* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/roles/
@ 2012-08-28 17:28 Sven Vermeulen
From: Sven Vermeulen @ 2012-08-28 17:28 UTC
To: gentoo-commits
commit: 413bec7b8ff8b290c817a4422e4d4a4bac834b63
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Aug 28 17:27:07 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Aug 28 17:27:07 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=413bec7b
Add in administrative interface(s) for puppet
As the puppet domain has a named init script (puppet_initrc_exec_t and
puppetmaster_initrc_exec_t) we provide administrative interfaces to be used by
the users that need to admin the puppet domains.
Also assign this to the sysadm_t/sysadm_r user for general system administration
support.
---
policy/modules/contrib/puppet.if | 78 ++++++++++++++++++++++++++++++++++++++
policy/modules/roles/sysadm.te | 4 ++
2 files changed, 82 insertions(+), 0 deletions(-)
diff --git a/policy/modules/contrib/puppet.if b/policy/modules/contrib/puppet.if
index 2855a44..d2e5a12 100644
--- a/policy/modules/contrib/puppet.if
+++ b/policy/modules/contrib/puppet.if
@@ -10,6 +10,84 @@
################################################
## <summary>
+## All of the rules required to manage a puppet (client) domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+#
+interface(`puppet_admin',`
+ gen_require(`
+ type puppet_t;
+ type puppet_initrc_exec_t;
+ type puppet_etc_t;
+ type puppet_log_t;
+ type puppet_var_run_t;
+ ')
+
+ allow $1 puppet_t:process { getattr signal_perms };
+ ps_process_pattern($1, puppet_t)
+
+ init_labeled_script_domtrans($1, puppet_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 puppet_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_etc($1)
+ admin_pattern($1, puppet_etc_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, puppet_log_t)
+
+ admin_pattern($1, puppet_var_run_t)
+
+ kernel_search_proc($1)
+ allow $1 puppet_t:dir list_dir_perms;
+
+ read_lnk_files_pattern($1, puppet_t, puppet_t)
+')
+
+################################################
+## <summary>
+## All of the rules required to manage a puppetmaster domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+#
+interface(`puppet_admin_puppetmaster',`
+ gen_require(`
+ type puppetmaster_t;
+ type puppetmaster_initrc_exec_t;
+ ')
+
+ allow $1 puppetmaster_t:process { getattr signal_perms };
+ ps_process_pattern($1, puppetmaster_t)
+
+ init_labeled_script_domtrans($1, puppetmaster_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 puppetmaster_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ puppet_admin($1, $2)
+')
+
+################################################
+## <summary>
## Read / Write to Puppet temp files. Puppet uses
## some system binaries (groupadd, etc) that run in
## a non-puppet domain and redirects output into temp
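Review bot: In puppet_admin_puppetmaster, the closing puppet_admin($1, $2) call repeats domain_system_change_exemption($1) and allow $2 system_r, and it grants full client administration from an interface whose summary only mentions the puppetmaster domain. Either say in the summary that master administration includes client administration, or drop the two duplicated lines. The same interface has no admin_pattern on any puppetmaster file type, and puppet_admin covers the etc, log and var_run types but nothing for the Puppet temp files named in the context lines that follow; if those are left out on purpose, a comment saying so would help.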
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index efba839..0a2714b 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -307,6 +307,10 @@ optional_policy(`
')
optional_policy(`
+ puppet_admin_puppetmaster(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
pyzor_role(sysadm_r, sysadm_t)
')
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/roles/
@ 2012-10-24 18:02 Sven Vermeulen
From: Sven Vermeulen @ 2012-10-24 18:02 UTC
To: gentoo-commits
commit: 8fc45f96b4497f454c659d14b860e7532e951db6
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Oct 24 17:59:03 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Oct 24 17:59:03 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8fc45f96
Remove puppet_admin_puppetmaster, now in puppet_admin
The necessary rules to manage puppet domains are now contained within
puppet_admin interface (we previously had puppet_admin for client, and
puppet_admin_puppetmaster for master daemon domain).
---
policy/modules/contrib/puppet.if | 32 --------------------------------
policy/modules/roles/sysadm.te | 2 +-
2 files changed, 1 insertions(+), 33 deletions(-)
diff --git a/policy/modules/contrib/puppet.if b/policy/modules/contrib/puppet.if
index d63a5be..3535650 100644
--- a/policy/modules/contrib/puppet.if
+++ b/policy/modules/contrib/puppet.if
@@ -70,38 +70,6 @@ interface(`puppet_read_config',`
################################################
## <summary>
-## All of the rules required to manage a puppetmaster domain
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access
-## </summary>
-## </param>
-#
-interface(`puppet_admin_puppetmaster',`
- gen_require(`
- type puppetmaster_t;
- type puppetmaster_initrc_exec_t;
- ')
-
- allow $1 puppetmaster_t:process { getattr signal_perms };
- ps_process_pattern($1, puppetmaster_t)
-
- init_labeled_script_domtrans($1, puppetmaster_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 puppetmaster_initrc_exec_t system_r;
- allow $2 system_r;
-
- puppet_admin($1, $2)
-')
-
-################################################
-## <summary>
## Read Puppet lib files.
## </summary>
## <param name="domain">
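Review bot: Deleting puppet_admin_puppetmaster removes the only visible source of init_labeled_script_domtrans($1, puppetmaster_initrc_exec_t) and role_transition $2 puppetmaster_initrc_exec_t system_r, and the puppet_admin change that is supposed to replace them is not part of this patch. Confirm that puppet_admin at index 3535650 requires puppetmaster_t and puppetmaster_initrc_exec_t and carries both rules, otherwise sysadm loses the ability to run the puppetmaster init script. Any other caller of the removed interface will also fail to build, so a tree-wide search for puppet_admin_puppetmaster belongs with this commit.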
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 80e9aa1..56163f4 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -307,7 +307,7 @@ optional_policy(`
')
optional_policy(`
- puppet_admin_puppetmaster(sysadm_t, sysadm_r)
+ puppet_admin(sysadm_t, sysadm_r)
')
optional_policy(`
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/roles/
@ 2012-11-17 11:36 Sven Vermeulen
From: Sven Vermeulen @ 2012-11-17 11:36 UTC
To: gentoo-commits
commit: 71f15bb6ef446712d2753d0490e36d63ed8fec66
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Nov 17 11:32:49 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Nov 17 11:35:10 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=71f15bb6
Use postfix_admin for the administrative functions
Currently, the administration related methods were added ad hoc to the sysadm
role. However, this still lacks the proper privileges regarding the postfix init
script and other related material, as provided by postfix_admin().
Move the already created administrative methods inside postfix_admin() and use
postfix_admin() in the sysadm.te definition.
---
policy/modules/contrib/postfix.if | 4 ++++
policy/modules/roles/sysadm.te | 4 +---
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/postfix.if b/policy/modules/contrib/postfix.if
index 98ef6c8..2c95cce 100644
--- a/policy/modules/contrib/postfix.if
+++ b/policy/modules/contrib/postfix.if
@@ -747,5 +747,9 @@ interface(`postfix_admin',`
')
can_exec($1, postfix_showq_exec_t)
+
+ postfix_exec_master($1)
+ postfix_exec_postqueue($1)
+ postfix_stream_connect_master($1)
')
')
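Review bot: The three calls added after can_exec($1, postfix_showq_exec_t) sit inside the inner block that the first closing ') ends, not at the top level of postfix_admin. In sysadm.te these grants were conditional only on optional_policy; if the enclosing block here is a further condition, they now depend on it as well. Confirm that is intended, and add a short comment above the new lines saying why an administrator needs to execute master and postqueue and connect to the master stream socket.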
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index dd2f4df..77233b9 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -296,9 +296,7 @@ optional_policy(`
')
optional_policy(`
- postfix_exec_master(sysadm_t)
- postfix_exec_postqueue(sysadm_t)
- postfix_stream_connect_master(sysadm_t)
+ postfix_admin(sysadm_t, sysadm_r)
')
optional_policy(`
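Review bot: Replacing the three single-purpose calls with postfix_admin(sysadm_t, sysadm_r) widens sysadm_t from exec and stream-connect access to everything postfix_admin grants, and it introduces the role argument sysadm_r that none of the removed calls took. That matches the commit message, but the removed grants survive only if the postfix.if hunk of this same commit is applied, so the two files must not be split across commits or backports.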
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/roles/
@ 2019-02-10 4:24 Jason Zaman
From: Jason Zaman @ 2019-02-10 4:24 UTC
To: gentoo-commits
commit: 4a9fa0f6f7c5f90dc16db233210cfa4758f08bfc
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Feb 10 04:23:14 2019 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 10 04:23:42 2019 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4a9fa0f6
remove gentoo chromium policy that has been upstreamed
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
policy/modules/contrib/chromium.fc | 31 ---
policy/modules/contrib/chromium.if | 139 --------------
policy/modules/contrib/chromium.te | 375 -------------------------------------
policy/modules/roles/staff.te | 4 -
policy/modules/roles/unprivuser.te | 4 -
5 files changed, 553 deletions(-)
diff --git a/policy/modules/contrib/chromium.fc b/policy/modules/contrib/chromium.fc
deleted file mode 100644
index 534235dc..00000000
--- a/policy/modules/contrib/chromium.fc
+++ /dev/null
@@ -1,31 +0,0 @@
-/opt/google/chrome/chrome -- gen_context(system_u:object_r:chromium_exec_t,s0)
-/opt/google/chrome/chrome_sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
-/opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
-/opt/google/chrome/google-chrome -- gen_context(system_u:object_r:chromium_exec_t,s0)
-/opt/google/chrome/nacl_helper_bootstrap -- gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
-/opt/google/chrome/libudev.so.0 gen_context(system_u:object_r:lib_t,s0)
-
-/opt/google/chrome-beta/chrome -- gen_context(system_u:object_r:chromium_exec_t,s0)
-/opt/google/chrome-beta/chrome_sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
-/opt/google/chrome-beta/chrome-sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
-/opt/google/chrome-beta/google-chrome -- gen_context(system_u:object_r:chromium_exec_t,s0)
-/opt/google/chrome-beta/nacl_helper_bootstrap -- gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
-/opt/google/chrome-beta/libudev.so.0 gen_context(system_u:object_r:lib_t,s0)
-
-/opt/google/chrome-unstable/chrome -- gen_context(system_u:object_r:chromium_exec_t,s0)
-/opt/google/chrome-unstable/chrome_sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
-/opt/google/chrome-unstable/chrome-sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
-/opt/google/chrome-unstable/google-chrome -- gen_context(system_u:object_r:chromium_exec_t,s0)
-/opt/google/chrome-unstable/nacl_helper_bootstrap -- gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
-/opt/google/chrome-unstable/libudev.so.0 gen_context(system_u:object_r:lib_t,s0)
-
-/usr/lib/chromium-browser/chrome -- gen_context(system_u:object_r:chromium_exec_t,s0)
-/usr/lib/chromium-browser/chrome_sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
-/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
-/usr/lib/chromium-browser/chromium-launcher\.sh -- gen_context(system_u:object_r:chromium_exec_t,s0)
-/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
-
-HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chromium_xdg_cache_t,s0)
-HOME_DIR/\.cache/google-chrome(/.*)? gen_context(system_u:object_r:chromium_xdg_cache_t,s0)
-HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:chromium_xdg_config_t,s0)
-HOME_DIR/\.config/google-chrome(/.*)? gen_context(system_u:object_r:chromium_xdg_config_t,s0)
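Review bot: Dropping the whole chromium.fc is safe only if the upstreamed file labels every path listed here, including the chrome-beta and chrome-unstable trees, chromium-launcher\.sh, and the libudev.so.0 entries labelled lib_t. A path that upstream does not cover falls back to its default label on the next relabel, and the transition into chromium_t through chromium_exec_t then stops happening without any build error. Diff this list against the upstream .fc and note any differences in the commit message.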
diff --git a/policy/modules/contrib/chromium.if b/policy/modules/contrib/chromium.if
deleted file mode 100644
index 26eb0259..00000000
--- a/policy/modules/contrib/chromium.if
+++ /dev/null
@@ -1,139 +0,0 @@
-## <summary>
-## Chromium browser
-## </summary>
-
-#######################################
-## <summary>
-## Role access for chromium
-## </summary>
-## <param name="role">
-## <summary>
-## Role allowed access
-## </summary>
-## </param>
-## <param name="domain">
-## <summary>
-## User domain for the role
-## </summary>
-## </param>
-#
-interface(`chromium_role',`
- gen_require(`
- type chromium_t;
- type chromium_renderer_t;
- type chromium_sandbox_t;
- type chromium_naclhelper_t;
- type chromium_exec_t;
- ')
-
- role $1 types chromium_t;
- role $1 types chromium_renderer_t;
- role $1 types chromium_sandbox_t;
- role $1 types chromium_naclhelper_t;
-
- # Transition from the user domain to the derived domain
- chromium_domtrans($2)
-
- # Allow ps to show chromium processes and allow the user to signal it
- ps_process_pattern($2, chromium_t)
- ps_process_pattern($2, chromium_renderer_t)
-
- allow $2 chromium_t:process signal_perms;
- allow $2 chromium_renderer_t:process signal_perms;
- allow $2 chromium_naclhelper_t:process signal_perms;
-
- allow chromium_sandbox_t $2:fd use;
- allow chromium_naclhelper_t $2:fd use;
-')
-
-#######################################
-## <summary>
-## Read-write access to Chromiums' temporary fifo files
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access
-## </summary>
-## </param>
-#
-interface(`chromium_rw_tmp_pipes',`
- gen_require(`
- type chromium_tmp_t;
- ')
-
- rw_fifo_files_pattern($1, chromium_tmp_t, chromium_tmp_t)
-')
-
-##############################################
-## <summary>
-## Automatically use the specified type for resources created in chromium's
-## temporary locations
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain that creates the resource(s)
-## </summary>
-## </param>
-## <param name="class">
-## <summary>
-## Type of the resource created
-## </summary>
-## </param>
-## <param name="filename" optional="true">
-## <summary>
-## The name of the resource being created
-## </summary>
-## </param>
-#
-interface(`chromium_tmp_filetrans',`
- gen_require(`
- type chromium_tmp_t;
- ')
-
- search_dirs_pattern($1, chromium_tmp_t, chromium_tmp_t)
- filetrans_pattern($1, chromium_tmp_t, $2, $3, $4)
-')
-
-#######################################
-## <summary>
-## Execute a domain transition to the chromium domain (chromium_t)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access
-## </summary>
-## </param>
-#
-interface(`chromium_domtrans',`
- gen_require(`
- type chromium_t;
- type chromium_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, chromium_exec_t, chromium_t)
-')
-
-#######################################
-## <summary>
-## Execute chromium in the chromium domain and allow the specified role to access the chromium domain
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access
-## </summary>
-## </param>
-#
-interface(`chromium_run',`
- gen_require(`
- type chromium_t;
- ')
-
- chromium_domtrans($1)
- role $2 types chromium_t;
-')
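Review bot: In the removed chromium_tmp_filetrans, the documentation lists three parameters (domain, class, filename) while the body passes $2, $3 and $4 to filetrans_pattern, so the documented and actual signatures disagree. Check which form the upstream interface uses before relying on it as a drop-in replacement. Also note that chromium_role takes (role, domain) while chromium_run takes (domain, role); callers outside this patch must match the upstream argument order for each.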
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
deleted file mode 100644
index 7e7f4490..00000000
--- a/policy/modules/contrib/chromium.te
+++ /dev/null
@@ -1,375 +0,0 @@
-policy_module(chromium, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-## <desc>
-## <p>
-## Allow the use of java plugins
-## </p>
-## <p>
-## Some of these plugins require the use of named pipes (fifo files) that are
-## created within the temporary directory of the first browser that instantiated
-## the plugin. Hence, if other browsers need access to java plugins, they will
-## get search rights in chromium's tmp locations
-## </p>
-## </desc>
-gen_tunable(chromium_use_java, false)
-
-## <desc>
-## <p>
-## Allow chromium to read system information
-## </p>
-## <p>
-## Although not needed for regular browsing, this will allow chromium to update
-## its own memory consumption based on system state, support additional
-## debugging, detect specific devices, etc.
-## </p>
-## </desc>
-gen_tunable(chromium_read_system_info, false)
-
-## <desc>
-## <p>
-## Allow chromium to bind to tcp ports
-## </p>
-## <p>
-## Although not needed for regular browsing, some chrome extensions need to
-## bind to tcp ports and accept connections.
-## </p>
-## </desc>
-gen_tunable(chromium_bind_tcp_unreserved_ports, false)
-
-## <desc>
-## <p>
-## Allow chromium to read/write USB devices
-## </p>
-## <p>
-## Although not needed for regular browsing, used for debugging over usb
-## or using FIDO U2F tokens.
-## </p>
-## </desc>
-gen_tunable(chromium_rw_usb_dev, false)
-
-type chromium_t;
-domain_dyntrans_type(chromium_t)
-
-type chromium_exec_t;
-application_domain(chromium_t, chromium_exec_t)
-
-type chromium_naclhelper_t;
-type chromium_naclhelper_exec_t;
-application_domain(chromium_naclhelper_t, chromium_naclhelper_exec_t)
-
-type chromium_sandbox_t;
-type chromium_sandbox_exec_t;
-application_domain(chromium_sandbox_t, chromium_sandbox_exec_t)
-
-type chromium_renderer_t;
-domain_base_type(chromium_renderer_t)
-
-type chromium_tmp_t;
-userdom_user_tmp_file(chromium_tmp_t)
-
-type chromium_tmpfs_t;
-userdom_user_tmpfs_file(chromium_tmpfs_t)
-optional_policy(`
- pulseaudio_tmpfs_content(chromium_tmpfs_t)
-')
-
-type chromium_xdg_config_t;
-xdg_config_home_content(chromium_xdg_config_t)
-
-type chromium_xdg_cache_t;
-xdg_cache_home_content(chromium_xdg_cache_t)
-
-
-
-########################################
-#
-# chromium local policy
-#
-
-# execmem for load in plugins
-allow chromium_t self:process { execmem getsched getcap setcap setrlimit setsched sigkill signal };
-allow chromium_t self:fifo_file rw_fifo_file_perms;
-allow chromium_t self:sem create_sem_perms;
-allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms;
-# cap_userns sys_admin for the sandbox
-allow chromium_t self:cap_userns { sys_admin sys_chroot sys_ptrace };
-
-allow chromium_t chromium_exec_t:file execute_no_trans;
-
-allow chromium_t chromium_renderer_t:dir list_dir_perms;
-allow chromium_t chromium_renderer_t:file rw_file_perms;
-allow chromium_t chromium_renderer_t:fd use;
-allow chromium_t chromium_renderer_t:process signal_perms;
-allow chromium_t chromium_renderer_t:shm rw_shm_perms;
-allow chromium_t chromium_renderer_t:unix_dgram_socket { read write };
-allow chromium_t chromium_renderer_t:unix_stream_socket { read write };
-
-allow chromium_t chromium_sandbox_t:unix_dgram_socket { read write };
-allow chromium_t chromium_sandbox_t:unix_stream_socket { read write };
-
-allow chromium_t chromium_naclhelper_t:process { share };
-
-# tmp has a wide class access (used for plugins)
-manage_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
-allow chromium_t chromium_tmp_t:file map;
-manage_dirs_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
-manage_lnk_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
-manage_sock_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
-manage_fifo_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
-files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir sock_file })
-
-manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t)
-allow chromium_t chromium_tmpfs_t:file map;
-fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, file)
-fs_tmpfs_filetrans(chromium_renderer_t, chromium_tmpfs_t, file)
-
-manage_files_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t)
-allow chromium_t chromium_xdg_config_t:file map;
-manage_lnk_files_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t)
-manage_dirs_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t)
-xdg_config_home_filetrans(chromium_t, chromium_xdg_config_t, dir, "chromium")
-
-manage_files_pattern(chromium_t, chromium_xdg_cache_t, chromium_xdg_cache_t)
-allow chromium_t chromium_xdg_cache_t:file map;
-manage_dirs_pattern(chromium_t, chromium_xdg_cache_t, chromium_xdg_cache_t)
-xdg_cache_home_filetrans(chromium_t, chromium_xdg_cache_t, dir, "chromium")
-
-dyntrans_pattern(chromium_t, chromium_renderer_t)
-domtrans_pattern(chromium_t, chromium_sandbox_exec_t, chromium_sandbox_t)
-domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t)
-
-kernel_list_proc(chromium_t)
-kernel_read_net_sysctls(chromium_t)
-
-corecmd_exec_bin(chromium_t)
-# Look for /etc/gentoo-release through a shell invocation running find
-corecmd_exec_shell(chromium_t)
-
-corenet_tcp_connect_all_unreserved_ports(chromium_t)
-corenet_tcp_connect_ftp_port(chromium_t)
-corenet_tcp_connect_http_port(chromium_t)
-corenet_udp_bind_generic_node(chromium_t)
-corenet_udp_bind_all_unreserved_ports(chromium_t)
-
-dev_read_sound(chromium_t)
-dev_write_sound(chromium_t)
-dev_read_urand(chromium_t)
-dev_read_rand(chromium_t)
-dev_rw_xserver_misc(chromium_t)
-dev_map_xserver_misc(chromium_t)
-
-domain_dontaudit_search_all_domains_state(chromium_t)
-
-files_list_home(chromium_t)
-files_search_home(chromium_t)
-files_read_usr_files(chromium_t)
-files_map_usr_files(chromium_t)
-files_read_etc_files(chromium_t)
-# During find for /etc/whatever-release we get lots of output otherwise
-files_dontaudit_getattr_all_dirs(chromium_t)
-
-fs_dontaudit_getattr_xattr_fs(chromium_t)
-
-getty_dontaudit_use_fds(chromium_t)
-
-miscfiles_read_all_certs(chromium_t)
-miscfiles_read_localization(chromium_t)
-
-sysnet_dns_name_resolve(chromium_t)
-
-userdom_user_content_access_template(chromium, chromium_t)
-userdom_dontaudit_list_user_home_dirs(chromium_t)
-# Debugging. Also on user_tty_device_t if X is started through "startx" for instance
-userdom_use_user_terminals(chromium_t)
-userdom_manage_user_certs(chromium_t)
-userdom_user_home_dir_filetrans_user_cert(chromium_t, dir, ".pki")
-
-xdg_create_cache_home_dirs(chromium_t)
-xdg_create_config_home_dirs(chromium_t)
-xdg_create_data_home_dirs(chromium_t)
-xdg_manage_downloads_home(chromium_t)
-xdg_read_config_home_files(chromium_t)
-xdg_read_data_home_files(chromium_t)
-
-xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t)
-
-tunable_policy(`chromium_bind_tcp_unreserved_ports',`
- corenet_tcp_bind_generic_node(chromium_t)
- corenet_tcp_bind_all_unreserved_ports(chromium_t)
- allow chromium_t self:tcp_socket { listen accept };
-')
-
-tunable_policy(`chromium_rw_usb_dev',`
- dev_rw_generic_usb_dev(chromium_t)
- udev_read_db(chromium_t)
-')
-
-tunable_policy(`chromium_read_system_info',`
- kernel_read_kernel_sysctls(chromium_t)
- # Memory optimizations & optimizations based on OS/version
- kernel_read_system_state(chromium_t)
-
- # Debugging (sys/kernel/debug) and device information (sys/bus and sys/devices).
- dev_read_sysfs(chromium_t)
-
- storage_getattr_fixed_disk_dev(chromium_t)
-
- files_read_etc_runtime_files(chromium_t)
-
- dev_dontaudit_getattr_all_chr_files(chromium_t)
- init_dontaudit_getattr_initctl(chromium_t)
-',`
- kernel_dontaudit_read_kernel_sysctls(chromium_t)
- kernel_dontaudit_read_system_state(chromium_t)
-
- dev_dontaudit_read_sysfs(chromium_t)
-
- files_dontaudit_read_etc_runtime(chromium_t)
-')
-
-optional_policy(`
- cups_read_config(chromium_t)
- cups_stream_connect(chromium_t)
-')
-
-optional_policy(`
- dbus_all_session_bus_client(chromium_t)
- dbus_system_bus_client(chromium_t)
-
- optional_policy(`
- unconfined_dbus_chat(chromium_t)
- ')
- optional_policy(`
- gnome_dbus_chat_all_gkeyringd(chromium_t)
- ')
- optional_policy(`
- devicekit_dbus_chat_power(chromium_t)
- ')
-')
-
-optional_policy(`
- flash_manage_home(chromium_t)
-')
-
-optional_policy(`
- # Java (iced-tea) plugin .so creates /tmp/icedteaplugin-<name> directory
- # and fifo files within. These are then used by the renderer and a
- # freshly forked java process to communicate between each other.
- tunable_policy(`chromium_use_java',`
- java_noatsecure_domtrans(chromium_t)
- ')
-')
-
-optional_policy(`
- # Chromium reads in .mozilla for user plugins
- mozilla_read_user_home(chromium_t)
-')
-
-ifdef(`use_alsa',`
- optional_policy(`
- alsa_domain(chromium_t, chromium_tmpfs_t)
- ')
-
- optional_policy(`
- pulseaudio_domtrans(chromium_t)
- ')
-')
-
-########################################
-#
-# chromium_renderer local policy
-#
-
-allow chromium_renderer_t self:process execmem;
-
-allow chromium_renderer_t self:fifo_file rw_fifo_file_perms;
-allow chromium_renderer_t self:shm create_shm_perms;
-allow chromium_renderer_t self:unix_dgram_socket { create read sendto };
-allow chromium_renderer_t self:unix_stream_socket { create getattr read write };
-
-allow chromium_renderer_t chromium_t:fd use;
-allow chromium_renderer_t chromium_t:unix_stream_socket rw_stream_socket_perms;
-allow chromium_renderer_t chromium_tmpfs_t:file rw_file_perms;
-
-dontaudit chromium_renderer_t chromium_t:dir search; # /proc/... access
-dontaudit chromium_renderer_t self:process getsched;
-
-read_files_pattern(chromium_renderer_t, chromium_xdg_config_t, chromium_xdg_config_t)
-
-rw_fifo_files_pattern(chromium_renderer_t, chromium_tmp_t, chromium_tmp_t)
-
-dev_read_urand(chromium_renderer_t)
-
-files_dontaudit_list_tmp(chromium_renderer_t)
-files_dontaudit_read_etc_files(chromium_renderer_t)
-files_search_var(chromium_renderer_t)
-
-init_sigchld(chromium_renderer_t)
-
-miscfiles_read_localization(chromium_renderer_t)
-
-userdom_dontaudit_use_all_users_fds(chromium_renderer_t)
-userdom_use_user_terminals(chromium_renderer_t)
-
-xdg_read_config_home_files(chromium_renderer_t)
-
-xserver_user_x_domain_template(chromium_renderer, chromium_renderer_t, chromium_tmpfs_t)
-
-tunable_policy(`chromium_read_system_info',`
- kernel_read_kernel_sysctls(chromium_renderer_t)
- kernel_read_system_state(chromium_renderer_t)
-',`
- kernel_dontaudit_read_kernel_sysctls(chromium_renderer_t)
- kernel_dontaudit_read_system_state(chromium_renderer_t)
-')
-
-#########################################
-#
-# Chromium sandbox local policy
-#
-
-allow chromium_sandbox_t self:capability { dac_read_search setgid setuid sys_admin sys_chroot sys_ptrace };
-allow chromium_sandbox_t self:process { setrlimit };
-allow chromium_sandbox_t self:unix_stream_socket create_stream_socket_perms;
-
-allow chromium_sandbox_t chromium_t:process { share };
-# /proc access
-allow chromium_sandbox_t chromium_t:dir list_dir_perms;
-allow chromium_sandbox_t chromium_t:lnk_file read_lnk_file_perms;
-allow chromium_sandbox_t chromium_t:file rw_file_perms;
-
-allow chromium_sandbox_t chromium_t:unix_stream_socket { read write };
-allow chromium_sandbox_t chromium_t:unix_dgram_socket { read write };
-
-kernel_list_proc(chromium_sandbox_t)
-
-domain_dontaudit_read_all_domains_state(chromium_sandbox_t)
-
-userdom_use_user_ptys(chromium_sandbox_t)
-
-chromium_domtrans(chromium_sandbox_t)
-
-##########################################
-#
-# Chromium nacl helper local policy
-#
-
-allow chromium_naclhelper_t chromium_t:unix_stream_socket { read write };
-
-domain_mmap_low_uncond(chromium_naclhelper_t)
-
-userdom_use_user_ptys(chromium_naclhelper_t)
-
-tunable_policy(`chromium_read_system_info',`
- kernel_read_kernel_sysctls(chromium_naclhelper_t)
- kernel_read_system_state(chromium_naclhelper_t)
-',`
- kernel_dontaudit_read_kernel_sysctls(chromium_naclhelper_t)
- kernel_dontaudit_read_system_state(chromium_naclhelper_t)
-')
-
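Review bot: This removal drops four tunables, chromium_use_java, chromium_read_system_info, chromium_bind_tcp_unreserved_ports and chromium_rw_usb_dev; a system that has any of them set persistently keeps the setting only if upstream declares the boolean under the same name. It also drops the corecmd_exec_shell(chromium_t) rule commented as needed for the /etc/gentoo-release lookup and the cap_userns grant commented as needed for the sandbox. List in the commit message which of these upstream carries, so a regression shows up in review rather than as denials after the upgrade.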
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 7379868a..fbe1829b 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -228,10 +228,6 @@ ifdef(`distro_gentoo',`
at_role(staff_r, staff_t)
')
- optional_policy(`
- chromium_role(staff_r, staff_t)
- ')
-
optional_policy(`
# bug 531784
devicekit_dbus_chat_disk(staff_t)
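Review bot: The removed chromium_role(staff_r, staff_t) call lived inside the ifdef(`distro_gentoo', block, so after this hunk staff_r is associated with the chromium types only if upstream staff.te makes the call outside that block. If it does not, staff users can no longer transition into chromium_t and the browser runs in the user domain instead. The unprivuser.te hunk that follows has the same dependency for user_r; confirm both and say so in the commit message.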
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index aa0c518f..e71c17e9 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -216,10 +216,6 @@ ifdef(`distro_gentoo',`
at_role(user_r, user_t)
')
- optional_policy(`
- chromium_role(user_r, user_t)
- ')
-
optional_policy(`
devicekit_dbus_chat_disk(user_t)
devicekit_dbus_chat_power(user_t)