTALL) -m 755 $(word $(words $(genxml)),$(genxml)) $(headerdir)/support
$(verbose) $(genperm) $(avs) $(secclass) > $(headerdir)/support/all_perms.spt
$(verbose) for i in $(notdir $(all_layers)); do \
mkdir -p $(headerdir)/$$i ;\
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
From: Sven Vermeulen @ 2017-01-13 18:43 UTC
To: gentoo-commits
commit: 714f365c85547fffafb54431ac41927d3b9c3710
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Jan 5 19:24:04 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Jan 13 18:40:54 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=714f365c
add fakehwclock module
fakehwclock.fc | 5 +++++
fakehwclock.if | 46 ++++++++++++++++++++++++++++++++++++++++++++++
fakehwclock.te | 39 +++++++++++++++++++++++++++++++++++++++
3 files changed, 90 insertions(+)
diff --git a/fakehwclock.fc b/fakehwclock.fc
new file mode 100644
index 0000000..d83c628
--- /dev/null
+++ b/fakehwclock.fc
@@ -0,0 +1,5 @@
+/etc/fake-hwclock\.data -- gen_context(system_u:object_r:fakehwclock_backup_t,s0)
+
+/sbin/fake-hwclock -- gen_context(system_u:object_r:fakehwclock_exec_t,s0)
+
+/usr/lib/systemd/system/fake-hwclock\.service -- gen_context(system_u:object_r:fakehwclock_unit_t,s0)
diff --git a/fakehwclock.if b/fakehwclock.if
new file mode 100644
index 0000000..24cc7d1
--- /dev/null
+++ b/fakehwclock.if
@@ -0,0 +1,46 @@
+## <summary>fake-hwclock - Control fake hardware clock.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run fake-hwclock.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`fakehwclock_domtrans',`
+ gen_require(`
+ type fakehwclock_t, fakehwclock_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, fakehwclock_exec_t, fakehwclock_t)
+')
+
+########################################
+## <summary>
+## Execute fake-hwclock in the fake-hwclock domain,
+## and allow the specified role
+## the fake-hwclock domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`fakehwclock_run',`
+ gen_require(`
+ attribute_role fakehwclock_roles;
+ ')
+
+ fakehwclock_domtrans($1)
+ roleattribute $2 fakehwclock_roles;
+')
diff --git a/fakehwclock.te b/fakehwclock.te
new file mode 100644
index 0000000..6f2958f
--- /dev/null
+++ b/fakehwclock.te
@@ -0,0 +1,39 @@
+policy_module(fakehwclock, 0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role fakehwclock_roles;
+
+type fakehwclock_t;
+type fakehwclock_exec_t;
+init_system_domain(fakehwclock_t, fakehwclock_exec_t)
+role fakehwclock_roles types fakehwclock_t;
+
+type fakehwclock_backup_t;
+files_type(fakehwclock_backup_t)
+
+type fakehwclock_unit_t;
+init_unit_file(fakehwclock_unit_t)
+
+########################################
+#
+# policy
+#
+
+# sys_time : set system time
+allow fakehwclock_t self:capability sys_time;
+allow fakehwclock_t self:fifo_file rw_fifo_file_perms;
+
+allow fakehwclock_t fakehwclock_backup_t:file manage_file_perms;
+
+corecmd_exec_bin(fakehwclock_t)
+corecmd_exec_shell(fakehwclock_t)
+
+miscfiles_read_localization(fakehwclock_t)
+
+optional_policy(`
+ cron_system_entry(fakehwclock_t, fakehwclock_exec_t)
+')
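Review bot: the `# policy` section header should be `# Policy`, matching the `# Declarations` header above it and the other modules in this series. On the rules: `manage_file_perms` on `fakehwclock_backup_t` covers rewriting `/etc/fake-hwclock.data` in place, but if the script ever removes and recreates the file, the replacement would be created as `etc_t` and the next run would be denied on it; a `files_etc_filetrans(fakehwclock_t, fakehwclock_backup_t, file, "fake-hwclock.data")` rule keeps the label stable in both cases.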
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
From: Sven Vermeulen @ 2017-01-13 18:43 UTC
To: gentoo-commits
commit: 1c5eb0bbef55a47a0867916104065beb3f5e26f0
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Jan 5 20:02:36 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Jan 13 18:41:38 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1c5eb0bb
add dphysswapfile module
dphysswapfile.fc | 5 +++++
dphysswapfile.if | 19 +++++++++++++++++++
dphysswapfile.te | 47 +++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 71 insertions(+)
diff --git a/dphysswapfile.fc b/dphysswapfile.fc
new file mode 100644
index 0000000..1b2bfcc
--- /dev/null
+++ b/dphysswapfile.fc
@@ -0,0 +1,5 @@
+/etc/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_conf_t,s0)
+
+/sbin/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
+
+/var/swap -- gen_context(system_u:object_r:dphysswapfile_swap_t,s0)
diff --git a/dphysswapfile.if b/dphysswapfile.if
new file mode 100644
index 0000000..5372574
--- /dev/null
+++ b/dphysswapfile.if
@@ -0,0 +1,19 @@
+## <summary>Set up, mount/unmount, and delete an swap file.</summary>
+
+########################################
+## <summary>
+## Dontaudit acces to the swap file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dphysswapfile_dontaudit_read_swap',`
+ gen_require(`
+ type dphysswapfile_swap_t;
+ ')
+
+ dontaudit $1 dphysswapfile_swap_t:file read_file_perms;
+')
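Review bot: two typos in the interface documentation: the module summary should read `a swap file`, not `an swap file`, and the interface summary `Dontaudit acces to the swap file` should be `access`. These strings end up in the generated policy documentation, so they are worth fixing before the module is merged.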
diff --git a/dphysswapfile.te b/dphysswapfile.te
new file mode 100644
index 0000000..1dabdb1
--- /dev/null
+++ b/dphysswapfile.te
@@ -0,0 +1,47 @@
+policy_module(dphysswapfile, 0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type dphysswapfile_t;
+type dphysswapfile_exec_t;
+init_system_domain(dphysswapfile_t, dphysswapfile_exec_t)
+
+type dphysswapfile_conf_t;
+files_config_file(dphysswapfile_conf_t)
+
+type dphysswapfile_swap_t;
+files_type(dphysswapfile_swap_t)
+
+########################################
+#
+# Policy
+#
+
+# sys_admin : for swapon
+allow dphysswapfile_t self:capability sys_admin;
+allow dphysswapfile_t self:fifo_file rw_fifo_file_perms;
+allow dphysswapfile_t self:unix_stream_socket { create connect };
+
+allow dphysswapfile_t dphysswapfile_conf_t:file read_file_perms;
+
+allow dphysswapfile_t dphysswapfile_exec_t:file execute_no_trans;
+
+allow dphysswapfile_t dphysswapfile_swap_t:file manage_file_perms;
+
+kernel_read_system_state(dphysswapfile_t)
+
+corecmd_exec_bin(dphysswapfile_t)
+corecmd_exec_shell(dphysswapfile_t)
+
+files_dontaudit_getattr_pid_dirs(dphysswapfile_t)
+files_read_etc_files(dphysswapfile_t)
+files_search_var(dphysswapfile_t)
+
+fstools_exec(dphysswapfile_t)
+
+miscfiles_read_localization(dphysswapfile_t)
+
+userdom_dontaudit_search_user_home_dirs(dphysswapfile_t)
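Review bot: `allow dphysswapfile_t dphysswapfile_exec_t:file execute_no_trans;` is the raw form of `can_exec(dphysswapfile_t, dphysswapfile_exec_t)`, which is what syncthing.te in this same series uses; prefer the macro. Also, `manage_file_perms` on `dphysswapfile_swap_t` lets the domain create `/var/swap`, but without a file transition from `var_t` a freshly created swap file inherits the parent directory's label rather than `dphysswapfile_swap_t`, so the `.fc` entry and the runtime label would disagree until a relabel; if dphys-swapfile creates the file itself, add `files_var_filetrans(dphysswapfile_t, dphysswapfile_swap_t, file, "swap")`.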
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
From: Jason Zaman @ 2017-01-23 15:44 UTC
To: gentoo-commits
commit: 365748492dd2a032c653f583cea55c9525d82e2d
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Jan 15 18:18:09 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jan 23 12:55:22 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=36574849
Update contrib.
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
From: Jason Zaman @ 2017-01-23 15:44 UTC
To: gentoo-commits
commit: a7ec91a7035f321d8c53faae64e6dc247f6b742d
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Jan 15 18:33:25 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jan 23 12:55:22 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a7ec91a7
Fix contrib.
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
From: Jason Zaman @ 2017-01-23 15:44 UTC
To: gentoo-commits
commit: 2d45843fd36d1f3b6e0536f9de017a3f59ef2074
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Fri Jan 6 18:45:09 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jan 23 13:08:43 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2d45843f
use travis cache
cache SELinux userspace build
.travis.yml | 48 +++++++++++++++++++++++++++++-------------------
1 file changed, 29 insertions(+), 19 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index 58533e6..4848b29 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -41,6 +41,10 @@ sudo: false
#sudo: required
#dist: trusty
+cache:
+ directories:
+ - ${TRAVIS_BUILD_DIR}/selinux
+
addons:
apt:
packages:
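Review bot: caching `${TRAVIS_BUILD_DIR}/selinux` persists a compiled SELinux userspace across builds, so the conditions under which it is rebuilt become part of the build's correctness; the check in the next hunk compares only `SELINUX_USERSPACE_VERSION` against `travis.version`, which means a change to the sed patches applied before compiling would not invalidate a cached toolchain. A short comment on the `cache:` stanza pointing at that marker file, with a reminder to bump the version or clear the cache when the patch steps change, would make this explicit.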
@@ -62,33 +66,39 @@ before_install:
- python -V
install:
- # Download current SELinux userspace tools and libraries
- - curl -sS -L https://github.com/SELinuxProject/selinux/archive/20161014.tar.gz | tar xz
- - mv selinux-20161014 selinux-src
+ - SELINUX_USERSPACE_VERSION=20161014
+
+ - |
+ if [[ "${SELINUX_USERSPACE_VERSION}" != "$(cat ${TRAVIS_BUILD_DIR}/selinux/travis.version)" ]]; then
+ # Download current SELinux userspace tools and libraries
+ curl -sS -L "https://github.com/SELinuxProject/selinux/archive/${SELINUX_USERSPACE_VERSION}.tar.gz" | tar xz
+ mv "selinux-${SELINUX_USERSPACE_VERSION}" selinux-src
- # Ubuntu 12.04 coreutils is too old to provide "ln --relative" :(
- - sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libsepol/src/Makefile
- - sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libselinux/src/Makefile
+ # Ubuntu 12.04 coreutils is too old to provide "ln --relative" :(
+ sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libsepol/src/Makefile
+ sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libselinux/src/Makefile
- # Drop secilc to break xmlto dependence (secilc isn't used here anyway)
- - sed -i -e 's/secilc//' selinux-src/Makefile
+ # Drop secilc to break xmlto dependence (secilc isn't used here anyway)
+ sed -i -e 's/secilc//' selinux-src/Makefile
- # Drop sepolicy to break setools dependence (sepolicy isn't used anyway)
- - sed -i -e 's/sepolicy//' selinux-src/policycoreutils/Makefile
+ # Drop sepolicy to break setools dependence (sepolicy isn't used anyway)
+ sed -i -e 's/sepolicy//' selinux-src/policycoreutils/Makefile
- # Drop restorecond to break glib dependence
- - sed -i -e 's/ restorecond//' selinux-src/policycoreutils/Makefile
+ # Drop restorecond to break glib dependence
+ sed -i -e 's/ restorecond//' selinux-src/policycoreutils/Makefile
- # Drop sandbox to break libcap-ng dependence
- - sed -i -e 's/ sandbox//' selinux-src/policycoreutils/Makefile
+ # Drop sandbox to break libcap-ng dependence
+ sed -i -e 's/ sandbox//' selinux-src/policycoreutils/Makefile
- # Compile and install SELinux toolchain into ~/selinux
- # On Ubuntu 12.04, default CFLAGS make the build fail in libsepol/cil with:
- # error: declaration of 'index' shadows a global declarationo
- - make "DESTDIR=$TRAVIS_BUILD_DIR/selinux" CFLAGS="-O2 -Wall" -C selinux-src install
+ # Compile and install SELinux toolchain into ~/selinux
+ # On Ubuntu 12.04, default CFLAGS make the build fail in libsepol/cil with:
+ # error: declaration of 'index' shadows a global declarationo
+ make "DESTDIR=${TRAVIS_BUILD_DIR}/selinux" CFLAGS="-O2 -Wall" -C selinux-src install
+ echo "${SELINUX_USERSPACE_VERSION}" > "${TRAVIS_BUILD_DIR}/selinux/travis.version"
+ fi
# Use TEST_TOOLCHAIN variable to tell refpolicy Makefile about the installed location
- - export TEST_TOOLCHAIN="$TRAVIS_BUILD_DIR/selinux"
+ - export TEST_TOOLCHAIN="${TRAVIS_BUILD_DIR}/selinux"
# Drop build.conf settings to listen to env vars
- sed -r -i -e '/(DIRECT_INITRC|MONOLITHIC|TYPE|DISTRO|SYSTEMD)/d' build.conf
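Review bot: the `echo "${SELINUX_USERSPACE_VERSION}" > "${TRAVIS_BUILD_DIR}/selinux/travis.version"` at the end of the `if` block runs even when `curl`, `tar` or `make` above it failed, because the multi-line block carries no `set -e`, and the `curl ... | tar xz` pipeline would not be caught without `set -o pipefail` anyway; a half-built toolchain would then be cached with a valid marker and every later build would skip the rebuild. Start the block with `set -eo pipefail` or write the marker only on success (`make ... install && echo ...`). On a cold cache the `$(cat ${TRAVIS_BUILD_DIR}/selinux/travis.version)` also prints a "No such file" error into the log; guard it with `[ -f ... ]` or `2>/dev/null`. Lastly, the archive is fetched by tag name with no checksum, and a tag can be moved; pinning a commit hash or verifying a known digest would make the cached toolchain reproducible.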
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2017-02-05 6:29 Jason Zaman
From: Jason Zaman @ 2017-02-05 6:29 UTC
To: gentoo-commits
commit: 5954c31f0b864c0f09d9917bdb2652da04b043c4
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 4 18:30:54 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 5 06:26:54 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5954c31f
Update Changelog and VERSION for release.
Changelog | 137 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
VERSION | 2 +-
2 files changed, 138 insertions(+), 1 deletion(-)
diff --git a/Changelog b/Changelog
index d00f2cf..ba14a4a 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,140 @@
+* Sat Feb 04 2017 Chris PeBenito <pebenito@ieee.org> - 2.20170204
+Chris PeBenito (55):
+ Module version bumps for patches from Guido Trentalancia.
+ Update contrib.
+ Remove unneeded system_u seusers mapping.
+ Update contrib.
+ Merge pull request #45 from cgzones/travis2
+ Merge pull request #46 from cgzones/update_readme
+ Merge pull request #47 from cgzones/spelling
+ Module version bump for xserver patch from Guido Trentalancia
+ Update contrib.
+ Merge pull request #50 from cgzones/macros
+ Merge pull request #48 from cgzones/makefile
+ xserver: Rearrange lines
+ Module version bump for xserver changes from Guido Trentalancia.
+ Merge branch 'dhcp_avahi' of https://github.com/cgzones/refpolicy
+ Module version bumps for patches from cgzones.
+ Update contrib.
+ Merge branch 'syslogd' of git://github.com/cgzones/refpolicy
+ Module version bump for journald fixes from cgzones.
+ Merge pull request #57 from cgzones/trailing_whitespaces
+ modutils: Move lines.
+ Module version bumps for openoffice patches from Guido Trentalancia.
+ Module version bump for kernel sysctl patch from Luis Ressel
+ Update contrib.
+ Module version bump for netutils patch from Luis Ressel.
+ Module version bump for xserver patch from Guido Trentalancia.
+ Module version bumps for patches from Guido Trentalancia.
+ rtkit: enable dbus chat with xdm
+ xserver: Move interface definition.
+ Module version bump for patches from Guido Trentalancia.
+ Module version bump for xscreensaver patch from Guido Trentalancia.
+ Merge branch 'run_transition' of git://github.com/cgzones/refpolicy
+ Module version bumps for /run fc changes from cgzones.
+ Module version bump for patches from Guido Trentalancia.
+ Merge branch '2016-12-27_systemd' of
+ git://github.com/fishilico/selinux-refpolicy-patched
+ Module version bump for systemd patch from Nicolas Iooss.
+ Merge branch 'usr-fc' of
+ git://github.com/fishilico/selinux-refpolicy-patched
+ Module version bump for fc updates from Nicolas Iooss.
+ Module version bump for patches from Guido Trentalancia.
+ xserver: Update from Russell Coker for boinc.
+ Module version bump for patches from Guido Trentalancia.
+ Merge pull request #62 from cgzones/fix_permission_segenxml
+ Merge pull request #94 from cgzones/travis
+ Merge branch 'corenetork_module' of git://github.com/cgzones/refpolicy
+ Merge branch 'mount_module' of git://github.com/cgzones/refpolicy
+ Merge branch 'terminal_module' of git://github.com/cgzones/refpolicy
+ Merge branch 'files_search_src' of git://github.com/cgzones/refpolicy
+ Merge branch 'unconfined_module' of git://github.com/cgzones/refpolicy
+ Merge branch 'auditd_fixes' of git://github.com/cgzones/refpolicy
+ Module version bumps for patches from cgzones.
+ Module version bump for cpu_online genfscon from Laurent Bigonville.
+ Update contrib.
+ Fix contrib.
+ Module version bump for cups patch from Guido Trentalancia.
+ Module version bump for xkb fix from Jason Zaman.
+ Bump module versions for release.
+
+Guido Trentalancia (19):
+ xserver: remove unneeded user content permissions
+ xserver: remove unneeded user content permissions
+ Apache OpenOffice module (base policy part)
+ xserver: enable dbus messaging with devicekit power
+ authlogin: indentation/whitespace fix
+ wm: update the window manager (wm) module and enable its role template
+ (v7)
+ userdomain: separate optional conditionals for gnome and wm role templates
+ udev: manage tmpfs files and directories
+ udev: always enable kernel module loading
+ base: enable the xscreensaver role
+ bootloader: stricter permissions and more tailored file contexts
+ modutils: update to run in confined mode
+ base: use new genhomedircon template for username
+ kernel: missing permissions for confined execution
+ xserver: introduce new fc and interface to manage X session logs
+ kernel: add missing plymouth interface
+ xserver: restrict executable memory permissions
+ init: support sysvinit
+ udev: execute HPLIP applications in their own domain
+
+Guido Trentalancia via refpolicy (4):
+ Let users read/manage symlinks on fs that do not support xattr
+ Let unprivileged users list mounted filesystems
+ Let the user list noxattr fs directories
+ sysadm: add the shutdown role
+
+Jason Zaman (1):
+ xserver: allow X roles to read xkb libs to set keymaps
+
+Laurent Bigonville (1):
+ Use genfscon to label /sys/devices/system/cpu/online as cpu_online_t
+
+Luis Ressel (3):
+ system/modutils: Add kernel_search_key(kmod_t)
+ kernel.if: Allow listing /proc/sys/net/unix
+ netutils: Label iptstate as netutils_t
+
+Nicolas Iooss (4):
+ systemd: add systemd-backlight policy
+ systemd: add systemd-binfmt policy
+ Allow searching /proc/sys/fs when using /proc/sys/fs/binfmt_misc
+ Add file contexts in /usr for /bin, /usr/sbin and /usr/lib
+
+Russell Coker (1):
+ single binary modutils
+
+Stephen Smalley (2):
+ refpolicy: Define extended_socket_class policy capability and socket
+ classes
+ refpolicy: drop unused socket security classes
+
+cgzones (21):
+ update .travis.yml
+ update README
+ fix spelling
+ update Makefile
+ update policy/support macros
+ review
+ keep 2 empty lines in front of a new section
+ using intermediate target instead of splitting up conf files generation
+ define filecontext for /run/agetty.reload
+ allow dhcp_t to domtrans into avahi
+ fix syslogd audits
+ remove trailing whitespaces
+ transition file contexts to /run
+ fix permission of installed segenxml.py by install-headers
+ auditd / auditctl: fix audits
+ add files_search_src()
+ update unconfined module * grant capability2:wake_alarm * remove
+ deprecated interfaces
+ update terminal module
+ update corenetwork module
+ use travis cache
+ update mount module
+
* Sun Oct 23 2016 Chris PeBenito <pebenito@ieee.org> - 2.20161023
Chris PeBenito (94):
Module version bump for systemd-user-sessions fc entry from Dominick Grift
diff --git a/VERSION b/VERSION
index f011019..395af8d 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.20161023
+2.20170204
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2017-02-21 7:11 Jason Zaman
From: Jason Zaman @ 2017-02-21 7:11 UTC
To: gentoo-commits
commit: ef5c20e42e5b1204b70973baa1c350036cef64b5
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 18 15:37:35 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Feb 21 06:58:16 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ef5c20e4
Travis-CI: Terminate build immediately on error.
See travis-ci/travis-ci#1066.
.travis.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.travis.yml b/.travis.yml
index b6493b32..957e814d 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -105,6 +105,7 @@ install:
script:
- echo $TYPE $DISTRO $DIRECT_INITRC $MONOLITHIC $SYSTEMD $WERROR
+ - set -e
- make bare
- make conf
- make
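Review bot: a bare `- set -e` in the middle of the `script:` list will look accidental to the next maintainer; add an inline comment naming travis-ci/travis-ci#1066 (cited in the commit message) so it survives a clean-up, and note that it only covers the `script:` items that follow and does not fail a pipeline unless `set -o pipefail` is added as well.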
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2017-02-21 7:11 Jason Zaman
From: Jason Zaman @ 2017-02-21 7:11 UTC
To: gentoo-commits
commit: 4523a90c15843e786aaf666aebc984761cd0ae97
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 18 15:25:48 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Feb 21 06:57:03 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4523a90c
Fix Travis-CI WERROR support.
.travis.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index c0323421..b6493b32 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -101,10 +101,10 @@ install:
- export TEST_TOOLCHAIN="${TRAVIS_BUILD_DIR}/selinux"
# Drop build.conf settings to listen to env vars
- - sed -r -i -e '/(DIRECT_INITRC|MONOLITHIC|TYPE|DISTRO|SYSTEMD)/d' build.conf
+ - sed -r -i -e '/(DIRECT_INITRC|MONOLITHIC|TYPE|DISTRO|SYSTEMD|WERROR)/d' build.conf
script:
- - echo $TYPE $DISTRO $DIRECT_INITRC $MONOLITHIC $SYSTEMD
+ - echo $TYPE $DISTRO $DIRECT_INITRC $MONOLITHIC $SYSTEMD $WERROR
- make bare
- make conf
- make
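Review bot: the `sed -r -i -e '/(DIRECT_INITRC|MONOLITHIC|TYPE|DISTRO|SYSTEMD|WERROR)/d'` pattern is unanchored, so adding `WERROR` (like the existing `TYPE`) deletes every build.conf line that merely contains the substring, comments included; anchoring on the assignment, e.g. `/^(DIRECT_INITRC|MONOLITHIC|TYPE|DISTRO|SYSTEMD|WERROR)[[:space:]]*=/d`, limits the deletion to the settings that the environment variables are meant to override.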
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2017-02-25 16:58 Jason Zaman
From: Jason Zaman @ 2017-02-25 16:58 UTC
To: gentoo-commits
commit: 26f8f91c4a8026fe395e8253432796a95cdab765
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 25 14:38:26 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 16:43:11 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=26f8f91c
Fix typo in README.
Closes #100
README | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README b/README
index 10cca4c1..7ac92f25 100644
--- a/README
+++ b/README
@@ -122,7 +122,7 @@ UNK_PERMS String. Set the kernel behavior for handling of
UBAC Boolean. If set, the SELinux user will be used
additionally for approximate role separation.
-SYSTEMD Boolean. If set, systemd will be assumed the be the init
+SYSTEMD Boolean. If set, systemd will be assumed to be the init
process provider.
MLS_SENS Integer. Set the number of sensitivities in the MLS
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2017-02-27 10:50 Jason Zaman
From: Jason Zaman @ 2017-02-27 10:50 UTC
To: gentoo-commits
commit: 1572117a9a4c1da6797c9753cf0b20e6cbf8e5b0
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 25 16:50:11 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 27 10:38:00 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1572117a
apache: Fix CI error.
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2017-03-02 10:17 Sven Vermeulen
From: Sven Vermeulen @ 2017-03-02 10:17 UTC
To: gentoo-commits
commit: f95f7ed0d8bdb0bcfd8571363e5bb11799cf4678
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Mon Feb 27 21:02:52 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Mar 2 10:16:50 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f95f7ed0
Make "validate" target verify file contexts
When I synchronized my personal policy with the git master branch, "git
rebase" merged the file contexts I have defined for some systemd
components with the ones which have recently been merged. This resulted
in duplicated file contexts in systemd.fc, which made the policy unable
to be loaded.
This issue has not been detected by "make validate" because this command
only verifies policy linking, not the correctness of the file contexts.
Moreover this behavior of "make validate" only happens when building a
modular policy. Indeed Rules.monolithic calls setfiles in order to
validate the file contexts:
validate: $(fc) $(polver)
@echo "Validating $(NAME) file_contexts."
$(verbose) $(SETFILES) -q -c $(polver) $(fc)
@echo "Success."
Invoke setfiles in Rules.modular too in order to catch issues in file
contexts with "make validate". With the issue I experienced, I would
have got the following message:
Validating policy file contexts.
/sbin/setfiles -q -c tmp/policy.bin tmp/all_mods.fc
tmp/all_mods.fc: Multiple same specifications for /run/systemd/machines(/.*)?.
tmp/all_mods.fc: Invalid argument
make: *** [Rules.modular:210: validate] Error 1
While at it, simplify .SECONDARY definition with a newly-introduced
$(all_mod_fc) variable.
Rules.modular | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/Rules.modular b/Rules.modular
index 60fe5549..49d3cca9 100644
--- a/Rules.modular
+++ b/Rules.modular
@@ -5,6 +5,7 @@
all_modules := $(base_mods) $(mod_mods) $(off_mods)
all_interfaces := $(all_modules:.te=.if)
+all_mod_fc := $(addprefix $(tmpdir)/,$(notdir $(all_modules:.te=.mod.fc)))
base_pkg := $(builddir)base.pp
base_fc := $(builddir)base.fc
@@ -30,7 +31,7 @@ vpath %.te $(all_layers)
vpath %.if $(all_layers)
vpath %.fc $(all_layers)
-.SECONDARY: $(addprefix $(tmpdir)/,$(mod_pkgs:.pp=.mod)) $(addprefix $(tmpdir)/,$(mod_pkgs:.pp=.mod.fc))
+.SECONDARY: $(all_mod_fc:.mod.fc=.mod) $(all_mod_fc)
########################################
#
@@ -85,6 +86,9 @@ $(builddir)%.pp: $(tmpdir)/%.mod $(tmpdir)/%.mod.fc
@test -d $(builddir) || mkdir -p $(builddir)
$(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
+$(tmpdir)/all_mods.fc: $(all_mod_fc)
+ $(verbose) cat $^ > $@
+
########################################
#
# Create a base module package
@@ -198,10 +202,12 @@ $(appdir)/customizable_types: $(base_conf)
#
# Validate linking and expanding of modules
#
-validate: $(base_pkg) $(mod_pkgs)
+validate: $(base_pkg) $(mod_pkgs) $(tmpdir)/all_mods.fc
@echo "Validating policy linking."
- $(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^
+ $(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $(base_pkg) $(mod_pkgs)
$(verbose) $(SEMOD_EXP) $(tmpdir)/test.lnk $(tmpdir)/policy.bin
+ @echo "Validating policy file contexts."
+ $(verbose) $(SETFILES) -q -c $(tmpdir)/policy.bin $(tmpdir)/all_mods.fc
@echo "Success."
########################################
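Review bot: `$(all_mod_fc)` is derived from `$(all_modules)`, which includes `$(off_mods)`, while the policy linked in this target is only `$(base_pkg) $(mod_pkgs)`; `setfiles -c` rejects a file context whose type does not exist in `policy.bin`, so an off module that declares its own types will fail `make validate` even though it is correctly left out of the build. Build `all_mods.fc` from the base and enabled modules only, or add a comment stating why the off modules' contexts are expected to validate against this policy.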
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2017-03-30 17:06 Jason Zaman
From: Jason Zaman @ 2017-03-30 17:06 UTC
To: gentoo-commits
commit: 6fff3980a215dde1f6ed9c547b3550e94f1c6975
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Sat Mar 25 22:51:38 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 11:46:48 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6fff3980
travis: move after_success tests into script section
.travis.yml | 2 --
1 file changed, 2 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index 7b83e5cf..d4330257 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -102,8 +102,6 @@ install:
# Drop build.conf settings to listen to env vars
- sed -r -i -e '/(DIRECT_INITRC|MONOLITHIC|TYPE|DISTRO|SYSTEMD|WERROR)/d' build.conf
-
-after_success:
- make xml
- make html
- make DESTDIR=${HOME}/tmp install
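Review bot: deleting only the `after_success:` header leaves the `make xml`, `make html` and `make DESTDIR=${HOME}/tmp install` lines that follow inside the `install:` phase (the hunk header shows this is still `install:`), where they run before `make conf` and `make` in `script:` with nothing built yet; the commit title says they move into `script:`, so the block should be relocated after the `make validate` step rather than left here.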
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2017-03-30 17:06 Jason Zaman
From: Jason Zaman @ 2017-03-30 17:06 UTC
To: gentoo-commits
commit: 8cb5f0c4bc80f413594e10ca271343e44dc5888a
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Mar 30 15:00:46 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 15:00:46 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8cb5f0c4
travis: move make install after building
.travis.yml | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index d4330257..a420597e 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -102,13 +102,6 @@ install:
# Drop build.conf settings to listen to env vars
- sed -r -i -e '/(DIRECT_INITRC|MONOLITHIC|TYPE|DISTRO|SYSTEMD|WERROR)/d' build.conf
- - make xml
- - make html
- - make DESTDIR=${HOME}/tmp install
- - make DESTDIR=${HOME}/tmp install-headers
- - make DESTDIR=${HOME}/tmp install-src
- - make DESTDIR=${HOME}/tmp install-docs
- - make DESTDIR=${HOME}/tmp install-appconfig
script:
- echo $TYPE $DISTRO $DIRECT_INITRC $MONOLITHIC $SYSTEMD $WERROR
@@ -118,6 +111,15 @@ script:
- make
- make validate
+ - make xml
+ - make html
+
+ - make DESTDIR=${HOME}/tmp install
+ - make DESTDIR=${HOME}/tmp install-headers
+ - make DESTDIR=${HOME}/tmp install-src
+ - make DESTDIR=${HOME}/tmp install-docs
+ - make DESTDIR=${HOME}/tmp install-appconfig
+
branches:
only:
- /^travis-.*/
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2017-04-10 16:59 Sven Vermeulen
From: Sven Vermeulen @ 2017-04-10 16:59 UTC
To: gentoo-commits
commit: bfa6b4ee0f8dbcca3d53e4debfd9acf788aa1a7d
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Wed Mar 29 15:18:04 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Apr 10 16:44:57 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bfa6b4ee
clean up python3 cache on make bare
Makefile | 1 +
1 file changed, 1 insertion(+)
diff --git a/Makefile b/Makefile
index 4c768b55..325bf5a2 100644
--- a/Makefile
+++ b/Makefile
@@ -636,6 +636,7 @@ bare: clean
ifndef LOCAL_ROOT
$(verbose) rm -f $(fcsort)
$(verbose) rm -f $(support)/*.pyc
+ $(verbose) rm -Rf $(support)/__pycache__/
ifneq ($(generated_te),)
$(verbose) rm -f $(generated_te)
endif
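Review bot: `rm -Rf $(support)/__pycache__/` is a recursive delete on a path built from an unguarded variable; the surrounding `ifndef LOCAL_ROOT` does not ensure `$(support)` is non-empty, so an empty value would expand to `rm -Rf /__pycache__/`. Wrap it in an `ifneq ($(support),)` guard in the style of the `ifneq ($(generated_te),)` block two lines below, and prefer `-rf` to match the lower-case flag style of the neighbouring `rm -f` lines.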
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2017-06-13 8:25 Jason Zaman
From: Jason Zaman @ 2017-06-13 8:25 UTC
To: gentoo-commits
commit: 811e2eedbb1819813b2d854d155f3d3b49183fc7
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Jun 7 00:10:47 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jun 13 07:59:58 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=811e2eed
gpg: Module version bump for patch from Guido Trentalancia.
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2018-01-18 16:37 Sven Vermeulen
From: Sven Vermeulen @ 2018-01-18 16:37 UTC
To: gentoo-commits
commit: da5d83301f05b2410493a56eab1ad8f1753657eb
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Jan 14 19:08:09 2018 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jan 18 16:31:46 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=da5d8330
Update Changelog and VERSION for release.
Changelog | 210 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
VERSION | 2 +-
2 files changed, 211 insertions(+), 1 deletion(-)
diff --git a/Changelog b/Changelog
index ed68767c..b0310fbb 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,213 @@
+* Sun Jan 14 2018 Chris PeBenito <pebenito@ieee.org> - 2.20180114
+Adam Duskett (1):
+ fix regex escape sequence error.
+
+Anthony PERARD (1):
+ Update for Xen 4.7
+
+Chad Hanson (1):
+ Fix implementation of MLS file relabel attributes
+
+Chris PeBenito (74):
+ Module version bump for patches from Guido Trentalancia and Anthony
+ PERARD.
+ Rules.modular: Fix file context verification.
+ Remove deprecated interfaces older than one year old.
+ .travis.yml: Use git tag instead of release tarball for selinux userspace.
+ kernel: Module version bump for patch from Nicolas Iooss.
+ Remove complement and wildcard in allow rules.
+ logging: Move line.
+ Module version bump for patches from Nicolas Iooss.
+ Module version bump for fixes from Nicolas Iooss.
+ Update contrib.
+ dbus: move comments out of the file context definitions
+ Update contrib.
+ systemd, udev: Module version bump.
+ systemd: Whitespace fix.
+ Module version bump for patches from Nicolas Iooss.
+ init: Move fc lines.
+ init: Module version bump for patch from Dave Sugar.
+ files: Move files_check_write_pid_dirs interface.
+ terminal: Rename term_create_devpts.
+ Several module version bumps.
+ init: Move init_spec_daemon_domain implementation.
+ Module version bumps.
+ init: Rename init_rlimit_inherit to init_inherit_rlimit.
+ init: Whitespace fix.
+ Module version bumps.
+ spamassassin: Fix build error.
+ init: Fix XML error.
+ spamassassin: Add missing requirement in spamassassin_admin().
+ sysadm,fstools: Module version bump.
+ authlogin, logging, udev: Module version bump.
+ init: Remove sm-notify.pid fc entry which collides with the rpc module.
+ corecommands, xserver, systemd, userdomain: Version bumps.
+ Update contrib.
+ Update contrib.
+ corecommands: Module version bump.
+ init: Module version bump.
+ Merge pull request #125 from lalozano/master
+ devices: Module version bump.
+ Module version bumps.
+ Merge branch 'master' of git://github.com/davidgraz/refpolicy
+ ipsec: Module version bump.
+ Merge branch 'master' of git://github.com/aduskett/refpolicy
+ init: Clean up line placement in init_systemd blocks.
+ files: Whitespace fix.
+ Merge branch 'systemd-networkd'
+ files, init, sysnetwork, systemd: Module version bumps.
+ Merge pull request #128 from williamcroberts/fc-sort-fixups
+ Update contrib.
+ files, netutils: Module version bump.
+ miscfiles: Module version bump.
+ Update contrib.
+ files, userdomain: Module version bump.
+ kernel, mls, sysadm, ssh, xserver, authlogin, locallogin, userdomain:
+ Module version bumps.
+ Several module version bumps.
+ Module version bumps.
+ dmesg, locallogin, modutils: Module version bump.
+ loadable_module.spt: Add debugging comments for tunable_policy blocks.
+ networkmanager: Grant access to unlabeled PKeys
+ filesystem: Rename fs_relabel_cgroup_lnk_files.
+ corcmd, fs, xserver, init, systemd, userdomain: Module version bump.
+ xserver, sysnetwork, systemd: Module version bump.
+ xserver: Module version bump.
+ init: Module version bump.
+ Update contrib.
+ mls, xserver, systemd, userdomain: Module version bump.
+ storage, userdomain: Module version bump.
+ Add new mmap permission set and pattern support macros.
+ Add missing mmap_*_files_pattern macros.
+ Revise mmap_file_perms deprecation warning message.
+ Update contrib.
+ hostname: Module version bump.
+ Update contrib.
+ init: Module version bump.
+ Bump module versions for release.
+
+Christian Göttsche (6):
+ update travis
+ rkhunter: add interfaces for var_run and lock dir access check
+ dphysswapfile: add interfaces and sysadm access
+ hostname: cmdline usage + signal perms sort
+ filesystem: add fs_rw_inherited_hugetlbfs_files for apache module
+ init: add init_rw_inherited_stream_socket
+
+David Graziano (1):
+ system/ipsec: Add signull access for strongSwan
+
+David Sugar (20):
+ Strip spaces from NAME
+ Separate read and write interface for tun_tap_device_t
+ Label RHEL specific systemd binaries
+ Label /etc/rsyslog.d as syslog_conf_t
+ Add init_spec_daemon_domain interface
+ Add status into init_startstop_service interface
+ Add int_rlimit_inherit interface
+ remove interface init_inherit_rlimit
+ Fix problem labeling /run/log/journal/*
+ Denial relabeling /run/systemd/private
+ policy for systemd-networkd
+ Label /var/lib/lightdm-data
+ Change label for ~/.xsession-errors
+ Work around systemd-logind patch not in RHEL 7.x yet
+ RHEL 7.4 has moved the location of /usr/libexec/sesh to
+ /usr/libexec/sudo/sesh
+ Create interfaces to write to inherited xserver log files.
+ label systemd-shutdown so shutdown works
+ Make an attribute for objects in /run/user/%{USERID}/*
+ Make xdm directories created in /run/user/%{USERID}/ xdm_runtime_t
+ (user_runtime_content_type)
+ Allow systemd_logind to delete user_runtime_content_type files
+
+David Sugar via refpolicy (2):
+ label /etc/mcelog/mcelog.setup correctly (for RHEL)
+ Allow xdm_t to read /proc/sys/crypto/fips_enabled
+
+Guido Trentalancia (4):
+ userdomain: allow netlink_kobject_uvent_socket creation
+ xserver: do not audit ioctl operations on log files
+ fc_sort: memory leakages
+ base: create a type for SSL private keys
+
+Jason Zaman (8):
+ Allow sysadm to map all non auth files
+ userdomain: allow admin to rw tape storage
+ files: fcontext for /etc/zfs/zpool.cache
+ mls mcs: Add constraints for key class
+ Add key interfaces and perms
+ gssproxy: Allow others to stream connect
+ userdomain: Allow public content access
+ storage: Add fcontexts for NVMe disks
+
+Jason Zaman via refpolicy (3):
+ udev: map module objects to load kernel modules
+ syslog: allow map persist file
+ sudo: add fcontext for /run/sudo/ts/USERNAME
+
+Konrad Rzeszutek Wilk (2):
+ kernel/xen: Update for Xen 4.6
+ kernel/xen: Add map permission to the dev_rw_xen
+
+Krzysztof Nowicki (2):
+ Add policy for systemd GPT generator
+ Allow systemd to relabel cgroupfs legacy symlinks
+
+Laurent Bigonville (2):
+ Allow domains using sysnet_dns_name_resolve() interface to access NSS
+ mymachines files
+ Add private type for systemd logind inhibit files and pipes
+
+Luis A. Lozano (1):
+ Avoid memory leak warning.
+
+Luis Ressel (15):
+ modutils: libkmod mmap()s modules.dep and *.ko's
+ libraries: ldconfig maps its "aux-cache" during cache updates
+ userdomain: Add various interfaces granting the map permission
+ files: Create files_map_usr_files interface
+ selinuxutil: Add map permissions neccessary for semanage
+ kernel: Add map permission to the dev_{read, write}_sound* interfaces
+ miscfiles: Allow libfontconfig consumers to map the fonts cache
+ userdomain: man-db needs to map its 'index.db' cache
+ logging: Various audit tools (auditctl, ausearch, etc) map their config
+ and logs
+ Grant all permissions neccessary for Xorg and basic X clients
+ libraries: Add fc entry for musl's ld.so config
+ xserver: Allow xdm_t to map usr_t files
+ locallogin: Grant local_login_t the dac_read_search capability
+ dmesg: Grant read access to /usr/share/terminfo
+ modutils: Dontaudit CAP_SYS_ADMIN checks for modprobe
+
+Luis Ressel via refpolicy (2):
+ kernel/files.if: files_list_kernel_modules should grant read perms for
+ symlinks
+ netutils: Grant netutils_t map perms for the packet_socket class
+
+Nicolas Iooss (9):
+ Add module_load permission to self when loading modules is allowed
+ audit: allow reading /etc/localtime
+ corecommands: label dhcpcd hook scripts bin_t
+ Add "/usr/(.*/)?bin(/.*)?" pattern back
+ Allow dhcpcd to use generic netlink and raw IP sockets
+ corecommands: label Arch Linux pacman's scripts as bin_t
+ init: allow systemd to create /dev/pts as devpts_t
+ init: allow systemd to relabel /dev and /run
+ corecommands: label systemd script directories bin_t
+
+Nicolas Iooss via refpolicy (1):
+ terminal: /dev/pts exists in /dev filesystem
+
+Russell Coker (4):
+ systemd nspawn and backlight
+ udev and dhcpd
+ minor nspawn, dnsmasq, and mon patches
+ refpolicy and certs
+
+William Roberts (1):
+ fc_sort: use calloc instead of malloc
+
* Sat Aug 05 2017 Chris PeBenito <pebenito@ieee.org> - 2.20170805
Chris PeBenito (134):
Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker.
diff --git a/VERSION b/VERSION
index 70034956..838b5716 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.20170805
+2.20180114
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2018-03-25 10:29 Sven Vermeulen
From: Sven Vermeulen @ 2018-03-25 10:29 UTC
To: gentoo-commits
commit: 3dbc18fd4662c413ce54cae60aea83ec65108cea
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Mar 21 18:15:53 2018 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Mar 25 10:27:58 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3dbc18fd
.travis.yml: Change to master branch for sctp support.
.travis.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.travis.yml b/.travis.yml
index f6d8128f..5f2360bd 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -60,7 +60,7 @@ before_install:
- python -V
install:
- - SELINUX_USERSPACE_VERSION=libsepol-2.7
+ - SELINUX_USERSPACE_VERSION=master
- export DESTDIR="${TRAVIS_BUILD_DIR}/selinux"
- |
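Review bot: `SELINUX_USERSPACE_VERSION=master` defeats the cache check that follows in this `- |` block, which rebuilds the toolchain only when the variable differs from the cached `travis.version` marker; once `master` has been recorded, later builds keep reusing the cached userspace while upstream master moves on, so the sctp support this change wants may never reach a builder with a warm cache unless the Travis cache is cleared by hand, and the build is no longer reproducible. Pin a commit hash or a tag that contains the needed change, or make the marker depend on the actual commit checked out rather than the branch name.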
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2018-06-24 8:46 Jason Zaman
From: Jason Zaman @ 2018-06-24 8:46 UTC
To: gentoo-commits
commit: 5ac8ce3a6a2d0993aafca0ca52c6c3edc30d1287
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Jun 23 14:49:50 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jun 24 08:35:17 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5ac8ce3a
Changelog.contrib: Add note about refpolicy-contrib removal.
Changelog.contrib | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/Changelog.contrib b/Changelog.contrib
index 1596ba77..a910f032 100644
--- a/Changelog.contrib
+++ b/Changelog.contrib
@@ -1,3 +1,8 @@
+This is the Changelog for the old refpolicy-contrib submodule. This
+submodule was removed and its contents moved back to the main Reference
+Policy repository on 2018-23-06.
+
+
* Sun Jan 14 2018 Chris PeBenito <pebenito@ieee.org> - 2.20180114
Chad Hanson (1):
Allow rpm to relabel files at all levels
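Review bot: the date `2018-23-06` in the added note is not a valid YYYY-MM-DD date; given this commit's author date of 2018-06-23 it should read `2018-06-23`. The two consecutive blank `+` lines before the `2.20180114` entry also look unintentional, since the other Changelog entries in this series are separated by a single blank line.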
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2018-07-08 11:47 Jason Zaman
From: Jason Zaman @ 2018-07-08 11:47 UTC
To: gentoo-commits
commit: 6e8c92160e729f0f17027084c48b41ada0bedd17
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Jul 1 15:02:33 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jul 2 11:47:17 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6e8c9216
Update Changelog and VERSION for release.
Changelog | 83 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
VERSION | 2 +-
2 files changed, 84 insertions(+), 1 deletion(-)
diff --git a/Changelog b/Changelog
index b0310fbb..116e228a 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,86 @@
+* Sun Jul 01 2018 Chris PeBenito <pebenito@ieee.org> - 2.20180701
+Chris PeBenito (28):
+ Enable cgroup_seclabel and nnp_nosuid_transition.
+ Misc dbus fixes from Russell Coker.
+ Simple map patch from Russell Coker.
+ another trivial dbus patch from Russell Coker.
+ Merge branch 'xtable-proc' of https://github.com/bigon/refpolicy
+ iptables: Module version bump.
+ Update contrib.
+ .travis.yml: Change to master branch for sctp support.
+ corenetwork, init: Module version bump.
+ Module version bumps for patches from James Carter.
+ Update contrib.
+ init, logging, sysnetwork, systemd, udev: Module version bump.
+ sysnetwork: Move lines in sysnet_read_config().
+ sysnetwork: Module version bump.
+ init: Module version bump.
+ Remove deprecated flask.py script.
+ Switch all remaining Python references to the Python 3 interpreter.
+ systemd: Move lines.
+ corecommands: Module version bump.
+ Makefile: Tweak cli output.
+ XDG: Module version bump.
+ Remove refpolicy-contrib submodule.
+ Re-add policy modules from old refpolicy-contrib submodule.
+ Move all files out of the old contrib directory.
+ Changelog.contrib: Add note about refpolicy-contrib removal.
+ sysnetwork: Module version bump.
+ xdg, xserver, mplayer, games: Module version bump.
+ Bump module versions for release.
+
+Christian Göttsche (1):
+ add definition of bpf class and systemd perms
+
+Dave Sugar (8):
+ Fix problems booting with fips=1
+ Interface to read /run/systemd/resolve/resolv.conf
+ Allow systemd-resolved to read sysctl
+ Allow systemd_resolved to read systemd_networkd runtime files
+ Allow systemd-resolved to connect to system dbusd
+ systemd-resolved uses notify to indicate status
+ policy for systemd-update-done
+ policy for systemd-hwdb
+
+James Carter (8):
+ Removed unnecessary semicolons
+ Mark unused parameters as unused
+ Move the use of var_log_t from authlogin.fc to logging.fc
+ Move the use of initrc_var_run_t from files.fc to init.fc
+ Move use of systemd_unit_t from systemd.fc to init.fc
+ Move use of user_devpts_t from terminal.fc to userdomain.fc
+ Remove undeclared identifiers from interfaces
+ Remove undeclared identifiers from xserver interface
+
+Jason Zaman (9):
+ sysnetwork: put systemd_read_resolved_runtime in an ifdef
+ init: Add filetrans for /run/initctl
+ corecommands: adjust gcc fcontext to also work on musl
+ userdom: remove filetrans from userdom_user_content_access_template
+ xdg: Add map perms, also make lnk_file, dirs consistent
+ xdg: filetrans should not add filetrans from user_home_dir
+ xdg: Introduce xdg_search_cache_dirs
+ xserver: Add mesa_shader_cache for GLSL in ~/.cache/mesa_shader_cache/
+ apps: rw mesa_shader_cache
+
+Laurent Bigonville (1):
+ Label /etc/hosts.allow as net_conf_t
+
+Miroslav Grepl (1):
+ xtables-multi wants to getattr of the proc fs
+
+Richard Haines (1):
+ refpolicy: Update for kernel sctp support
+
+Sven Vermeulen (7):
+ Add gentemplates.sh to extract template content
+ Update segenxml to include support for templated booleans and tunables
+ Generate template code and update genxml call for documentation generation
+ freedesktop location support
+ Allow X server users to manage all xdg resources
+ helper interfaces to read/manage all user content
+ tunable-managed user content access template
+
* Sun Jan 14 2018 Chris PeBenito <pebenito@ieee.org> - 2.20180114
Adam Duskett (1):
fix regex escape sequence error.
diff --git a/VERSION b/VERSION
index 838b5716..b40612cc 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.20180114
+2.20180701
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2019-02-10 4:14 Jason Zaman
From: Jason Zaman @ 2019-02-10 4:14 UTC
To: gentoo-commits
commit: 744101042e9ae8eab4f942963b64dcaf5f2c738a
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Feb 1 20:03:42 2019 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 10 04:11:25 2019 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=74410104
Update Changelog and VERSION for release.
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
Changelog | 234 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
VERSION | 2 +-
2 files changed, 235 insertions(+), 1 deletion(-)
diff --git a/Changelog b/Changelog
index 116e228a..75d5fae0 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,237 @@
+* Fri Feb 01 2019 Chris PeBenito <pebenito@ieee.org> - 2.20190201
+Alexander Miroshnichenko (16):
+ Add signal_perms setpgid setsched permissions to syncthing_t.
+ Add corecmd_exec_bin permissions to syncthing_t.
+ Allow syncthing_t to read network state.
+ Allow syncthing_t to execute ifconfig/iproute2.
+ Add required permissions for nsd_t to be able running.
+ Add nsd_admin interface to sysadm.te.
+ Add map permission to lvm_t on lvm_metadata_t.
+ Add comment for map on lvm_metadata_t.
+ Remove syncthing tunable_policy.
+ Remove unneeded braces from nsd.te.
+ Add new interface fs_rmw_hugetlbfs_files.
+ Add map permission for postgresql_t to postgresql_tmp_t files.
+ Add dovecot_can_connect_db boolean.
+ fs_mmap_rw_hugetlbfs_files is a more appropriate name for the interface
+ Add hostapd service module
+ minor updates redis module to be able to start the app
+
+Chris PeBenito (85):
+ mozilla, devices, selinux, xserver, init, iptables: Module version bump.
+ devices: Module version bump.
+ misc_patterns.spt: Remove unnecessary brackets.
+ ipsec: Module version bump.
+ fstools: Module version bump.
+ corecommands: Module version bump.
+ xserver: Module version bump.
+ Merge pull request #1 from bigon/fix-sepolgen-ifgen
+ Remove unused translate permission in context userspace class.
+ logrotate: Module version bump.
+ miscfiles: Module version bump.
+ Merge pull request #3 from bigon/xdp-socket
+ obj_perm_sets.spt: Add xdp_socket to socket_class_set.
+ clamav, ssh, init: Module version bump.
+ amavis, apache, clamav, exim, mta, udev: Module version bump.
+ dnsmasq: Whitespace fix in file contexts.
+ dnsmasq: Reorder lines in file contexts.
+ Merge branch 'master' of https://github.com/bigon/refpolicy
+ Merge branch 'resolved' of https://github.com/bigon/refpolicy
+ Merge branch 'iscsi' of https://github.com/bigon/refpolicy
+ Various modules: Version bump.
+ dnsmasq: Module version bump.
+ Merge branch 'minissdpd' of https://github.com/bigon/refpolicy
+ cron, minissdpd, ntp, systemd: Module version bump.
+ dbus, xserver, init, logging, modutils: Module version bump.
+ Merge branch 'syncthing' of https://github.com/alexminder/refpolicy
+ syncthing: Whitespace change
+ Merge branch 'lvm' of https://github.com/alexminder/refpolicy
+ lvm, syncthing: Module version bump.
+ sigrok: Remove extra comments.
+ networkmanager: Add ICMPv6 comment
+ sysnetwork: Move optional block in sysnet_dns_name_resolve().
+ sysnetwork: Move lines.
+ dpkg: Rename dpkg_read_script_tmp_links().
+ apt, rpm: Remove and move lines to fix fc conflicts.
+ sudo: Whitespace fix.
+ many: Module version bumps for changes from Russell Coker.
+ systemd: Rename systemd_list_netif() to systemd_list_networkd_runtime().
+ init: Remove inadvertent merge.
+ Merge branch 'nsd' of https://github.com/alexminder/refpolicy
+ nsd: Merge two rules into one.
+ Merge branch 'ssh_dac_read_search' of
+ git://github.com/fishilico/selinux-refpolicy
+ Merge branch 'restorecond_getattr_cgroupfs' of
+ git://github.com/fishilico/selinux-refpolicy
+ Merge branch 'systemd-logind-getutxent' of
+ git://github.com/fishilico/selinux-refpolicy
+ various: Module version bump.
+ iptables: Module version bump.
+ Add CONTRIBUTING file.
+ kernel, systemd: Move lines.
+ kernel, jabber, ntp, init, logging, systemd: Module version bump.
+ Merge branch 'systemd-journald_units_symlinks' of
+ git://github.com/fishilico/selinux-refpolicy
+ init, logging: Module version bump.
+ Merge branch 'services_single_usr_bin' of
+ git://github.com/fishilico/selinux-refpolicy
+ Merge branch 'init_rename_pid_interfaces' of
+ git://github.com/fishilico/selinux-refpolicy
+ various: Module name bump.
+ Merge branch 'systemd-rfkill' of
+ git://github.com/fishilico/selinux-refpolicy
+ systemd: Whitespace change
+ systemd: Module version bump.
+ Merge branch 'restorecond-symlinks' of
+ git://github.com/fishilico/selinux-refpolicy
+ Merge branch 'add_comment' of git://github.com/DefenSec/refpolicy
+ usermanage, cron, selinuxutil: Module version bump.
+ logging, sysnetwork, systemd: Module version bump.
+ Merge branch 'restorecond-dontaudit-symlinks' of
+ git://github.com/fishilico/selinux-refpolicy
+ selinuxutil: Module version bump.
+ Merge branch 'dbus-dynamic-uid' of
+ git://github.com/fishilico/selinux-refpolicy
+ xserver: Move line
+ systemd: Move interface implementation.
+ various: Module version bump.
+ dpkg: Rename dpkg_nnp_transition() to dpkg_nnp_domtrans().
+ dpkg: Move interface implementations.
+ init: Rename init_read_generic_units_links() to
+ init_read_generic_units_symlinks().
+ init: Drop unnecessary userspace class dependence in
+ init_read_generic_units_symlinks().
+ chromium: Whitespace fixes.
+ chromium: Move line.
+ Merge branch 'dovecot' of git://github.com/alexminder/refpolicy
+ dovecot: Move lines.
+ various: Module version bump.
+ Merge branch 'postgres' of git://github.com/alexminder/refpolicy
+ filesystem, postgresql: Module version bump.
+ hostapd: Whitespace change.
+ hostapd: Move line.
+ various: Module version bump.
+ redis: Move line.
+ redis: Module version bump.
+ corecommands, staff, unprivuser, ssh, locallogin, systemd: Module version
+ bump.
+ Bump module versions for release.
+
+David Sugar (15):
+ Interface to allow reading of virus signature files.
+ Update CUSTOM_BUILDOPT
+ Add interface udev_run_domain
+ Allow clamd_t to read /proc/sys/crypt/fips_enabled
+ Interface to add domain allowed to be read by ClamAV for scanning.
+ Add interfaces to control clamav_unit_t systemd services
+ Allow clamd to use sent file descriptor
+ Add interfaces to control ntpd_unit_t systemd services
+ interface to enable/disable systemd_networkd service
+ Interface to read cron_system_spool_t
+ Allow X (xserver_t) to read /proc/sys/crypto/fips_enabled
+ Allow kmod to read /proc/sys/crypto/fips_enabled
+ Allow dbus to access /proc/sys/crypto/fips_enabled
+ Add missing require for 'daemon' attribute.
+ Allow auditctl_t to read bin_t symlinks.
+
+Dominick Grift (1):
+ unconfined: add a note about DBUS
+
+Guido Trentalancia (1):
+ Add sigrok contrib module
+
+Jagannathan Raman (1):
+ vhost: Add /dev/vhost-scsi device of type vhost_device_t.
+
+Jason Zaman (10):
+ selinux: compute_access_vector requires creating netlink_selinux_sockets
+ mozilla: xdg updates
+ xserver: label .cache/fontconfig as user_fonts_cache_t
+ Allow map xserver_misc_device_t for nvidia driver
+ iptables: fcontexts for 1.8.0
+ devices: introduce dev_dontaudit_read_sysfs
+ files: introduce files_dontaudit_read_etc_files
+ kernel: introduce kernel_dontaudit_read_kernel_sysctl
+ userdomain: introduce userdom_user_home_dir_filetrans_user_cert
+ Add chromium policy upstreamed from Gentoo
+
+Laurent Bigonville (10):
+ policy/support/obj_perm_sets.spt: modify indentation of mmap_file_perms to
+ make sepolgen-ifgen happy
+ Add xdp_socket security class and access vectors
+ irqbalance now creates an abstract socket
+ Allow semanage_t to connect to system D-Bus bus
+ Allow ntpd_t to read init state
+ Add systemd_dbus_chat_resolved() interface
+ Allow sysnet_dns_name_resolve() to use resolved to resolve DNS names
+ Allow systemd_resolved_t to bind to port 53 and use net_raw
+ Allow iscsid_t to create a netlink_iscsi_socket
+ Allow minissdpd_t to create a unix_stream_socket
+
+Luis Ressel (7):
+ corecommands: Fix /usr/share/apr* fc
+ xserver: Allow user fonts (and caches) to be mmap()ed.
+ Add fc for /var/lib/misc/logrotate.status
+ Realign logrotate.fc, remove an obvious comment
+ miscfiles: Label /usr/share/texmf*/fonts/ as fonts_t
+ services/ssh: Don't audit accesses from ssh_t to /dev/random
+ system/init: Give init_spec_daemon_domain()s the "daemon" attribute
+
+Lukas Vrabec (1):
+ Improve domain_transition_pattern to allow mmap entrypoint bin file.
+
+Nicolas Iooss (11):
+ fstools: label e2mmpstatus as fsadm_exec_t
+ ssh: use dac_read_search instead of dac_override
+ selinuxutil: allow restorecond to try counting the number of files in
+ cgroup fs
+ systemd: allow systemd-logind to use getutxent()
+ Allow systemd-journald to read systemd unit symlinks
+ Label service binaries in /usr/bin like /usr/sbin
+ init: rename *_pid_* interfaces to use "runtime"
+ systemd: add policy for systemd-rfkill
+ selinuxutil: allow restorecond to read symlinks
+ selinuxutil: restorecond is buggy when it dereferencies symlinks
+ dbus: allow using dynamic UID
+
+Petr Vorel (1):
+ dnsmasq: Require log files to have .log suffix
+
+Russell Coker (19):
+ misc services patches
+ misc interfaces
+ last misc stuff
+ systemd related interfaces
+ systemd misc
+ missing from previous
+ cron trivial
+ mls stuff
+ logging
+ some little stuff
+ trivial system cronjob
+ another trivial
+ more tiny stuff
+ map systemd private dirs
+ tiny stuff for today
+ yet more tiny stuff
+ yet another little patch
+ chromium
+ more misc stuff
+
+Sugar, David (9):
+ Allow greeter to start dbus
+ pam_faillock creates files in /run/faillock
+ Add interface to get status of iptables service
+ Add interface to start/stop iptables service
+ label journald configuraiton files syslog_conf_t
+ Interface with systemd_hostnamed over dbus to set hostname
+ Modify type for /etc/hostname
+ Add interface clamav_run
+ Add interface to read journal files
+
+Yuli Khodorkovskiy (1):
+ ipsec: add missing permissions for pluto
+
* Sun Jul 01 2018 Chris PeBenito <pebenito@ieee.org> - 2.20180701
Chris PeBenito (28):
Enable cgroup_seclabel and nnp_nosuid_transition.
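Review bot: the same contributor is listed twice in this entry, as `David Sugar (15)` and as `Sugar, David (9)`, so the per-author counts are split and the second block sorts under "S"; a `.mailmap` entry mapping the `Sugar, David` identity to the canonical one would let `git shortlog` merge them before the next release is cut. Separately, `label journald configuraiton files syslog_conf_t` and `restorecond is buggy when it dereferencies symlinks` carry typos from their original commit subjects; the Changelog reproduces subjects verbatim, so they stay here, but they are the kind of thing to catch when those commits are reviewed.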
diff --git a/VERSION b/VERSION
index b40612cc..b93d30a8 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.20180701
+2.20190201
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2019-07-13 7:01 Jason Zaman
From: Jason Zaman @ 2019-07-13 7:01 UTC
To: gentoo-commits
commit: 18ab255a88e32bf5a90ebee26ad957117645358d
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Apr 28 10:34:36 2019 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 28 10:43:03 2019 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=18ab255a
.travis.yml: Remove DIRECT_INITRC from test matrix
commit 53db187a5aa702c59b8905509536c56c2867b3a8
init: Revise conditions in init_startstop_service().
broke DIRECT_INITRC=y, and it is not supported on Gentoo anyway,
so just drop it from the test matrix.
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
.travis.yml | 40 ++++++++++++++--------------------------
1 file changed, 14 insertions(+), 26 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index 5f2360bd..a79aee8a 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -8,30 +8,18 @@ matrix:
# for T in standard mls mcs ; do for D in arch debian gentoo ; do for I in n y ; do for M in y n ; do for S in n y ; do
# echo " - TYPE=$T DISTRO=$D DIRECT_INITRC=$I MONOLITHIC=$M SYSTEMD=$S" ; done ; done ; done ; done ; done
env:
- - TYPE=standard DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=y SYSTEMD=n WERROR=y
- - TYPE=standard DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=y SYSTEMD=y WERROR=y
- - TYPE=standard DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n SYSTEMD=n WERROR=y
- - TYPE=standard DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n SYSTEMD=y WERROR=y
- - TYPE=standard DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=y SYSTEMD=n WERROR=y
- - TYPE=standard DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=y SYSTEMD=y WERROR=y
- - TYPE=standard DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n SYSTEMD=n WERROR=y
- - TYPE=standard DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n SYSTEMD=y WERROR=y
- - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=y SYSTEMD=n WERROR=y
- - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=y SYSTEMD=y WERROR=y
- - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n SYSTEMD=n WERROR=y
- - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n SYSTEMD=y WERROR=y
- - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=y SYSTEMD=n WERROR=y
- - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=y SYSTEMD=y WERROR=y
- - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n SYSTEMD=n WERROR=y
- - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n SYSTEMD=y WERROR=y
- - TYPE=mls DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=y SYSTEMD=n WERROR=y
- - TYPE=mls DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=y SYSTEMD=y WERROR=y
- - TYPE=mls DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n SYSTEMD=n WERROR=y
- - TYPE=mls DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n SYSTEMD=y WERROR=y
- - TYPE=mls DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=y SYSTEMD=n WERROR=y
- - TYPE=mls DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=y SYSTEMD=y WERROR=y
- - TYPE=mls DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n SYSTEMD=n WERROR=y
- - TYPE=mls DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n SYSTEMD=y WERROR=y
+ - TYPE=standard DISTRO=gentoo MONOLITHIC=n SYSTEMD=n WERROR=y
+ - TYPE=standard DISTRO=gentoo MONOLITHIC=n SYSTEMD=y WERROR=y
+ - TYPE=standard DISTRO=gentoo MONOLITHIC=y SYSTEMD=n WERROR=y
+ - TYPE=standard DISTRO=gentoo MONOLITHIC=y SYSTEMD=y WERROR=y
+ - TYPE=mcs DISTRO=gentoo MONOLITHIC=n SYSTEMD=n WERROR=y
+ - TYPE=mcs DISTRO=gentoo MONOLITHIC=n SYSTEMD=y WERROR=y
+ - TYPE=mcs DISTRO=gentoo MONOLITHIC=y SYSTEMD=n WERROR=y
+ - TYPE=mcs DISTRO=gentoo MONOLITHIC=y SYSTEMD=y WERROR=y
+ - TYPE=mls DISTRO=gentoo MONOLITHIC=n SYSTEMD=n WERROR=y
+ - TYPE=mls DISTRO=gentoo MONOLITHIC=n SYSTEMD=y WERROR=y
+ - TYPE=mls DISTRO=gentoo MONOLITHIC=y SYSTEMD=n WERROR=y
+ - TYPE=mls DISTRO=gentoo MONOLITHIC=y SYSTEMD=y WERROR=y
sudo: false
dist: trusty
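Review bot: the generator comment at the top of this hunk still loops `for I in n y` and emits `DIRECT_INITRC=$I`, so anyone regenerating the matrix from it would reintroduce the variable this commit removes. Drop the `I` loop and the `DIRECT_INITRC=$I` token from the comment; while there, the `for D in arch debian gentoo` loop no longer matches the `DISTRO=gentoo`-only list below it either, so the comment should be brought in line with what is actually tested.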
@@ -92,10 +80,10 @@ install:
- export TEST_TOOLCHAIN="${TRAVIS_BUILD_DIR}/selinux"
# Drop build.conf settings to listen to env vars
- - sed -r -i -e '/(DIRECT_INITRC|MONOLITHIC|TYPE|DISTRO|SYSTEMD|WERROR)/d' build.conf
+ - sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO|SYSTEMD|WERROR)/d' build.conf
script:
- - echo $TYPE $DISTRO $DIRECT_INITRC $MONOLITHIC $SYSTEMD $WERROR
+ - echo $TYPE $DISTRO $MONOLITHIC $SYSTEMD $WERROR
- set -e
- make bare
- make conf
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2019-07-13 7:01 Jason Zaman
From: Jason Zaman @ 2019-07-13 7:01 UTC
To: gentoo-commits
commit: f5d11861eeca182157bc9928fc7ace8cce514f49
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Jun 9 18:05:20 2019 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jul 13 06:43:14 2019 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f5d11861
Update Changelog and VERSION for release.
Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
Changelog | 133 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
VERSION | 2 +-
2 files changed, 134 insertions(+), 1 deletion(-)
diff --git a/Changelog b/Changelog
index 75d5fae0..9ecb9c1f 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,136 @@
+* Sun Jun 09 2019 Chris PeBenito <pebenito@ieee.org> - 2.20190609
+Chris PeBenito (70):
+ systemd: Module version bump.
+ Merge branch 'sysadm-dynamic-users' of
+ git://github.com/fishilico/selinux-refpolicy
+ sysadm: Module version bump.
+ Merge branch 'stubby-daemon' of
+ git://github.com/fishilico/selinux-refpolicy
+ corenetwork: Module version bump.
+ systemd: Remove unnecessary brackets.
+ init, systemd, cdrecord: Module version bump.
+ logging, miscfiles, authlogin: Module version bump.
+ Merge branch 'systemd-journald-signull' of
+ git://github.com/fishilico/selinux-refpolicy
+ Merge branch 'restorecond-no-read-all' of
+ git://github.com/fishilico/selinux-refpolicy
+ logging, selinuxutil: Module version bump.
+ Merge branch 'systemd-update-done' of
+ git://github.com/fishilico/selinux-refpolicy
+ systemd: Module version bump.
+ aide, clamav: Module version bump.
+ filesystem, cron, authlogin: Module version bump.
+ Remove incorrect comment about capability2:mac_admin.
+ usermanage: Move kernel_dgram_send(passwd_t) to systemd block.
+ systemd, udev, usermanage: Module version bump.
+ genhomedircon.py: Fix top-level exception handling.
+ udev: Whitespace fix.
+ udev: Move one line and remove a redundant line.
+ sysadm, udev: Module version bump.
+ Merge pull request #35 from pebenito/master
+ systemd: Drop unconfined kernel access for systemd_nspawn.
+ udev: Drop write by udev to its executable.
+ init: Remove duplicate setenforce rule for init scripts.
+ authlogin, dbus, ntp: Module version bump.
+ ntp, init, lvm: Module version bump.
+ Merge pull request #37 from pebenito/master
+ kernel, init, systemd, udev: Module version bump.
+ init: Revise conditions in init_startstop_service().
+ Merge pull request #39 from pebenito/revise-init-stopstart
+ init: Module version bump.
+ kernel: Module version bump.
+ Merge pull request #40 from gtrentalancia/master
+ xserver: Module version bump.
+ various: Module version bump
+ apache: Make MTA optional.
+ systemd: Remove unnecessary names in systemd-update-done filetrans.
+ Merge pull request #42 from dsugar100/master
+ kernel, devices, plymouthd, xserver: Module version bump.
+ storage: Label /dev/mmcblk* character nodes.
+ devices: Label /dev/tpmrm[0-9].
+ devices: Add type for GPIO chips, /dev/gpiochip[0-9]
+ devices: Change netcontrol devices to pmqos.
+ systemd: Add initial policy for systemd --user.
+ Merge pull request #43 from pebenito/various-device-labels
+ Merge pull request #44 from pebenito/http-mta-optional
+ Merge pull request #45 from pebenito/systemd-update-done-tweak
+ Merge pull request #46 from pebenito/systemd-user
+ various: Module version bump.
+ Merge pull request #47 from dsugar100/master
+ Merge pull request #48 from bigon/dovecot_lmtp
+ Merge pull request #49 from bigon/fail2ban_logrotate
+ dovecot, logrotate: Module version bump.
+ logrotate: Make MTA optional.
+ Merge pull request #51 from pebenito/logrotate-optional-mta
+ Merge pull request #53 from WOnder93/makefile-fix
+ logrotate: Module version bump.
+ init: Add systemd block to init_script_domain().
+ systemd: modules-load updates.
+ apache: Web content rules simplification.
+ storage: Add fc entry for /dev/pmem*
+ devices: Add type for /dev/daxX.Y.
+ Merge pull request #54 from pebenito/init-script-systemd
+ Merge pull request #55 from pebenito/modules-load
+ Merge pull request #56 from pebenito/apache-simplify
+ Merge pull request #57 from pebenito/pmem-dax
+ various: Module version bump.
+ Bump module versions for release.
+
+Dave Sugar (3):
+ Allow xdm (lightdm) start plymouth
+ Changes to support plymouth working in enforcing
+ create interfaces for NetworkManager units
+
+Guido Trentalancia (1):
+ The Qt library version 5 requires to write xserver_tmp_t files upon
+ starting up applications (tested on version 5.12.1).
+
+Laurent Bigonville (2):
+ Add dovecot to listen to LMTP port
+ Allow logrotate to execute fail2ban-client
+
+Lukas Vrabec (1):
+ Label /sys/kernel/ns_last_pid as sysctl_kernel_ns_last_pid_t
+
+Nicolas Iooss (6):
+ sysadm: allow resolving dynamic users
+ Add policy for stubby DNS resolver
+ Allow systemd-journald to use kill(pid, 0) on its clients
+ Allow restorecond to read customizable_types
+ Remove a broad read-files rule for restorecond
+ Update systemd-update-done policy
+
+Ondrej Mosnacek (1):
+ Fix find commands in Makefiles
+
+Sugar, David (26):
+ Allow systemd-networkd to get IP address from dhcp server
+ Separate domain for systemd-modules-load
+ Allow init_t to read net_conf_t
+ Allow systemd-hostnamed to set the hostname
+ Add interface to run cdrecord in caller domain
+ Add interface to get status of rsyslog service
+ New interface to dontaudit access to cert_t
+ Fix incorrect type in clamav_enableddisable_clamd interface
+ Allow freshclam to read sysctl_crypto_t
+ Add interfaces to run freshclam
+ Allow AIDE to sendto kernel datagram socket
+ Allow AIDE to read kernel sysctl_crypto_t
+ Allow AIDE to mmap files
+ Add interface to allow relabeling of iso 9660 filesystems.
+ Update cron use to pam interface
+ Allow additional map permission when reading hwdb
+ Resolve denial while changing password
+ Separate out udevadm into a new domain
+ Add interface ntp_dbus_chat
+ Allow ntpd to update chronyd service
+ Allow ntpd to update timezone symlink
+ Resolve denial about logging to journal from chkpwd
+ Resolve denial about logging to journal from dbus
+ Allow ntpd to read unit files
+ Denial of cryptsetup reading cracklib database
+ Add kernel_dgram_send() into logging_send_syslog_msg()
+
* Fri Feb 01 2019 Chris PeBenito <pebenito@ieee.org> - 2.20190201
Alexander Miroshnichenko (16):
Add signal_perms setpgid setsched permissions to syncthing_t.
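Review bot: `Dave Sugar (3)` and `Sugar, David (26)` are once more the same contributor split across two blocks, the second release entry in a row with this split (the `2.20190201` entry had `David Sugar` and `Sugar, David`), so a `.mailmap` entry is overdue and would also stop the counts from drifting between releases. The Guido Trentalancia line is a wrapped two-line commit subject; it is reproduced as `git shortlog` wrote it, so nothing to change in the hunk itself.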
diff --git a/VERSION b/VERSION
index b93d30a8..11e2526a 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.20190201
+2.20190609
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2019-12-16 17:48 Jason Zaman
From: Jason Zaman @ 2019-12-16 17:48 UTC
To: gentoo-commits
commit: 466f490ecad2fff5bf088b0bcab4f35b1c6e4830
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Oct 3 23:11:22 2019 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Dec 16 13:09:20 2019 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=466f490e
travis: run check_fc_files linter with python 3.7
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
.travis.yml | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index 7a377148..8be908cc 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -9,7 +9,6 @@ matrix:
# for T in standard mls mcs ; do for D in arch debian gentoo ; do for I in n y ; do for M in y n ; do for S in n y ; do
# echo " - TYPE=$T DISTRO=$D DIRECT_INITRC=$I MONOLITHIC=$M SYSTEMD=$S" ; done ; done ; done ; done ; done
env:
- - LINT=true TYPE=standard
- TYPE=standard DISTRO=gentoo MONOLITHIC=n SYSTEMD=n WERROR=y
- TYPE=standard DISTRO=gentoo MONOLITHIC=n SYSTEMD=y WERROR=y
- TYPE=standard DISTRO=gentoo MONOLITHIC=y SYSTEMD=n WERROR=y
@@ -23,6 +22,11 @@ env:
- TYPE=mls DISTRO=gentoo MONOLITHIC=y SYSTEMD=n WERROR=y
- TYPE=mls DISTRO=gentoo MONOLITHIC=y SYSTEMD=y WERROR=y
+matrix:
+ include:
+ - python: 3.7
+ env: LINT=true TYPE=standard
+
sudo: false
dist: bionic
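Review bot: the added `+matrix:` block introduces a second top-level `matrix:` key. The file already has one: the previous hunk's header reads `@@ -9,7 +9,6 @@ matrix:`, meaning the nearest preceding unindented key before `env:` is `matrix:`. Duplicate mapping keys are not valid YAML, and parsers that accept them keep only one silently, so either the existing matrix settings or this `include:` may be dropped without any error. Fold the `include:` / `python: 3.7` / `env: LINT=true TYPE=standard` lines into the existing `matrix:` block instead of adding a new one.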
@@ -87,7 +91,7 @@ install:
script:
- echo $TYPE $DISTRO $MONOLITHIC $SYSTEMD $WERROR
- set -e
- - if [ -n "$LINT" ] ; then ./testing/check_fc_files.py ; fi
+ - if [ -n "$LINT" ] ; then python3 -t -t -E -W error testing/check_fc_files.py ; fi
- make bare
- make conf
- make
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2020-10-13 3:02 Jason Zaman
From: Jason Zaman @ 2020-10-13 3:02 UTC
To: gentoo-commits
commit: 725c323ac43c51ab94f43f70a22a95af31bb11a8
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Sep 17 13:58:02 2020 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 11 21:00:05 2020 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=725c323a
.travis.yml: Point selint at only the policy dir.
Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
.travis.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.travis.yml b/.travis.yml
index b9e70564..40b612cd 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -114,7 +114,7 @@ script:
# Run SELint
# disable C-005 (Permissions in av rule or class declaration not ordered) for now: has 712 findings
# disable W-005 (Interface call from module not in optional_policy block): refpolicy does not follow this rule
- selint --source --recursive --summary --fail --disable C-005 --disable W-005 .
+ selint --source --recursive --summary --fail --disable C-005 --disable W-005 policy
exit 0
fi
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2021-01-11 1:27 Jason Zaman
From: Jason Zaman @ 2021-01-11 1:27 UTC
To: gentoo-commits
commit: 9edc8b55661f15d3d365f848b55494939bc612a4
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Jan 6 18:51:03 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 10 21:52:17 2021 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9edc8b55
Makefile: Add -E to setfiles labeling targets.
This will cause setfiles to error if there are conflicting labeling
specifications for files due to hardlinks.
closes #218
Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
INSTALL | 4 ++--
Makefile | 8 ++++----
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/INSTALL b/INSTALL
index ca7d7b19..3df5c167 100644
--- a/INSTALL
+++ b/INSTALL
@@ -2,8 +2,8 @@ Reference Policy has the following runtime requirements:
* Linux kernel >= 2.6.33
Reference Policy has the following build requirements:
- * SELinux userspace 2.8
- * Python >= 3.4
+ * SELinux userspace 3.0
+ * Python >= 3.5
When developing a policy, running scripts from directory testing/ requires:
* Python >= 3.6
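Review bot: this INSTALL hunk raises the build requirements (SELinux userspace 2.8 to 3.0, Python 3.4 to 3.5), but the commit message only describes passing `-E` to setfiles. The message should state that `-E` is not available in the older setfiles and so forces the userspace bump, and give the reason for the Python bump, otherwise the requirement change looks unrelated to the Makefile change it ships with.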
diff --git a/Makefile b/Makefile
index a080759c..eae365e5 100644
--- a/Makefile
+++ b/Makefile
@@ -616,7 +616,7 @@ checklabels:
echo "No filesystems with extended attributes found!" ;\
false ;\
fi
- $(verbose) $(SETFILES) -v -n $(fcpath) $(filesystems)
+ $(verbose) $(SETFILES) -E -v -n $(fcpath) $(filesystems)
restorelabels:
@echo "Restoring labels on filesystem types: $(fs_names)"
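Review bot: adding `-E` turns a condition setfiles previously only reported into a hard failure, so `make checklabels`, which runs with `-n` and never writes labels, now exits non-zero as soon as two paths linked to the same file match file-context entries with different contexts. That is the intent, but since `checklabels` is the dry-run target used to preview a relabel, a short comment above the rule noting that a non-zero exit can now mean "conflicting specifications" and not only "mislabelled files" would save confusion; the same applies to the three targets in the following hunks.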
@@ -624,7 +624,7 @@ restorelabels:
echo "No filesystems with extended attributes found!" ;\
false ;\
fi
- $(verbose) $(SETFILES) -v $(fcpath) $(filesystems)
+ $(verbose) $(SETFILES) -E -v $(fcpath) $(filesystems)
relabel:
@echo "Relabeling filesystem types: $(fs_names)"
@@ -632,7 +632,7 @@ relabel:
echo "No filesystems with extended attributes found!" ;\
false ;\
fi
- $(verbose) $(SETFILES) $(fcpath) $(filesystems)
+ $(verbose) $(SETFILES) -E $(fcpath) $(filesystems)
resetlabels:
@echo "Resetting labels on filesystem types: $(fs_names)"
@@ -640,7 +640,7 @@ resetlabels:
echo "No filesystems with extended attributes found!" ;\
false ;\
fi
- $(verbose) $(SETFILES) -F $(fcpath) $(filesystems)
+ $(verbose) $(SETFILES) -E -F $(fcpath) $(filesystems)
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2021-02-07 3:20 Jason Zaman
From: Jason Zaman @ 2021-02-07 3:20 UTC
To: gentoo-commits
commit: 9640bce3661c84abb5bfd0aebccd60dc22a13c5e
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Sun Jan 31 20:50:29 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 6 20:54:11 2021 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9640bce3
Rules.monolithic: ignore version mismatch
Ignore version mismatch when OUTPUT_POLICY is defined and the kernel
supports a higher policy version.
Currently Debian ships SELinux userland tools 3.1, which supports
version 32, and Linux 5.10, which supports version 33.
Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
Rules.monolithic | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/Rules.monolithic b/Rules.monolithic
index 7dbc2e1c..65529d38 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -13,6 +13,11 @@ ifeq "$(kv)" ""
kv := $(pv)
endif
+# dont print version warnings if we specified a lower version than the kernel supports
+ifneq "$(OUTPUT_POLICY)" ""
+ kv := $(shell if test $(kv) -gt $(pv); then echo $(pv); else echo $(kv); fi)
+endif
+
# load_policy(8) loads policy from /etc/selinux/<SELINUXTYPE>/policy/policy.$(pv)
# It does this by reading the /etc/selinux/config file SELINUXTYPE entry to
# form the full path. $(polbinpath) will contain this evaluated path for use as
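Review bot: the `test $(kv) -gt $(pv)` comparison only works because the `ifeq "$(kv)" ""` block directly above guarantees `kv` is non-empty (it falls back to `pv` when the kernel version cannot be determined); if this new block is ever moved above that fallback, `test` fails on an empty operand and `kv` becomes empty. A comment tying the two blocks together would prevent that, and `dont` in the comment should read `don't`. Note also that the clamp only silences the benign case (kernel newer than the requested OUTPUT_POLICY); a kernel older than OUTPUT_POLICY still warns, which is the case that actually matters.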
@@ -73,7 +78,7 @@ $(polver): $(policy_conf)
@echo "Compiling $(NAME) $(polver)"
ifneq ($(pv),$(kv))
@echo
- @echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
+ @echo "WARNING: Policy version mismatch (policy:$(pv) kernel:$(kv))! Is your OUTPUT_POLICY set correctly?"
@echo
endif
$(verbose) $(CHECKPOLICY) -U $(UNK_PERMS) $^ -o $@
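Review bot: the warning now carries both versions, which is exactly what is needed to fix OUTPUT_POLICY; the identical echo block is repeated in the `$(loadpath)` rule in the next hunk, so the message text could live in one make variable to keep the two copies from drifting apart.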
@@ -86,7 +91,7 @@ $(loadpath): $(policy_conf)
@echo "Compiling and installing $(NAME) $(loadpath)"
ifneq ($(pv),$(kv))
@echo
- @echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
+ @echo "WARNING: Policy version mismatch (policy:$(pv) kernel:$(kv))! Is your OUTPUT_POLICY set correctly?"
@echo
endif
@$(INSTALL) -d -m 0755 $(@D)
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2021-02-07 3:20 Jason Zaman
From: Jason Zaman @ 2021-02-07 3:20 UTC
To: gentoo-commits
commit: fc8dab0ab22890514d6376a71fae781467053c82
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Mon Feb 1 19:05:19 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 6 20:54:11 2021 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fc8dab0a
Rules.monolithic: do not suppress load_policy warning messages
Also do not supply the policy path; it has been ignored since at least 2008
(https://github.com/SELinuxProject/selinux/commit/13cd4c8960688af11ad23b4c946149015c80d549).
/usr/sbin/load_policy: Warning! Policy file argument (/etc/selinux/debian/policy/policy.32) is no longer supported, installed policy is always loaded. Continuing...
Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
Rules.monolithic | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Rules.monolithic b/Rules.monolithic
index 65529d38..92557529 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -111,7 +111,7 @@ ifneq ($(polbinpath).$(pv),$(loadpath))
Check $(topdir)/config file entry is: "SELINUXTYPE=$(NAME)")
endif
@echo "Loading $(NAME) $(loadpath)"
- $(verbose) $(LOADPOLICY) -q $(loadpath)
+ $(verbose) $(LOADPOLICY)
########################################
#
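Review bot: dropping `$(loadpath)` means load_policy now loads whatever policy is installed for the SELINUXTYPE named in the config file, so the `ifneq ($(polbinpath).$(pv),$(loadpath))` check at the top of this rule is now the only thing guaranteeing that the freshly built policy is the one loaded; it must keep failing the build rather than merely warning. Removing `-q` is the right call, since a version or path warning here is exactly what the operator needs to see.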
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2021-02-07 3:20 Jason Zaman
From: Jason Zaman @ 2021-02-07 3:20 UTC
To: gentoo-commits
commit: 449bb6dbaadb3a5d862ee5b84a9185b2c4785310
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Sun Jan 31 20:50:33 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 6 20:54:11 2021 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=449bb6db
gitignore: ignore monolithic generated files
Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
.gitignore | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/.gitignore b/.gitignore
index 3f320d39..4e4f2e3f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,3 +22,8 @@
/tmp/
.vagrant/
+
+# monolithic generated files
+/file_contexts
+/homedir_template
+/policy.conf
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2021-02-07 3:20 Jason Zaman
From: Jason Zaman @ 2021-02-07 3:20 UTC
To: gentoo-commits
commit: b2fb7db240074e72ce1d052191db6990ce2a4571
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Sun Jan 31 20:57:01 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 6 20:54:11 2021 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b2fb7db2
Preset OUTPUT_POLICY to 32
32 is the policy version of the latest SELinux userland release, 3.1.
Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
build.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build.conf b/build.conf
index 2ab0b2f2..3f2a2fdb 100644
--- a/build.conf
+++ b/build.conf
@@ -8,7 +8,7 @@
# version policy it supports. Setting this will
# override the version. This only has an
# effect for monolithic policies.
-#OUTPUT_POLICY = 18
+#OUTPUT_POLICY = 32
# Policy Type
# standard, mls, mcs
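Review bot: the line stays commented out (`#OUTPUT_POLICY = 32`), so this only updates the documented example value, not any default the build uses; the summary "Preset OUTPUT_POLICY to 32" reads as though the build now targets version 32 unless told otherwise. Rewording the summary to say the example is updated would avoid that misreading.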
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2021-02-07 3:20 Jason Zaman
From: Jason Zaman @ 2021-02-07 3:20 UTC
To: gentoo-commits
commit: f4d0c88878d7899b27f3c2c09bbd1e34bd975abf
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Mon Feb 1 19:09:27 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 6 20:54:11 2021 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f4d0c888
Rules.monolithic: add missing phony declarations
Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
Rules.monolithic | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Rules.monolithic b/Rules.monolithic
index 5ccd7875..87edd2d3 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -267,4 +267,4 @@ clean:
$(verbose) rm -f *.res
$(verbose) rm -fR $(tmpdir)
-.PHONY: default policy install load reload enableaudit checklabels restorelabels relabel check longcheck clean
+.PHONY: default policy install load reload enableaudit checklabels restorelabels relabel resetlabels validate check longcheck clean
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2021-02-07 3:20 Jason Zaman
From: Jason Zaman @ 2021-02-07 3:20 UTC
To: gentoo-commits
commit: a261f848d3d423e370ef93f259e7661fbb5fc1ff
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Mon Feb 1 19:08:54 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 6 20:54:11 2021 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a261f848
Rules.monolithic: drop dead variable
USEPWD is nowhere declared or documented.
Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
Rules.monolithic | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Rules.monolithic b/Rules.monolithic
index 1696021f..5ccd7875 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -217,7 +217,7 @@ $(fcpath): $(fc) $(loadpath) $(userpath)/system.users
@$(INSTALL) -d -m 0755 $(@D)
$(verbose) $(INSTALL) -m 0644 $(fc) $(fcpath)
$(verbose) $(INSTALL) -m 0644 $(homedir_template) $(homedirpath)
- $(verbose) $(UMASK) 022 ; $(genhomedircon) -d $(topdir) -t $(NAME) $(USEPWD)
+ $(verbose) $(UMASK) 022 ; $(genhomedircon) -d $(topdir) -t $(NAME)
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2021-02-07 3:20 Jason Zaman
From: Jason Zaman @ 2021-02-07 3:20 UTC
To: gentoo-commits
commit: 451967e07ca8eb3b77e9c9cef67fa626d430e346
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Mon Feb 1 19:07:40 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 6 20:54:11 2021 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=451967e0
Rules.monolithic: tweak checkpolicy arguments
- enable optimizations (3.0 https://github.com/SELinuxProject/selinux/commit/071247e8f4e9584095474093537f1869379ca43f)
- fail on warnings (3.1 https://github.com/SELinuxProject/selinux/commit/62a91d7d71736c67dcecff3060dd2301b6313285)
- sort ocontexts (2.9 https://github.com/SELinuxProject/selinux/commit/9077c5c056f348ab4908bdf004ca82cb1f01bd38)
Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
Rules.monolithic | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Rules.monolithic b/Rules.monolithic
index 92557529..1696021f 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -81,7 +81,7 @@ ifneq ($(pv),$(kv))
@echo "WARNING: Policy version mismatch (policy:$(pv) kernel:$(kv))! Is your OUTPUT_POLICY set correctly?"
@echo
endif
- $(verbose) $(CHECKPOLICY) -U $(UNK_PERMS) $^ -o $@
+ $(verbose) $(CHECKPOLICY) -U $(UNK_PERMS) -S -O -E $^ -o $@
########################################
#
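Review bot: `-E` makes checkpolicy treat warnings as errors and, per the commit message, needs userspace 3.1, but INSTALL (set to "SELinux userspace 3.0" earlier in this series) is not bumped here; either raise it in this commit or say why 3.0 builds are still expected to work. `-S` (2.9) and `-O` (3.0) are within the current floor, so the documentation gap is the only blocker. The same flag set is repeated in the `$(loadpath)` rule in the second hunk; collecting the flags in one variable would avoid editing two places next time.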
@@ -95,7 +95,7 @@ ifneq ($(pv),$(kv))
@echo
endif
@$(INSTALL) -d -m 0755 $(@D)
- $(verbose) $(CHECKPOLICY) -U $(UNK_PERMS) $^ -o $@
+ $(verbose) $(CHECKPOLICY) -U $(UNK_PERMS) -S -O -E $^ -o $@
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2021-02-07 3:21 Jason Zaman
From: Jason Zaman @ 2021-02-07 3:21 UTC
To: gentoo-commits
commit: 0d0b3f0b2c0d84a7529175dc505af157f48de2f6
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Feb 3 13:38:27 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 6 21:15:10 2021 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0d0b3f0b
Update Changelog and VERSION for release 2.20210203.
Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
Changelog | 193 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
VERSION | 2 +-
2 files changed, 194 insertions(+), 1 deletion(-)
diff --git a/Changelog b/Changelog
index 59037863..50cd31fc 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,196 @@
+* Wed Feb 03 2021 Chris PeBenito <pebenito@ieee.org> - 2.20210203
+(GalaxyMaster) (1):
+ added policy for systemd-socket-proxyd
+
+0xC0ncord (1):
+ userdomain, xserver: move xdg rules to userdom_xdg_user_template
+
+Anthony PERARD (1):
+ xen: Allow xenstored to map /proc/xen/xsd_kva
+
+Antoine Tenart (15):
+ udev: allow udevadm to retrieve xattrs
+ locallogin: allow login to get attributes of procfs
+ logging: allow systemd-journal to write messages to the audit socket
+ sysnetwork: allow to read network configuration files
+ dbus: add two interfaces to allow reading from directories and named
+ sockets
+ dbus: allow clients to list runtime dirs and named sockets
+ systemd: add extra systemd_generator_t rules
+ systemd: allow systemd-hwdb to search init runtime directories
+ systemd: allow systemd-network to get attributes of fs
+ systemd: allow systemd-resolve to read in tmpfs
+ corecommands: add entry for Busybox shell
+ systemd: allow systemd-getty-generator to read and write unallocated ttys
+ systemd: allow systemd-network to list the runtime directory
+ ntp: allow systemd-timesyn to watch dbus objects
+ ntp: allow systemd-timesyn to setfscreate
+
+Chris PeBenito (117):
+ Merge branch 'acpid_shutdown' of https://github.com/jpds/refpolicy into
+ jpds-acpid_shutdown
+ .travis.yml: Point selint at only the policy dir.
+ corecommands, dbus, locallogin, logging, sysnetwork, systemd, udev: Module
+ version bump.
+ systemd: Move systemd-pstore block up in alphabetical order.
+ Switch to GitHub actions for CI actions.
+ systemd: Whitespace changes.
+ systemd: Rename systemd_connectto_socket_proxyd_unix_sockets() to
+ systemd_stream_connect_socket_proxyd().
+ Drop criteria on github actions.
+ userdomain: Fix error in calling userdom_xdg_user_template().
+ systemd: Add systemd-tty-ask watch for /run/systemd/ask-password.
+ Makefile: Add -E to setfiles labeling targets.
+ udev: Drop udev_tbl_t.
+ udev: Systemd 246 merged udev and udevadm executables.
+ devicekit: Udisks uses udevadm, it does not exec udev.
+ Remove modules for programs that are deprecated or no longer supported.
+ chromium: Whitespace changes.
+ chromium: Move naclhelper lines.
+ certbot: Whitespace changes.
+ certbot: Drop aliases since they have never had the old names in
+ refpolicy.
+ certbot: Reorder fc lines.
+ miscfiles: Rename miscfiles_manage_generic_tls_privkey_lnk_files.
+ userdomain: Move lines.
+ certbot: Fix lint issues.
+ memlockd: Move lines.
+ memlockd: Whitespace fixes.
+ memlockd: Fix lint issue.
+ file_patterns.spt: Add a mmap_manage_files_pattern().
+ apache, mysql, postgrey, samba, squid: Apply new
+ mmap_manage_files_pattern().
+ devicekit, jabber, samba: Move lines.
+ cron: Make backup call for system_cronjob_t optional.
+ samba: Fix samba_runtime_t alias use.
+ samba: Move service interface definitions.
+ sysnetwork: Merge dhcpc_manage_samba tunable block with existing samba
+ block.
+ samba: Add missing userspace class requirements in unit interfaces.
+ apache: Fix lint error.
+ apache: Really fix lint error.
+ aptcacher: Drop broken config interfaces.
+ samba: Fix lint error.
+ 0xC0ncord/feature/sudodomain_http_connect_boolean
+ 0xC0ncord/bugfix/systemd_system_custom_unit_fc
+ dpkg, aptcatcher, milter, mysql, systemd: Rename interfaces.
+ apt, bootloader: Move lines.
+ systemd: Move lines.
+ systemd: Fix lint errors.
+ systemd: Rename systemd_use_machined_devpts().
+ Bump module versions for release.
+
+Christian Göttsche (16):
+ postfixpolicyd: split multi-class rule
+ init/systemd: allow systemd to map the SELinux status page
+ selinux: add selinux_use_status_page and deprecate
+ selinux_map_security_files
+ genhomedircon: drop backwards compatibility section
+ genhomedircon: require match for home directory name
+ genhomedircon: drop unused functions
+ genhomedircon: generate file contexts for %{USERNAME} and %{USERID}
+ genhomedircon: misc pylint cleanup
+ genhomedircon: improve error messages for min uid search
+ Rules.monolithic: ignore version mismatch
+ gitignore: ignore monolithic generated files
+ Preset OUTPUT_POLICY to 32
+ Rules.monolithic: do not suppress load_policy warning messages
+ Rules.monolithic: tweak checkpolicy arguments
+ Rules.monolithic: drop dead variable
+ Rules.monolithic: add missing phony declarations
+
+Daniel Burgener (4):
+ Allow init to mount over the system bus
+ Allow systemd-ask-password to watch files
+ Use self keyword when an AV rule source type matches destination
+ Fix typo in comment
+
+Dannick Pomerleau (1):
+ access_vectors: Add new capabilities to cap2
+
+Dave Sugar (9):
+ Looks like this got dropped in pull request #294
+ Allow snmpd to read hwdata
+ Updates for corosync to work in enforcing
+ To get pacemaker working in enforcing
+ pacemaker systemd permissions
+ Allow pacemaker to map/read/write corosync shared memory files
+ Allow systemd-modules-load to search kernel keys
+ pcs_snmpd_agent_t fix denials to allow it to read needed queues
+ Work with xdg module disabled
+
+David Schadlich (1):
+ add policy for pcs_snmp_agent
+
+Deepak Rawat (1):
+ Add selinux-policy for systemd-pstore service
+
+Dominick Grift (1):
+ bind: add a few fc specs for unbound
+
+Guido Trentalancia (1):
+ Add LVM module permissions needed to open cryptsetup devices.
+
+Jason Zaman (5):
+ userdomain: Add watch on home dirs
+ getty: allow watching file /run/agetty.reload
+ Add transition on gentoo init_t to openrc
+ init: upstream fcontexts from gentoo policy
+ systemd: make remaining dbus_* optional
+
+Jonathan Davies (8):
+ acpi.te: Allow acpid_t to shutdown the system - this is required to handle
+ shutdown calls from libvirt. Fixes #298.
+ acpi.te: Removed unnecessary init_write_initctl().
+ userdomain.if: Marked usbguard user modify tunable as optional so usbguard
+ may be excluded.
+ portage: Added /var/cache/distfiles path.
+ init: Added fcontext for openrc-init.
+ init: Added fcontext for openrc-shutdown.
+ apps/screen.fc: Added fcontext for tmux xdg directory.
+ apps/screen.te: Allow screen to search xdg directories.
+
+Kenton Groombridge (11):
+ devices: add interface for IOCTL on input devices
+ virt: add boolean to allow evdev passthrough
+ stunnel: add log type and rules
+ fail2ban: allow reading systemd journal
+ spamassassin: add rspamd support and tunable
+ apache: add interface for list dir perms on httpd content
+ sudo: add tunable for HTTP connections
+ init: label systemd units in /etc
+ certbot: add support for acme.sh
+ lvm: add lvm_tmpfs_t type and rules
+ Various fixes
+
+Peter Morrow (1):
+ selinux: add selinux_get_all_booleans() interface
+
+Richard Haines (1):
+ Ensure correct monolithic binary policy is loaded
+
+Russell Coker (11):
+ base chrome/chromium patch fixed
+ latest iteration of certbot policy as patch
+ yet more strict patches fixed
+ remove deprecated from 20190201
+ more Chrome stuff
+ latest memlockd patch
+ misc services patches with changes Dominick and Chris wanted
+ misc network patches with Dominick's changes*2
+ new version of filetrans patch
+ misc apps and admin patches
+ machined
+
+Yi Zhao (1):
+ sysnet: allow dhcpcd to create socket file
+
+bauen1 (4):
+ systemd: private type for /run/systemd/userdb
+ authlogin: connect to userdb
+ systemd-logind: utilize nsswitch
+ selint: fix S-010
+
* Tue Aug 18 2020 Chris PeBenito <pebenito@ieee.org> - 2.20200818
Alexander Miroshnichenko (2):
openvpn: more versatile file context regex for ipp.txt
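Review bot: two entries in the Chris PeBenito block are bare branch names rather than change summaries ("0xC0ncord/feature/sudodomain_http_connect_boolean" and "0xC0ncord/bugfix/systemd_system_custom_unit_fc"), which is what a shortlog produces for merge commits whose message is just the branch; they tell a Changelog reader nothing and could be rewritten as "Merge ..." lines or dropped. "Looks like this got dropped in pull request #294" and "Various fixes" are similarly non-descriptive for a release log.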
diff --git a/VERSION b/VERSION
index dff6b732..d20cfcef 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.20200818
+2.20210203
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2021-04-03 3:10 Jason Zaman
From: Jason Zaman @ 2021-04-03 3:10 UTC
To: gentoo-commits
commit: a91edcb2b0b94034466ccfe8e5bf110f5716ea94
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Mar 18 20:22:05 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Apr 2 18:54:58 2021 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a91edcb2
Rules.modular/Rules.monolithic: Fix indented labeling statement moves.
The secure_mode_policyload Boolean labeling statement was lost moving the
statement to the proper place in the policy.conf/base.conf.
Fix this for all other labeling statements too.
Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
Rules.modular | 16 ++++++++--------
Rules.monolithic | 16 ++++++++--------
2 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/Rules.modular b/Rules.modular
index ea234dae..63a10e7f 100644
--- a/Rules.modular
+++ b/Rules.modular
@@ -167,14 +167,14 @@ $(tmpdir)/all_attrs_types.conf: $(tmpdir)/all_te_files.conf
$(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf
$(verbose) cat $(tmpdir)/post_te_files.conf > $@
# these have to run individually because order matters:
- $(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf >> $@ || true
- $(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $@ || true
- $(verbose) $(GREP) ^genfscon $(tmpdir)/all_te_files.conf >> $@ || true
- $(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $@ || true
- $(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $@ || true
- $(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $@ || true
- $(verbose) $(GREP) ^ibpkeycon $(tmpdir)/all_te_files.conf >> $@ || true
- $(verbose) $(GREP) ^ibendportcon $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) '^[[:blank:]]*sid ' $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) '^[[:blank:]]*fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) '^[[:blank:]]*genfscon' $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) '^[[:blank:]]*portcon' $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) '^[[:blank:]]*netifcon' $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) '^[[:blank:]]*nodecon' $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) '^[[:blank:]]*ibpkeycon' $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) '^[[:blank:]]*ibendportcon' $(tmpdir)/all_te_files.conf >> $@ || true
$(tmpdir)/only_te_rules.conf: $(tmpdir)/all_te_files.conf
$(verbose) $(comment_move_decl) $^ > $@
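Review bot: the new `^[[:blank:]]*` prefix makes the eight labeling statements (`sid`, `fs_use_*`, `genfscon`, `portcon`, `netifcon`, `nodecon`, `ibpkeycon`, `ibendportcon`) match when indented, which is the fix for the lost `secure_mode_policyload` statement the message describes. Two things to check: all patterns are now quoted, which the `(xattr|task|trans)` alternation already required and which depends on `GREP` being an ERE grep (it defaults to `egrep`); and the identical eight-line block is duplicated in Rules.monolithic in the next diff, so the statement list belongs in one shared make variable so the two files cannot drift again.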
diff --git a/Rules.monolithic b/Rules.monolithic
index 87edd2d3..e369f8f3 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -165,14 +165,14 @@ $(tmpdir)/all_attrs_types.conf: $(tmpdir)/all_te_files.conf
$(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf
$(verbose) cat $(tmpdir)/post_te_files.conf > $@
# these have to run individually because order matters:
- $(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf >> $@ || true
- $(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $@ || true
- $(verbose) $(GREP) ^genfscon $(tmpdir)/all_te_files.conf >> $@ || true
- $(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $@ || true
- $(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $@ || true
- $(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $@ || true
- $(verbose) $(GREP) ^ibpkeycon $(tmpdir)/all_te_files.conf >> $@ || true
- $(verbose) $(GREP) ^ibendportcon $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) '^[[:blank:]]*sid ' $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) '^[[:blank:]]*fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) '^[[:blank:]]*genfscon' $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) '^[[:blank:]]*portcon' $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) '^[[:blank:]]*netifcon' $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) '^[[:blank:]]*nodecon' $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) '^[[:blank:]]*ibpkeycon' $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) '^[[:blank:]]*ibendportcon' $(tmpdir)/all_te_files.conf >> $@ || true
$(tmpdir)/only_te_rules.conf: $(tmpdir)/all_te_files.conf
$(verbose) $(comment_move_decl) $^ > $@
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2021-11-11 21:27 Jason Zaman
From: Jason Zaman @ 2021-11-11 21:27 UTC
To: gentoo-commits
commit: bf6fdfd10493e1d4b51195cc9daa4a7093402c4f
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Fri Nov 5 13:32:30 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Nov 11 21:26:50 2021 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bf6fdfd1
Ignore umask when installing headers
Use install(1) with explicit permissions to create directories and
files. In case umask(2) is set too strictly, the installed files would
otherwise not be readable by unprivileged users.
Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
Makefile | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/Makefile b/Makefile
index ba346a27..53af1468 100644
--- a/Makefile
+++ b/Makefile
@@ -534,17 +534,19 @@ $(appdir)/%: $(appconf)/%
# Install policy headers
#
install-headers: $(layerxml) $(tunxml) $(boolxml) $(gentooxml)
- @mkdir -p $(headerdir)
+ $(verbose) $(INSTALL) -d -m 755 $(headerdir)
@echo "Installing $(NAME) policy headers."
$(verbose) $(INSTALL) -m 644 $^ $(headerdir)
- $(verbose) mkdir -p $(headerdir)/support
+ $(verbose) $(INSTALL) -d -m 755 $(headerdir)/support
$(verbose) $(INSTALL) -m 644 $(m4support) $(xmldtd) $(headerdir)/support
$(verbose) $(INSTALL) -m 755 $(word $(words $(genxml)),$(genxml)) $(headerdir)/support
+ $(verbose) $(INSTALL) -m 644 /dev/null $(headerdir)/support/all_perms.spt
$(verbose) $(genperm) $(avs) $(secclass) > $(headerdir)/support/all_perms.spt
$(verbose) for i in $(notdir $(all_layers)); do \
- mkdir -p $(headerdir)/$$i ;\
+ $(INSTALL) -d -m 755 $(headerdir)/$$i ;\
$(INSTALL) -m 644 $(moddir)/$$i/*.if $(headerdir)/$$i ;\
done
+ $(verbose) $(INSTALL) -m 644 /dev/null $(headerdir)/build.conf
$(verbose) echo "TYPE ?= $(TYPE)" > $(headerdir)/build.conf
$(verbose) echo "NAME ?= $(NAME)" >> $(headerdir)/build.conf
ifneq "$(DISTRO)" ""
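Review bot: the `$(INSTALL) -m 644 /dev/null <file>` lines added before each shell redirection are the non-obvious part of this change: they pre-create the target with an explicit mode so that the following `>` (which would otherwise create the file subject to the caller's umask) only truncates an already correctly-moded file. That deserves a one-line comment in the Makefile, since a later cleanup could easily take these as redundant and remove them, reintroducing the unreadable-headers problem the message describes.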
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2022-03-31 3:31 Jason Zaman
From: Jason Zaman @ 2022-03-31 3:31 UTC
To: gentoo-commits
commit: 901d5bbe56a07b57a4bd4368bb82275c628f6a09
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Tue Mar 22 17:11:36 2022 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 31 02:40:53 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=901d5bbe
Makefile: use override for adding options
When adding program options to checkpolicy and checkmodule use
override to add them even when CHECKPOLICY or CHECKMODULE have been
set by the caller.
Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
Makefile | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/Makefile b/Makefile
index 9b5069b9..84c019f9 100644
--- a/Makefile
+++ b/Makefile
@@ -173,16 +173,16 @@ docsdir := $(prefix)/share/doc/$(PKGNAME)
# enable MLS if requested.
ifeq "$(TYPE)" "mls"
M4PARAM += -D enable_mls=true
- CHECKPOLICY += -M
- CHECKMODULE += -M
+ override CHECKPOLICY += -M
+ override CHECKMODULE += -M
gennetfilter += -m
endif
# enable MLS if MCS requested.
ifeq "$(TYPE)" "mcs"
M4PARAM += -D enable_mcs=true
- CHECKPOLICY += -M
- CHECKMODULE += -M
+ override CHECKPOLICY += -M
+ override CHECKMODULE += -M
gennetfilter += -c
endif
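Review bot: `override CHECKPOLICY += -M` fixes the case where the caller passes CHECKPOLICY on the make command line, but `M4PARAM += -D enable_mls=true` (and `-D enable_mcs=true` below) has the same exposure: a caller-supplied M4PARAM would silently drop the MLS/MCS definitions and build a non-MLS policy without any error. Either give M4PARAM the same `override`, or state in a comment that M4PARAM is internal and not meant to be set by the caller. `gennetfilter += -m` is fine as long as that variable is never set externally.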
@@ -200,7 +200,7 @@ ifeq "$(SYSTEMD)" "y"
endif
ifneq ($(OUTPUT_POLICY),)
- CHECKPOLICY += -c $(OUTPUT_POLICY)
+ override CHECKPOLICY += -c $(OUTPUT_POLICY)
endif
ifneq "$(CUSTOM_BUILDOPT)" ""
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2022-03-31 3:31 Jason Zaman
From: Jason Zaman @ 2022-03-31 3:31 UTC
To: gentoo-commits
commit: f920d4616e262d68762efb6f842afed0448beda0
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Tue Mar 22 17:21:23 2022 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 31 02:40:53 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f920d461
Rules.modular: add pure-load target
Add a target for modular policies to load all built modules while
simultaneously removing all non-Reference Policy ones. This will remove
dropped Reference Policy modules and user-installed ones.
Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
Rules.modular | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/Rules.modular b/Rules.modular
index 63a10e7f..f7ee2c11 100644
--- a/Rules.modular
+++ b/Rules.modular
@@ -58,6 +58,17 @@ load: $(instpkg) $(appfiles)
@$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
$(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
+########################################
+#
+# Load all configured modules and remove foreign ones
+#
+pure-load: $(instpkg) $(appfiles)
+# make sure two directories exist since they are not
+# created by semanage
+ @echo "Loading configured modules."
+ @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
+ $(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod)) $(foreach omod,$(filter-out base $(notdir $(mod_mods:.te=)),$(shell $(SEMODULE) -l)),-r $(omod))
+
########################################
#
# Install policy packages
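Review bot: the removal list is computed with `$(shell $(SEMODULE) -l)` without `-s $(NAME)`, while the `-i`/`-r` operations run against the `$(NAME)` store; if the SELINUXTYPE in the active config differs from NAME, the list of "foreign" modules comes from a different store than the one being modified. Add `-s $(NAME)` to the listing call. Also, since this target removes every module not built from this tree, including user-installed ones as the message says, the rule comment should carry that warning prominently, and the `# make sure two directories exist` comment copied from `load` should say which two.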
@@ -226,4 +237,4 @@ clean:
$(verbose) rm -f $(net_contexts) $(net_contexts_nft)
$(verbose) rm -fR $(tmpdir)
-.PHONY: default all policy base modules install load clean validate
+.PHONY: default all policy base modules install load pure-load clean validate
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2022-03-31 3:31 Jason Zaman
From: Jason Zaman @ 2022-03-31 3:31 UTC
To: gentoo-commits
commit: 2df18d7dce0be89c767a178fe3cad5dadb3b0d27
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Tue Mar 22 17:06:40 2022 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 31 02:40:53 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2df18d7d
Makefile: invoke python with -bb
Fail on python code calling str(bytes_instance) or
str(bytearray_instance), or comparing bytes/bytearray with str.
Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index ed4a4c40..9b5069b9 100644
--- a/Makefile
+++ b/Makefile
@@ -72,7 +72,7 @@ AWK ?= gawk
GREP ?= egrep
INSTALL ?= install
M4 ?= m4 -E -E
-PYTHON ?= python3 -t -t -E -W error
+PYTHON ?= python3 -bb -t -t -E -W error
SED ?= sed
SORT ?= LC_ALL=C sort
UMASK ?= umask
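Review bot: `-bb` next to the existing `-W error` is partly redundant, since `-W error` already turns the BytesWarning that a single `-b` emits into an exception; `-bb` only makes the failure independent of the warning filter. Keeping it for explicitness is fine, but the commit message should note that the check only reaches code invoked through `$(PYTHON)`, not helper scripts started via their own shebang.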
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2022-03-31 3:31 Jason Zaman
From: Jason Zaman @ 2022-03-31 3:31 UTC
To: gentoo-commits
commit: 3f7c372e6212f0ab402c6bbd833dd80d1fb50e22
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Tue Mar 22 17:10:11 2022 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 31 02:40:53 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3f7c372e
Rules.monolithic: add target to generate CIL policy
Add a Makefile target to generate a CIL policy, useful for debugging,
introspection or testing.
Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
Rules.monolithic | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/Rules.monolithic b/Rules.monolithic
index e369f8f3..d6d0e6f2 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -25,6 +25,7 @@ endif
polbinpath := $(shell $(binary_policy_path))
policy_conf = $(builddir)policy.conf
+policy_cil = $(builddir)policy.cil
fc = $(builddir)file_contexts
polver = $(builddir)policy.$(pv)
homedir_template = $(builddir)homedir_template
@@ -83,6 +84,19 @@ ifneq ($(pv),$(kv))
endif
$(verbose) $(CHECKPOLICY) -U $(UNK_PERMS) -S -O -E $^ -o $@
+########################################
+#
+# Build a CIL policy locally
+#
+$(policy_cil): $(policy_conf)
+ @echo "Compiling $(NAME) $(policy_cil)"
+ifneq ($(pv),$(kv))
+ @echo
+ @echo "WARNING: Policy version mismatch (policy:$(pv) kernel:$(kv))! Is your OUTPUT_POLICY set correctly?"
+ @echo
+endif
+ $(verbose) $(CHECKPOLICY) -C -U $(UNK_PERMS) -S -O -E $^ -o $@
+
########################################
#
# Install a binary policy
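Review bot: the `ifneq ($(pv),$(kv))` version-mismatch warning copied into the `$(policy_cil)` rule is misleading here: the recipe `$(CHECKPOLICY) -C -U $(UNK_PERMS) -S -O -E $^ -o $@` never uses `$(pv)` (no `-c` is passed) and writes CIL source rather than a versioned binary, so the OUTPUT_POLICY hint does not apply and the block should be dropped. The new target also has no convenient name; users must type `make $(builddir)policy.cil`. Add a `.PHONY` alias such as `cil: $(policy_cil)` and mention it in the commit message.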
@@ -261,6 +275,7 @@ $(installdir)/seusers: $(seusers)
clean:
$(verbose) rm -f $(policy_conf)
$(verbose) rm -f $(polver)
+ $(verbose) rm -f $(policy_cil)
$(verbose) rm -f $(fc)
$(verbose) rm -f $(homedir_template)
$(verbose) rm -f $(net_contexts) $(net_contexts_nft)
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2023-02-10 20:30 Kenton Groombridge
From: Kenton Groombridge @ 2023-02-10 20:30 UTC
To: gentoo-commits
commit: fe613d98e1478861c0e4130433ae930230a1b6b5
Author: Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Fri Feb 10 20:30:21 2023 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Feb 10 20:30:21 2023 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fe613d98
Test of github mirror
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2024-03-01 19:56 Kenton Groombridge
From: Kenton Groombridge @ 2024-03-01 19:56 UTC
To: gentoo-commits
commit: 2dce7975e36e015abbe53d9749d5db5344d79d34
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Feb 22 16:38:21 2024 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar 1 17:05:39 2024 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2dce7975
Rules.modular: use temporary file to not ignore error
Save the result of the m4 command into a temporary file and split the
commands, to avoid ignoring failures of the first command.
Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
Rules.modular | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Rules.modular b/Rules.modular
index f7ee2c11f..c731ea01d 100644
--- a/Rules.modular
+++ b/Rules.modular
@@ -119,8 +119,8 @@ $(tmpdir)/seusers: $(seusers)
$(users_extra): $(m4support) $(user_files)
@test -d $(tmpdir) || mkdir -p $(tmpdir)
- $(verbose) $(M4) $(M4PARAM) -D users_extra $^ | \
- $(SED) -r -n -e 's/^[[:blank:]]*//g' -e '/^user/p' > $@
+ $(verbose) $(M4) $(M4PARAM) -D users_extra $^ > $(tmpdir)/$(@F).tmp
+ $(verbose) $(SED) -r -n -e 's/^[[:blank:]]*//g' -e '/^user/p' $(tmpdir)/$(@F).tmp > $@
########################################
#
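Review bot: splitting the pipeline fixes the lost m4 exit status, but the second command still redirects straight into `$@`, so a failing `$(SED)` leaves a partial `$(users_extra)` that the next run treats as up to date; either write to a second temporary and `mv` it into place, or add `.DELETE_ON_ERROR:` to the Rules file. The `$(tmpdir)/$(@F).tmp` intermediate is never removed after use, which is acceptable only because `clean` removes `$(tmpdir)` wholesale; a trailing `rm -f` would be tidier.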
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2024-03-01 19:56 Kenton Groombridge
From: Kenton Groombridge @ 2024-03-01 19:56 UTC
To: gentoo-commits
commit: cf1d8825dd74db410aca630202e62d0e0ad5169e
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Feb 22 19:21:35 2024 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar 1 17:05:42 2024 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cf1d8825
Makefile: set PYTHONPATH for test toolchain
In case of a non-default toolchain also set the environment variable
PYTHONPATH to run sepolgen related python code from that toolchain.
See scripts/env_use_destdir in the SELinux userland repository.
Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
Makefile | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/Makefile b/Makefile
index 82df20454..42d6484bc 100644
--- a/Makefile
+++ b/Makefile
@@ -47,9 +47,16 @@ endif
BINDIR ?= /usr/bin
SBINDIR ?= /usr/sbin
ifdef TEST_TOOLCHAIN
-tc_usrbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib:$(TEST_TOOLCHAIN)/usr/lib" $(TEST_TOOLCHAIN)$(BINDIR)
-tc_usrsbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib:$(TEST_TOOLCHAIN)/usr/lib" $(TEST_TOOLCHAIN)$(SBINDIR)
-tc_sbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib:$(TEST_TOOLCHAIN)/usr/lib" $(TEST_TOOLCHAIN)/sbin
+python_path_plat := $(shell python3 -c "import sysconfig; print(sysconfig.get_path('platlib', vars={'platbase': '/usr', 'base': '/usr'}))")
+python_path_pure := $(shell python3 -c "import sysconfig; print(sysconfig.get_path('purelib', vars={'platbase': '/usr', 'base': '/usr'}))")
+ifdef PYTHONPATH
+python_path := "$(TEST_TOOLCHAIN)$(python_path_plat):$(TEST_TOOLCHAIN)$(python_path_pure):$(PYTHONPATH)"
+else
+python_path := "$(TEST_TOOLCHAIN)$(python_path_plat):$(TEST_TOOLCHAIN)$(python_path_pure)"
+endif
+tc_usrbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib:$(TEST_TOOLCHAIN)/usr/lib" PYTHONPATH="$(python_path)" $(TEST_TOOLCHAIN)$(BINDIR)
+tc_usrsbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib:$(TEST_TOOLCHAIN)/usr/lib" PYTHONPATH="$(python_path)" $(TEST_TOOLCHAIN)$(SBINDIR)
+tc_sbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib:$(TEST_TOOLCHAIN)/usr/lib" PYTHONPATH="$(python_path)" $(TEST_TOOLCHAIN)/sbin
else
tc_usrbindir := $(BINDIR)
tc_usrsbindir := $(SBINDIR)
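Review bot: the two `python_path :=` assignments embed double quotes and are then expanded inside another quoted string (`PYTHONPATH="$(python_path)"`), which reaches the shell as `PYTHONPATH=""/…""`; it works only because the empty quoted strings concatenate with the unquoted middle, and any space in `$(TEST_TOOLCHAIN)` or an inherited `$(PYTHONPATH)` would split the word. Drop the quotes from the assignments and keep the quoting at the point of use. Also, both `$(shell python3 -c "import sysconfig; …")` lookups run the host interpreter, so the computed `platlib`/`purelib` suffixes only match the toolchain when host and toolchain Python versions agree; a comment stating that assumption would help.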
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2024-03-01 19:56 Kenton Groombridge
From: Kenton Groombridge @ 2024-03-01 19:56 UTC
To: gentoo-commits
commit: d4a01ab0b955623422eade1f35368a2ee3983db9
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Feb 22 16:41:28 2024 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar 1 17:05:41 2024 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d4a01ab0
Makefile: use sepolgen-ifgen-attr-helper from test toolchain
When building with a non-default toolchain by setting the environment
variable TEST_TOOLCHAIN also use the sepolgen-ifgen helper binary
sepolgen-ifgen-attr-helper from this toolchain.
Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
Makefile | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/Makefile b/Makefile
index 3f1d30605..82df20454 100644
--- a/Makefile
+++ b/Makefile
@@ -62,7 +62,11 @@ SEMOD_PKG ?= $(tc_usrbindir)/semodule_package
SEMOD_LNK ?= $(tc_usrbindir)/semodule_link
SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand
LOADPOLICY ?= $(tc_usrsbindir)/load_policy
+ifdef TEST_TOOLCHAIN
+SEPOLGEN_IFGEN ?= $(tc_usrbindir)/sepolgen-ifgen --attr-helper $(TEST_TOOLCHAIN)$(BINDIR)/sepolgen-ifgen-attr-helper
+else
SEPOLGEN_IFGEN ?= $(tc_usrbindir)/sepolgen-ifgen
+endif
SETFILES ?= $(tc_sbindir)/setfiles
SEFCONTEXT_COMPILE ?= $(tc_usrsbindir)/sefcontext_compile
XMLLINT ?= $(BINDIR)/xmllint
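Review bot: a one-line comment above the new `ifdef TEST_TOOLCHAIN` block would help: it is not obvious why `sepolgen-ifgen` gets a `--attr-helper` from `$(TEST_TOOLCHAIN)$(BINDIR)` when the rest of the tool list just relies on `$(tc_usrbindir)`. The reason is that the helper is a compiled binary linked against the toolchain's libsepol, while `sepolgen-ifgen` itself is a script, so a mismatched helper from the host would silently read attributes with the wrong library. Note also that the `?=` still lets an environment `SEPOLGEN_IFGEN` override both branches, which is consistent with the other tools.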
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2024-03-01 19:56 Kenton Groombridge
From: Kenton Groombridge @ 2024-03-01 19:56 UTC
To: gentoo-commits
commit: 70c06276d352e4513bd68ca085b07e5e2d8e6205
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Feb 22 16:32:50 2024 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar 1 17:05:38 2024 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=70c06276
Rules.monolithic: pre-compile fcontexts on install
On install pre-compile the file contexts.
Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
Makefile | 1 +
Rules.monolithic | 6 ++++++
2 files changed, 7 insertions(+)
diff --git a/Makefile b/Makefile
index b93e133be..3f1d30605 100644
--- a/Makefile
+++ b/Makefile
@@ -64,6 +64,7 @@ SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand
LOADPOLICY ?= $(tc_usrsbindir)/load_policy
SEPOLGEN_IFGEN ?= $(tc_usrbindir)/sepolgen-ifgen
SETFILES ?= $(tc_sbindir)/setfiles
+SEFCONTEXT_COMPILE ?= $(tc_usrsbindir)/sefcontext_compile
XMLLINT ?= $(BINDIR)/xmllint
SECHECK ?= $(BINDIR)/sechecker
diff --git a/Rules.monolithic b/Rules.monolithic
index d6d0e6f28..d6e20a371 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -232,6 +232,12 @@ $(fcpath): $(fc) $(loadpath) $(userpath)/system.users
$(verbose) $(INSTALL) -m 0644 $(fc) $(fcpath)
$(verbose) $(INSTALL) -m 0644 $(homedir_template) $(homedirpath)
$(verbose) $(UMASK) 022 ; $(genhomedircon) -d $(topdir) -t $(NAME)
+ $(verbose) if $(SEFCONTEXT_COMPILE) -i > /dev/null 2>&1 ; then \
+ $(SEFCONTEXT_COMPILE) $(fcpath) ;\
+ $(SEFCONTEXT_COMPILE) $(fcpath).homedirs ;\
+ else \
+ echo "$@ Pre-compiled file context not generated! Please install the sefcontext_compile tool (commonly part of libselinux-utils)." ;\
+ fi
########################################
#
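Review bot: the availability probe `$(SEFCONTEXT_COMPILE) -i > /dev/null 2>&1` invokes the tool with no input file and branches on its exit status, so which branch runs depends on what sefcontext_compile returns when it prints usage for a missing argument, not on whether the binary is installed; probe with `command -v $(SEFCONTEXT_COMPILE)` (or its version flag) so the else branch is taken only when the tool is genuinely absent. Inside the then branch the two compiles are chained with `;\`, so a failure compiling `$(fcpath)` is masked by the following `$(fcpath).homedirs` call and the recipe succeeds; add `|| exit 1` after each. The else-branch message is also prefixed with `$@` (the file contexts path), which reads oddly; a `WARNING:` prefix matching the rest of the file would be clearer.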
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2024-03-01 19:56 Kenton Groombridge
From: Kenton Groombridge @ 2024-03-01 19:56 UTC
To: gentoo-commits
commit: 1949397458a649cf876a4a758a28d65626ad2709
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon Feb 26 18:38:45 2024 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar 1 17:06:00 2024 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=19493974
Update Changelog and VERSION for release 2.20240226.
Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
Changelog | 487 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
VERSION | 2 +-
2 files changed, 488 insertions(+), 1 deletion(-)
diff --git a/Changelog b/Changelog
index 76cd60fdc..a1938b4f0 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,490 @@
+* Mon Feb 26 2024 Chris PeBenito <pebenito@ieee.org> - 2.20240226
+Chris PeBenito (174):
+ tests.yml: Pin ubuntu 20.04.
+ tests.yml: Pin ubuntu 20.04.
+ fstools: Move lines.
+ munin: Move munin_rw_tcp_sockets() implementation.
+ munin: Whitespace change.
+ systemd: Tmpfilesd can correct seusers on files.
+ iscsi: Read initiatorname.iscsi.
+ lvm: Add fc entry for /etc/multipath/*
+ sysnetwork: Rename sysnet_dontaudit_rw_dhcpc_unix_dgram_sockets()
+ Define user_namespace object class.
+ chromium: Allow user namespace creation.
+ mozilla: Allow user namespace creation.
+ systemd: Allow user namespace creation.
+ container: Allow user namespace creation for all container engines.
+ Update eg25manager.te
+ switcheroo: Whitespace fix.
+ unconfined: Keys are linkable by systemd.
+ postgresql: Move lines
+ Add append to rw and manage lnk_file permission sets for consistency.
+ domain: Manage own fds.
+ systemd: systemd-cgroups reads kernel.cap_last_cap sysctl.
+ kernel: hv_utils shutdown on systemd systems.
+ Container: Minor fixes from interactive container use.
+ systemd: Minor coredump fixes.
+ rpm: Minor fixes
+ init: Allow nnp/nosuid transitions from systemd initrc_t.
+ selinuxutil: Semanage reads policy for export.
+ sysnetwork: ifconfig searches debugfs.
+ usermanage: Add sysctl access for groupadd to get number of groups.
+ files: Handle symlinks for /media and /srv.
+ cloudinit: Add support for installing RPMs and setting passwords.
+ kdump: Fixes from testing kdumpctl.
+ usermanage: Handle symlinks in /usr/share/cracklib.
+ unconfined: Add remaining watch_* permissions.
+ chronyd: Read /dev/urandom.
+ cloud-init: Allow use of sudo in runcmd.
+ cloud-init: Add systemd permissions.
+ cloud-init: Change udev rules
+ systemd: Updates for systemd-locale.
+ cloudinit: Add permissions derived from sysadm.
+
+Christian Göttsche (28):
+ git: add fcontext for default binary
+ init: only grant getattr in init_getattr_generic_units_files()
+ ci: bump SELint version to 1.5.0
+ SELint userspace class tweaks
+ systemd: reorder optional block
+ devicedisk: reorder optional block
+ access_vectors: define io_uring { cmd }
+ support/genhomedircon: support usr prefixed paths
+ fix misc typos
+ Support multi-line interface calls
+ policy_capabilities: remove estimated from released versions
+ Rules.monolithic: pre-compile fcontexts on install
+ Rules.modular: use temporary file to not ignore error
+ Makefile: use sepolgen-ifgen-attr-helper from test toolchain
+ Makefile: set PYTHONPATH for test toolchain
+ virt: label qemu configuration directory
+ selinuxutil: setfiles updates
+ selinuxutil: ignore getattr proc in newrole
+ userdom: permit reading PSI as admin
+ fs: mark memory pressure type as file
+ systemd: binfmt updates
+ vnstatd: update
+ fs: add support for virtiofs
+ systemd: generator updates
+ udev: update
+ systemd: logind update
+ consolesetup: update
+ libraries: drop space in empty line
+
+Christian Schneider (1):
+ systemd-generator: systemd_generator_t load kernel modules used for e.g.
+ zram-generator
+
+Corentin LABBE (20):
+ udev: permit to read hwdb
+ fstools: handle gentoo place for drivedb.h
+ mount: dbus interface must be optional
+ mcelog: add missing file context for triggers
+ munin: add file context for common functions file
+ rsyslog: add label for /var/empty/dev/log
+ munin: disk-plugin: transition to fsadm
+ munin: add fc for munin-node plugin state
+ usermanage: permit groupadd to read kernel sysctl
+ portage: Remove old binary location
+ portage: add go/hg source control files
+ portage: add new location for portage commands
+ portage: add missing go/hg context in new distfiles location
+ mandb: permit to read inherited cron files
+ selinuxutil: do not audit load_policy trying to use portage ptys
+ selinuxutil: permit run_init to read kernel sysctl
+ portage: add misc mising rules
+ smartmon: allow smartd to read fsadm_db_t files
+ smartmon: add domain for update-smart-drivedb
+ dovecot: add missing permissions
+
+Dave Sugar (46):
+ rng-tools updated to 6.15 (on RHEL9) seeing the following denials:
+ Allow local login to read /run/motd
+ Label pwhistory_helper
+ If domain can read system_dbusd_var_lib_t files, also allow symlinks
+ systemd-rfkill.socket reads /dev/rfkill (with ListenSocket=) option.
+ To allow setting for net.netfilter.nf_* in /etc/sysctl.d/*.conf
+ Allow iceauth write to xsession log
+ Allow system_dbusd_t to start/stop all units
+ Updates for utempter
+ Allow display manager to read hwdata
+ Allow search xdm_var_run_t directories along with reading files.
+ Solve issue with no keyboard/mouse on X login screen
+ separate label for /etc/security/opasswd
+ Fix some ssh agent denials
+ For systemd-hostnamed service to run
+ Allow rsyslog to drop capabilities
+ /var/lib/sddm should be xdm_var_lib_t
+ resolve lvm_t issues at shutdown with LUKS encrypted devices
+ Allow all users to (optionally) send syslog messages
+ Resolve some denials with colord
+ separate domain for journalctl during init
+ Use interface that already exists.
+ Separate label for /run/systemd/notify (#710)
+ Changes needed for dbus-broker-launch
+ Allow dbus-broker-launch to execute in same domain
+ dbus changes
+ Firewalld need to relabel direct.xml file
+ xguest ues systemd --user
+ Needed to allow environment variable to process started (for cockpit)
+ SELinux policy for cockpit
+ Fix denial while cleaning up pidfile symlink
+ allow system --user to execute systemd-tmpfiles in
+ <user>_systemd_tmpfiles_t domain
+ cockpit ssh as user
+ Allow sudo dbus chat w/sysemd-logind
+ The L+ tmpfiles option needs to read the symlink
+ Signal during logout
+ This seems important for administrative access
+ This works instead of allow exec on user_tmpfs_t!
+ admin can read/write web socket
+ Allow key manipulation
+ Add dontaudit to quiet down a bit
+ Add watches
+ Additional access for systemctl
+ Denial during cockpit use
+ Fix password changing from cockpit login screen
+ Resolve error when cockpit initiate shutdown
+
+David Sommerseth (1):
+ openvpn: Allow netlink genl
+
+Fabrice Fontaine (1):
+ policy/modules/services/smartmon.te: make fstools optional
+
+Florian Schmidt (1):
+ Add label and interfaces for kernel PSI files
+
+George Zenner (1):
+ Signed-off-by: George Zenner <zen@pyl.onl>
+
+Grzegorz Filo (3):
+ Shell functions used during boot by initrc_t shall be bin_t and defined in
+ corecommands.fc
+ Dir transition goes with dir create perms.
+ Keep context of blkid file/dir when created by zpool.
+
+Guido Trentalancia (53):
+ The pulseaudio daemon and client do not normally need to use the network
+ for most computer systems that need to play and record audio.
+ The kernel domain should be able to mounton runtime directories during
+ switch_root, otherwise parts of the boot process might fail on some
+ systems (for example, the udev daemon).
+ The kernel domain should be able to mounton default directories during
+ switch_root.
+ The pulseaudio module should be able to read alsa library directories.
+ Fix the pulseaudio module file transition for named sockets in tmp
+ directories.
+ Fix the dbus module so that automatic file type transitions are used not
+ only for files and directories, but also for named sockets.
+ Fix the dbus module so that temporary session named sockets can be read
+ and written in the role template and by system and session bus clients.
+ Update the dbus role template so that permissions to get the attributes of
+ the proc filesystem are included.
+ Let pulseaudio search debugfs directories, as currently done with other
+ modules.
+ Separate the tunable permissions to write xserver tmpfs files from the
+ tunable permissions to write X server shared memory.
+ Fix a security bug in the xserver module (interfaces) which was wrongly
+ allowing an interface to bypass existing tunable policy logic related
+ to X shared memory and xserver tmpfs files write permissions.
+ Add missing permissions to execute binary files for the evolution_alarm_t
+ domain.
+ Add the permissions to manage the fonts cache (fontconfig) to the window
+ manager role template.
+ Add permissions to watch libraries directories to the userdomain login
+ user template interface.
+ Update the xscreensaver module in order to work with the latest version
+ (tested with version 6.06).
+ Include the X server tmpfs rw permissions in the X shared memory write
+ access tunable policy under request from Christoper PeBenito.
+ Revert the following commit (ability to read /usr files), as it is no
+ longer needed, after the database file got its own label:
+ Update the kernel module to remove misplaced or at least really obsolete
+ permissions during kernel module loading.
+ Introduce a new "logging_syslog_can_network" boolean and make the
+ net_admin capability as well as all corenetwork permissions previously
+ granted to the syslog daemon conditional upon such boolean being true.
+ Let the openoffice domain manage fonts cache (fontconfig).
+ Update the openoffice module so that it can create Unix stream sockets
+ with its own label and use them both as a client and a server.
+ Let mplayer to act as a dbus session bus client (needed by the vlc media
+ player).
+ Add permissions to read device sysctls to mplayer.
+ Remove misplaced permission from mount interface mount_exec.
+ Remove a vulnerability introduced by a logging interface which allows to
+ execute log files.
+ Improved wording for the new xserver tunable policy booleans introduced
+ with the previous three commits.
+ Fix another security bug companion of the one fixed in the following
+ previous commit:
+ Fix another security bug similar to the ones that have been recently fixed
+ in the following two commits:
+ Remove duplicate permissions in the xserver module
+ xserver_restricted_role() interface.
+ Dbus creates Unix domain sockets (in addition to listening on and
+ connecting to them), so its policy module is modified accordingly.
+ Remove a logging interface from the userdomain module since it has now
+ been moved to the xscreensaver domain.
+ Create a new specific file label for the random seed file saved before
+ shutting down or rebooting the system and rework the interface needed
+ to manage such file.
+ Fix the shutdown policy in order to make use of the newly created file
+ label and interface needed to manage the random seed file.
+ Update the gpg module so that the application is able to fetch new keys
+ from the network.
+ Dbus creates Unix domain sockets not only for the system bus, but also for
+ the session bus (in addition to connecting to them), so its policy
+ module is modified accordingly.
+ Update the gnome module so that the gconf daemon is able to create Unix
+ domain sockets and accept or listen connections on them.
+ Fix the recently introduced "logging_syslog_can_network" tunable policy,
+ by including TCP/IP socket creation permissions.
+ Introduce a new interface in the mta module to manage the mail transport
+ agent configuration directories and files.
+ Add new gpg interfaces for gpg_agent execution and to avoid auditing
+ search operations on files and directories that are not strictly needed
+ and might pose a security risk.
+ Extend the scope of the "spamassassin_can_network" tunable policy boolean
+ to all network access (except the relative dontaudit rules).
+ Update the spamassassin module in order to better support the rules
+ updating script; this achieved by employing two distinct domains for
+ increased security and network isolation: a first domain is used for
+ fetching the updated rules from the network and second domain is used
+ for verifying the GPG signatures of the received rules.
+ Under request from Christopher PeBenito, merge the two spamassassin rules
+ updating SELinux domains introduced in the previous change in order to
+ reduce the non-swappable kernel memory used by the policy.
+ Introduce a new "dbus_can_network" boolean which controls whether or not
+ the dbus daemon can act as a server over TCP/IP networks and defaults
+ to false, as this is generally insecure, except when using the local
+ loopback interface.
+ Introduce two new booleans for the X server and X display manager domains
+ which control whether or not the respective domains allow the TCP/IP
+ server networking functionality.
+ The X display manager uses an authentication mechanism based on an
+ authorization file which is critical for X security.
+ Merge branch 'main' into x_fixes_pr2
+ Let openoffice perform temporary file transitions and manage link files.
+ Modify the gpg module so that gpg and the gpg_agent can manage
+ gpg_runtime_t socket files.
+ The LDAP server only needs to read generic certificate files, not manage
+ them.
+ Create new TLS Private Keys file contexts for the Apache HTTP server
+ according to the default locations:
+ Let the webadm role manage Private Keys and CSR for SSL Certificates used
+ by the HTTP daemon.
+ Let the certmonger module manage SSL Private Keys and CSR used for example
+ by the HTTP and/or Mail Transport daemons.
+ Additional file context fix for:
+
+Kai Meng (1):
+ devices:Add genfscon context for functionfs to mount
+
+Kenton Groombridge (106):
+ corenet: add portcon for kubernetes
+ kubernetes: initial policy module
+ sysadm: allow running kubernetes
+ crio: new policy module
+ crio, kubernetes: allow k8s admins to run CRI-O
+ container: add type for container plugins
+ various: fixes for kubernetes
+ kubernetes: add policy for kubectl
+ various: fixes for kubernetes
+ container, kernel: add tunable to allow spc to create NFS servers
+ container: add tunable to allow containers to use huge pages
+ container, kubernetes: add private type for generic container devices
+ container: add tunable to use dri devices
+ container, kubernetes: add rules for device plugins running as spc
+ various: allow using glusterfs as backing storage for k8s
+ container, miscfiles: transition to s0 for public content created by
+ containers
+ container: add tunable to allow spc to use tun-tap devices
+ container: correct admin_pattern() usage
+ systemd: add policy for systemd-pcrphase
+ hddtemp: add missing rules for interactive usage
+ netutils: minor fixes for nmap and traceroute
+ container: add rules required for metallb BGP speakers
+ filesystem, init: allow systemd to setattr on ramfs dirs
+ logging: allow domains sending syslog messages to connect to kernel unix
+ stream sockets
+ init, sysadm: allow sysadm to manage systemd runtime units
+ podman: allow podman to stop systemd transient units
+ userdom: allow admin users to use tcpdiag netlink sockets
+ container: allow container admins the sysadm capability in user namespaces
+ postfix: allow postfix master to map data files
+ sasl: add filecon for /etc/sasl2 keytab
+ obj_perm_sets: add mmap_manage_file_perms
+ various: use mmap_manage_file_perms
+ postfix, sasl: allow postfix smtp daemon to read SASL keytab
+ various: fixes for libvirtd and systemd-machined
+ portage: label eix cache as portage_cache_t
+ container: add missing filetrans and filecon for containerd/docker
+ container, init, systemd: add policy for quadlet
+ container: fixes for podman 4.4.0
+ container: fixes for podman run --log-driver=passthrough
+ node_exporter: various fixes
+ redis: add missing rules for runtime filetrans
+ podman, selinux: move lines, add missing rules for --network=host
+ netutils: fixes for iftop
+ kernel, zfs: add filetrans for kernel creating zpool cache file
+ zfs: allow sending signals to itself
+ zfs: add runtime filetrans for dirs
+ init: make init_runtime_t useable for systemd units
+ various: make /etc/machine-id etc_runtime_t
+ init, systemd: allow init to create userdb runtime symlinks
+ init: allow initrc_t to getcap
+ systemd: allow systemd-userdbd to getcap
+ logging: allow systemd-journald to list cgroups
+ fs, udev: allow systemd-udevd various cgroup perms
+ logging, systemd: allow relabelfrom,relabelto on systemd journal files by
+ systemd-journald
+ files, systemd: allow systemd-tmpfiles to relabel config file symlinks
+ systemd: add rules for systemd-zram-generator
+ systemd: allow systemd-pcrphase to read generic certs
+ fs, init: allow systemd-init to set the attributes of efivarfs files
+ init: allow systemd-init to set the attributes of unallocated terminals
+ systemd: allow systemd-resolved to bind to UDP port 5353
+ init: allow initrc_t to create netlink_kobject_uevent_sockets
+ raid: allow mdadm to read udev runtime files
+ raid: allow mdadm to create generic links in /dev/md
+ fstools: allow fsadm to read utab
+ glusterfs: allow glusterd to bind to all TCP unreserved ports
+ kubernetes: allow kubelet to read etc runtime files
+ chromium: allow chromium-naclhelper to create user namespaces
+ container: rework capabilities
+ container: allow watching FUSEFS dirs and files
+ glusterfs: add tunable to allow managing unlabeled files
+ sysadm: allow using networkctl
+ container: various fixes
+ container, kubernetes: add support for cilium
+ kubernetes: allow container engines to mount on DRI devices if enabled
+ init, systemd: label systemd-executor as init_exec_t
+ udev: allow reading kernel fs sysctls
+ init: allow all daemons to write to init runtime sockets
+ systemd: fixes for systemd-pcrphase
+ systemd: allow networkd to use netlink netfilter sockets
+ rpc: add filecon for /etc/exports.d
+ zed: allow managing /etc/exports.d/zfs.exports
+ zfs: dontaudit net_admin capability by zed
+ su: various fixes
+ kernel: allow delete and setattr on generic SCSI and USB devices
+ mount: make mount_runtime_t a kubernetes mountpoint
+ fstools: allow fsadm to ioctl cgroup dirs
+ fstools: allow reading container device blk files
+ container, kubernetes: add support for rook-ceph
+ kernel: dontaudit read fixed disk devices
+ container: add filecons for rook-ceph
+ init, systemd: allow systemd-pcrphase to write TPM measurements
+ systemd: add policy for systemd-machine-id-setup
+ container, kubernetes: allow kubernetes to use fuse-overlayfs
+ kubernetes: fix kubelet accounting
+ systemd: label systemd-pcrlock as systemd-pcrphase
+ zfs: allow zfs to write to exports
+ kernel: allow managing mouse devices
+ init: allow using system bus anon pidfs
+ systemd: label systemd-tpm2-setup as systemd-pcrphase
+ bootloader, init, udev: misc minor fixes
+ rpc: fix not labeling exports.d directory
+ dbus: allow the system bus to get the status of generic units
+ systemd: allow systemd generator to list exports
+ crio: allow reading container home content
+ container: allow spc to map kubernetes runtime files
+ kubernetes: allow kubelet to apply fsGroup to persistent volumes
+
+Luca Boccassi (4):
+ Set label systemd-oomd
+ Add separate label for cgroup's memory.pressure files
+ systemd: also allow to mounton memory.pressure
+ systemd: allow daemons to access memory.pressure
+
+Mathieu Tortuyaux (1):
+ container: fix cilium denial
+
+Oleksii Miroshko (1):
+ Fix templates parsing in gentemplates.sh
+
+Pat Riehecky (1):
+ container: set default context for local-path-provisioner
+
+Renato Caldas (1):
+ kubernetes: allow kubelet to read /proc/sys/vm files.
+
+Russell Coker (28):
+ This patch removes deprecated interfaces that were deprecated in the
+ 20210203 release. I think that 2 years of support for a deprecated
+ interface is enough and by the time we have the next release out it
+ will probably be more than 2 years since 20210203.
+ This patch removes deprecated interfaces that were deprecated in the
+ 20210203 release. I think that 2 years of support for a deprecated
+ interface is enough and by the time we have the next release out it
+ will probably be more than 2 years since 20210203.
+ eg25-manager (Debian package eg25-manager) is a daemon aimed at
+ configuring and monitoring the Quectel EG25 modem on a running system.
+ It is used on the PinePhone (Pro) and performs the following functions:
+ * power on/off * startup configuration using AT commands * AGPS
+ data upload * status monitoring (and restart if it becomes
+ unavailable) Homepage: https://gitlab.com/mobian1/eg25-manager
+ iio-sensor-proxy (Debian package iio-sensor-proxy) IIO sensors to D-Bus
+ proxy Industrial I/O subsystem is intended to provide support for
+ devices that in some sense are analog to digital or digital to analog
+ convertors . Devices that fall into this category are: * ADCs *
+ Accelerometers * Gyros * IMUs * Capacitance to Digital Converters
+ (CDCs) * Pressure Sensors * Color, Light and Proximity Sensors *
+ Temperature Sensors * Magnetometers * DACs * DDS (Direct Digital
+ Synthesis) * PLLs (Phase Locked Loops) * Variable/Programmable Gain
+ Amplifiers (VGA, PGA)
+ Fixed dependency on unconfined_t
+ Comment sysfs better
+ Daemon to control authentication for Thunderbolt.
+ Daemon to monitor memory pressure and notify applications and change …
+ (#670)
+ switcheroo is a daemon to manage discrete vs integrated GPU use for apps
+ policy for power profiles daemon, used to change power settings
+ some misc userdomain fixes
+ debian motd.d directory (#689)
+ policy for the Reliability Availability servicability daemon (#690)
+ policy patches for anti-spam daemons (#698)
+ Added tmpfs file type for postgresql Small mysql stuff including
+ anon_inode
+ small ntp and dns changes (#703)
+ small network patches (#707)
+ small storage changes (#706)
+ allow jabbers to create sock file and allow matrixd to read sysfs (#705)
+ small systemd patches (#708)
+ misc small patches for cron policy (#701)
+ mon.te patches as well as some fstools patches related to it (#697)
+ misc small email changes (#704)
+ https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/
+ Label checkarray as mdadm_exec_t, allow it to read/write temp files
+ inherited from cron, and dontaudit ps type operations from it
+ Changes to eg25manager and modemmanager needed for firmware upload on
+ pinephonepro
+ patches for nspawn policy (#721)
+ Simple patch for Brother printer drivers as described in:
+ https://etbe.coker.com.au/2023/10/22/brother-mfc-j4440dw-printer/
+
+Yi Zhao (15):
+ systemd: add capability sys_resource to systemd_userdbd_t
+ systemd: allow systemd-sysctl to search directories on ramfs
+ systemd: allow systemd-resolved to search directories on tmpfs and ramfs
+ mount: allow mount_t to get attributes for all directories
+ loadkeys: do not audit attempts to get attributes for all directories
+ systemd: allow systemd-networkd to create file in /run/systemd directory
+ systemd: allow journalctl to create /var/lib/systemd/catalog
+ bind: fix for named service
+ systemd: use init_daemon_domain instead of init_system_domain for
+ systemd-networkd and systemd-resolved
+ rpm: fixes for dnf
+ lvm: set context for /run/cryptsetup
+ container: set context for /run/crun
+ systemd: allow systemd-hostnamed to read machine-id and localization files
+ systemd: allow systemd-rfkill to getopt from uevent sockets
+ udev: fix for systemd-udevd
+
+freedom1b2830 (1):
+ mplayer:vlc paths
+
* Tue Nov 01 2022 Chris PeBenito <pebenito@ieee.org> - 2.20221101
Chris PeBenito (46):
systemd: Drop systemd_detect_virt_t.
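Review bot: several entries in this Changelog hunk are raw commit bodies rather than one-line subjects, which breaks the one-subject-per-line format used everywhere else in the list: under Russell Coker the four-line "This patch removes deprecated interfaces that were deprecated in the 20210203 release ..." paragraph appears twice verbatim, the eg25-manager and iio-sensor-proxy entries run the Debian package descriptions over many lines, one entry is only the bare URL https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/, and "Daemon to monitor memory pressure and notify applications and change …" is cut off mid-subject. Since this is generated from git shortlog, the fix is to post-edit these to their subject line (or to the subject of the actual change, e.g. "Remove interfaces deprecated in 20210203") before committing the Changelog, so that readers scanning the release notes can tell what each commit did.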
diff --git a/VERSION b/VERSION
index f14c5b175..238b92fda 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.20221101
+2.20240226
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2024-09-22 0:03 Jason Zaman
0 siblings, 0 replies; 101+ messages in thread
From: Jason Zaman @ 2024-09-22 0:03 UTC (permalink / raw
To: gentoo-commits
commit: 79a4ef791fa59b11ee1d620d8ee40147df5f6767
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Sat Aug 10 20:39:17 2024 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 21 22:28:29 2024 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=79a4ef79
Makefile: drop duplicate quotes
The variable is used quoted.
Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index 42d6484bc..ddd00a3b7 100644
--- a/Makefile
+++ b/Makefile
@@ -50,9 +50,9 @@ ifdef TEST_TOOLCHAIN
python_path_plat := $(shell python3 -c "import sysconfig; print(sysconfig.get_path('platlib', vars={'platbase': '/usr', 'base': '/usr'}))")
python_path_pure := $(shell python3 -c "import sysconfig; print(sysconfig.get_path('purelib', vars={'platbase': '/usr', 'base': '/usr'}))")
ifdef PYTHONPATH
-python_path := "$(TEST_TOOLCHAIN)$(python_path_plat):$(TEST_TOOLCHAIN)$(python_path_pure):$(PYTHONPATH)"
+python_path := $(TEST_TOOLCHAIN)$(python_path_plat):$(TEST_TOOLCHAIN)$(python_path_pure):$(PYTHONPATH)
else
-python_path := "$(TEST_TOOLCHAIN)$(python_path_plat):$(TEST_TOOLCHAIN)$(python_path_pure)"
+python_path := $(TEST_TOOLCHAIN)$(python_path_plat):$(TEST_TOOLCHAIN)$(python_path_pure)
endif
tc_usrbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib:$(TEST_TOOLCHAIN)/usr/lib" PYTHONPATH="$(python_path)" $(TEST_TOOLCHAIN)$(BINDIR)
tc_usrsbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib:$(TEST_TOOLCHAIN)/usr/lib" PYTHONPATH="$(python_path)" $(TEST_TOOLCHAIN)$(SBINDIR)
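Review bot: dropping the quotes on the two python_path assignments is correct, and it is a small correctness fix rather than a cosmetic one, so the commit message could say so. The only consumers visible in the hunk, tc_usrbindir and tc_usrsbindir, already write PYTHONPATH="$(python_path)", so with the old definition the shell saw PYTHONPATH=""<plat>:<pure>"" in which the inner quotes close the outer ones; the pieces still concatenated into one word, but only as long as no component of $(TEST_TOOLCHAIN) or the sysconfig paths contained whitespace, because those segments were effectively unquoted. After this change the entire value sits inside the single pair of quotes at the use site. Make does no word splitting on its own variables, so leaving python_path_plat and python_path_pure unquoted inside the make-level assignment is fine.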
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2024-09-22 0:03 Jason Zaman
0 siblings, 0 replies; 101+ messages in thread
From: Jason Zaman @ 2024-09-22 0:03 UTC (permalink / raw
To: gentoo-commits
commit: eda98a3afa77322916144fbf27e290932d4495e8
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon Sep 16 17:52:00 2024 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 21 22:28:30 2024 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=eda98a3a
Update Changelog and VERSION for release 2.20240916.
Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
Changelog | 136 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
VERSION | 2 +-
2 files changed, 137 insertions(+), 1 deletion(-)
diff --git a/Changelog b/Changelog
index a1938b4f0..1e9edc872 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,139 @@
+* Mon Sep 16 2024 Chris PeBenito <pebenito@ieee.org> - 2.20240916
+Amisha Jain (1):
+ Sepolicy changes for bluez to access uhid
+
+Chris PeBenito (54):
+ uml: Remove excessive access from user domains on uml_exec_t.
+ cron: Use raw entrypoint rule for system_cronjob_t.
+ docker: Fix dockerc typo in container_engine_executable_file
+ minissdpd: Revoke kernel module loading permissions.
+ xen: Revoke kernel module loading permissions.
+ cups: Remove PTAL.
+ xen: Drop xend/xm stack.
+ certbot: Drop execmem.
+ cockpit: Change $1_cockpit_tmpfs_t to a tmpfs file type.
+ tests.yml: Add sechecker testing.
+ systemd: Add basic systemd-analyze rules.
+ cloudinit: Add support for cloud-init-growpart.
+ filesystem/systemd: memory.pressure fixes.
+ init: Add homectl dbus access.
+ device: Move dev_rw_uhid definition.
+ devices: Change dev_rw_uhid() to use a policy pattern.
+ tests.yml: Divide into reusable workflows.
+ tests.yml: Add policy diff on PRs.
+ bluetooth: Move line.
+
+Christian Göttsche (4):
+ getty: grant checkpoint_restore
+ quote: read localization
+ systemd: allow notify client to stat socket
+ Makefile: drop duplicate quotes
+
+Dave Sugar (4):
+ Setup domain for dbus selinux interface
+ Update SOS report to work on RHEL9
+ Need map perm for cockpit 300.4
+ Additional permissions when fapolicyd.conf more strict
+
+Dmitry Sharshakov (1):
+ filesystem, devices: move gadgetfs to usbfs_t
+
+Grzegorz Filo (1):
+ files context for merged-usr profile on gentoo
+
+Guido Trentalancia (1):
+ Allow interactive user terminal output for the NetLabel management tool.
+
+Kenton Groombridge (46):
+ init: allow systemd to use sshd pidfds
+ fail2ban: allow reading net sysctls
+ dovecot: allow dovecot-auth to read SASL keytab
+ userdom: allow users to read user home dir symlinks
+ postgres: add a standalone execmem tunable
+ asterisk: allow binding to all unreserved UDP ports
+ bootloader: allow systemd-boot to manage EFI binaries
+ matrixd: add tunable for binding to all unreserved ports
+ container: allow system container engines to mmap runtime files
+ container: allow containers to getcap
+ systemd: allow systemd-sysctl to search tmpfs
+ container, podman: various fixes
+ container, crio, kubernetes: minor fixes
+ various: various fixes
+ systemd: allow systemd-logind to use sshd pidfds
+ sysnetwork: allow ifconfig to read usr files
+ postfix: allow smtpd to mmap SASL keytab files
+ sudo: allow systemd-logind to read cgroup state of sudo
+ su, sudo: allow sudo to signal all su domains
+ asterisk: allow watching spool dirs
+ dbus, init: add interface for pidfd usage
+ init: use pidfds from local login
+ haproxy: initial policy
+ sysadm: make haproxy admin
+ container: allow containers to execute tmpfs files
+ node_exporter: allow reading localization
+ netutils: allow ping to read net sysctls
+ postfix: allow postfix pipe to watch mail spool
+ asterisk: allow reading certbot lib
+ node_exporter: allow reading RPC sysctls
+ systemd: allow logind to use locallogin pidfds
+ sshd: label sshd-session as sshd_exec_t
+ iptables: allow reading usr files
+ podman: allow managing init runtime units
+ haproxy: allow interactive usage
+ kubernetes: allow kubelet to create unlabeled dirs
+ container: allow super privileged containers to manage BPF dirs
+ dbus: dontaudit session bus domains the netadmin capability
+ container, kubernetes: add supporting rules for kubevirt and multus
+ container: allow spc various rules for kubevirt
+ iptables: allow reading container engine tmp files
+ container: add container_kvm_t and supporting kubevirt rules
+ various: rules required for DV manipulation in kubevirt
+ testing: add container_kvm_t to net admin exempt list
+ container: allow reading generic certs
+ kubernetes: allow kubelet to connect all TCP ports
+
+Matt Sheets (1):
+ Allow systemd to pass down sig mask
+
+Naga Bhavani Akella (3):
+ Adding Sepolicy rules to allow bluetoothctl and dbus-daemon to access unix
+ stream sockets.
+ Setting bluetooth helper domain for bluetoothctl
+ Adding SE Policy rules to allow usage of unix stream sockets by dbus and
+ bluetooth contexts when Gatt notifications are turned on by remote.
+
+Raghavender Reddy Bujala (1):
+ Adding Sepolicy rules to allow pulseaudio to access bluetooth sockets.
+
+Rick Alther (2):
+ fix: minor correction in MCS_CATS range comment
+ Set the type on /etc/machine-info to net_conf_t so hostnamectl can
+ manipulate it (CRUD)
+
+Yi Zhao (12):
+ sysnetwork: fixes for dhcpcd
+ newrole: allow newrole to search faillock runtime directory
+ selinuxutil: make policykit optional
+ userdomain: allow administrative user to get attributes of shadow history
+ file
+ systemd: make xdg optional
+ systemd: set context to systemd_networkd_var_lib_t for
+ /var/lib/systemd/network
+ systemd: allow systemd-networkd to manage sock files under
+ /run/systemd/netif
+ systemd: allow system --user to create netlink_route_socket
+ systemd: add policy for systemd-nsresourced
+ devices: add label vsock_device_t for /dev/vsock
+ systemd: fix policy for systemd-ssh-generator
+ systemd: allow systemd-hostnamed to read vsock device
+
+freedom1b2830 (2):
+ Reorder perms and classes
+ Reorder perms and classes
+
+nisbet-hubbard (1):
+ Update mysql.fc
+
* Mon Feb 26 2024 Chris PeBenito <pebenito@ieee.org> - 2.20240226
Chris PeBenito (174):
tests.yml: Pin ubuntu 20.04.
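Review bot: the heading "Chris PeBenito (54):" does not match its list, which has 19 subject lines (uml: through bluetooth: Move line.), while the other headings agree with their lists (Kenton Groombridge (46) has 46 entries, Yi Zhao (12) has 12 once the wrapped lines are joined); either the heading or the list was edited after git shortlog generated it, so regenerate the block so the count and the entries agree. Two smaller consistency points in the same hunk: "device: Move dev_rw_uhid definition." and "devices: Change dev_rw_uhid() to use a policy pattern." use different prefixes for the same module, and under freedom1b2830 the subject "Reorder perms and classes" appears twice, which is fine if those are two distinct commits but gives the reader nothing to distinguish them; consider qualifying each with the module touched.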
diff --git a/VERSION b/VERSION
index 238b92fda..3cbd6b36e 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.20240226
+2.20240916