* [gentoo-commits] proj/hardened-dev:master commit in: sec-policy/selinux-chromium/, sec-policy/selinux-nginx/files/, ...
@ 2012-11-25 19:44 Sven Vermeulen
From: Sven Vermeulen @ 2012-11-25 19:44 UTC (permalink / raw
To: gentoo-commits
commit: 349f55ac0d848e65e0cd28a629a7da5b770ab18e
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Nov 25 19:42:09 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Nov 25 19:42:09 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=349f55ac
Fix build failures on r8
Package-Manager: portage-2.1.11.31
Manifest-Sign-Key: 0xCDBA2FDB
---
.../files/fix-make-gpg-optional-r8.patch | 52 ++++++++++++++++++++
.../selinux-apache-2.20120725-r8.ebuild | 2 +
.../selinux-chromium-2.20120725-r8.ebuild | 4 ++
.../selinux-mplayer-2.20120725-r8.ebuild | 4 ++
.../selinux-nginx/files/fix-tunable-names-r8.patch | 42 ++++++++++++++++
.../selinux-nginx-2.20120725-r8.ebuild | 2 +
.../files/fix-qemu-is-optional-r8.patch | 15 ++++++
.../selinux-virt/selinux-virt-2.20120725-r8.ebuild | 1 +
8 files changed, 122 insertions(+), 0 deletions(-)
diff --git a/sec-policy/selinux-apache/files/fix-make-gpg-optional-r8.patch b/sec-policy/selinux-apache/files/fix-make-gpg-optional-r8.patch
new file mode 100644
index 0000000..ce8aac3
--- /dev/null
+++ b/sec-policy/selinux-apache/files/fix-make-gpg-optional-r8.patch
@@ -0,0 +1,52 @@
+--- contrib/apache.te 2012-11-25 20:20:08.229745244 +0100
++++ contrib/apache.te 2012-11-24 20:02:13.095338898 +0100
+@@ -357,7 +357,6 @@
+
+ type httpd_gpg_t;
+ domain_type(httpd_gpg_t)
+-gpg_entry_type(httpd_gpg_t)
+ role system_r types httpd_gpg_t;
+
+ ifdef(`distro_gentoo',`
+@@ -586,10 +585,6 @@
+ allow httpd_t httpd_script_exec_type:dir list_dir_perms;
+ ')
+
+-tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
+- gpg_spec_domtrans(httpd_t, httpd_gpg_t)
+-')
+-
+ tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
+ fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
+ ')
+@@ -677,6 +672,13 @@
+ ')
+
+ optional_policy(`
++ tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
++ gpg_spec_domtrans(httpd_t, httpd_gpg_t)
++ ')
++')
++
++
++optional_policy(`
+ tunable_policy(`httpd_mod_auth_ntlm_winbind',`
+ samba_domtrans_winbind_helper(httpd_t)
+ ')
+@@ -1398,7 +1400,6 @@
+
+ miscfiles_read_localization(httpd_gpg_t)
+
+-gpg_exec(httpd_gpg_t)
+
+ tunable_policy(`httpd_gpg_anon_write',`
+ miscfiles_manage_public_files(httpd_gpg_t)
+@@ -1407,3 +1408,8 @@
+ optional_policy(`
+ apache_manage_sys_rw_content(httpd_gpg_t)
+ ')
++
++optional_policy(`
++ gpg_entry_type(httpd_gpg_t)
++ gpg_exec(httpd_gpg_t)
++')
diff --git a/sec-policy/selinux-apache/selinux-apache-2.20120725-r8.ebuild b/sec-policy/selinux-apache/selinux-apache-2.20120725-r8.ebuild
index 2afdf68..83c23d7 100644
--- a/sec-policy/selinux-apache/selinux-apache-2.20120725-r8.ebuild
+++ b/sec-policy/selinux-apache/selinux-apache-2.20120725-r8.ebuild
@@ -16,3 +16,5 @@ DEPEND="${DEPEND}
sec-policy/selinux-kerberos
"
RDEPEND="${DEPEND}"
+
+POLICY_PATCH="${FILESDIR}/fix-make-gpg-optional-r8.patch"
diff --git a/sec-policy/selinux-chromium/selinux-chromium-2.20120725-r8.ebuild b/sec-policy/selinux-chromium/selinux-chromium-2.20120725-r8.ebuild
index fe71d8c..80d7d4f 100644
--- a/sec-policy/selinux-chromium/selinux-chromium-2.20120725-r8.ebuild
+++ b/sec-policy/selinux-chromium/selinux-chromium-2.20120725-r8.ebuild
@@ -12,3 +12,7 @@ inherit selinux-policy-2
DESCRIPTION="SELinux policy for chromium"
KEYWORDS="~amd64 ~x86"
+DEPEND="${DEPEND}
+ sec-policy/selinux-xserver
+"
+RDEPEND="${DEPEND}"
diff --git a/sec-policy/selinux-mplayer/selinux-mplayer-2.20120725-r8.ebuild b/sec-policy/selinux-mplayer/selinux-mplayer-2.20120725-r8.ebuild
index 2728c70..588c7e3 100644
--- a/sec-policy/selinux-mplayer/selinux-mplayer-2.20120725-r8.ebuild
+++ b/sec-policy/selinux-mplayer/selinux-mplayer-2.20120725-r8.ebuild
@@ -12,3 +12,7 @@ inherit selinux-policy-2
DESCRIPTION="SELinux policy for mplayer"
KEYWORDS="~amd64 ~x86"
+DEPEND="${DEPEND}
+ sec-policy/selinux-xserver
+"
+RDEPEND="${DEPEND}"
diff --git a/sec-policy/selinux-nginx/files/fix-tunable-names-r8.patch b/sec-policy/selinux-nginx/files/fix-tunable-names-r8.patch
new file mode 100644
index 0000000..3a5b69f
--- /dev/null
+++ b/sec-policy/selinux-nginx/files/fix-tunable-names-r8.patch
@@ -0,0 +1,42 @@
+--- contrib.orig/nginx.te 2012-11-24 19:52:13.439337617 +0100
++++ contrib/nginx.te 2012-11-24 18:34:57.565327680 +0100
+@@ -124,33 +124,33 @@
+ sysnet_dns_name_resolve(nginx_t)
+
+
+-tunable_policy(`gentoo_nginx_enable_http_server',`
++tunable_policy(`nginx_enable_http_server',`
+ corenet_tcp_bind_http_port(nginx_t)
+ apache_read_all_content(nginx_t)
+ apache_manage_all_rw_content(nginx_t)
+ ')
+
+ # We enable both binding and connecting, since nginx acts here as a reverse proxy
+-tunable_policy(`gentoo_nginx_enable_imap_server',`
++tunable_policy(`nginx_enable_imap_server',`
+ corenet_tcp_bind_pop_port(nginx_t)
+ corenet_tcp_connect_pop_port(nginx_t)
+ ')
+
+-tunable_policy(`gentoo_nginx_enable_pop3_server',`
++tunable_policy(`nginx_enable_pop3_server',`
+ corenet_tcp_bind_pop_port(nginx_t)
+ corenet_tcp_connect_pop_port(nginx_t)
+ ')
+
+-tunable_policy(`gentoo_nginx_enable_smtp_server',`
++tunable_policy(`nginx_enable_smtp_server',`
+ corenet_tcp_bind_smtp_port(nginx_t)
+ corenet_tcp_connect_smtp_port(nginx_t)
+ ')
+
+-tunable_policy(`gentoo_nginx_can_network_connect_http',`
++tunable_policy(`nginx_can_network_connect_http',`
+ corenet_tcp_connect_http_port(nginx_t)
+ ')
+
+-tunable_policy(`gentoo_nginx_can_network_connect',`
++tunable_policy(`nginx_can_network_connect',`
+ corenet_tcp_connect_all_ports(nginx_t)
+ ')
+
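Review bot: `nginx_enable_imap_server` and `nginx_enable_pop3_server` keep identical bodies after the rename (both grant `corenet_tcp_bind_pop_port(nginx_t)` and `corenet_tcp_connect_pop_port(nginx_t)`), so the two booleans are not independent: switching one off while the other is on removes no access. If that is intended because the pop port type also covers the IMAP ports (I believe it does in the reference policy, but please confirm), a comment such as `# pop_port_t covers POP3 and IMAP ports; same access as nginx_enable_pop3_server` would make it explicit. Separately, the matching `gen_tunable` declarations are outside the hunk, so check that all six new names are declared there. Any boolean values persisted under the old `gentoo_nginx_*` names would likely not carry over to the new names.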
diff --git a/sec-policy/selinux-nginx/selinux-nginx-2.20120725-r8.ebuild b/sec-policy/selinux-nginx/selinux-nginx-2.20120725-r8.ebuild
index 33dbef2..61fec2a 100644
--- a/sec-policy/selinux-nginx/selinux-nginx-2.20120725-r8.ebuild
+++ b/sec-policy/selinux-nginx/selinux-nginx-2.20120725-r8.ebuild
@@ -16,3 +16,5 @@ DEPEND="${DEPEND}
sec-policy/selinux-apache
"
RDEPEND="${DEPEND}"
+
+POLICY_PATCH="${FILESDIR}/fix-tunable-names-r8.patch"
diff --git a/sec-policy/selinux-virt/files/fix-qemu-is-optional-r8.patch b/sec-policy/selinux-virt/files/fix-qemu-is-optional-r8.patch
new file mode 100644
index 0000000..08db031
--- /dev/null
+++ b/sec-policy/selinux-virt/files/fix-qemu-is-optional-r8.patch
@@ -0,0 +1,15 @@
+--- contrib/virt.te 2012-11-25 20:32:20.060892255 +0100
++++ contrib/virt.te 2012-11-25 20:31:23.778880957 +0100
+@@ -281,7 +281,11 @@
+ userdom_search_user_home_dirs(virt_domain)
+ userdom_read_all_users_state(virt_domain)
+
+-qemu_exec(virt_domain)
++ifdef(`distro_gentoo',`
++ optional_policy(`
++ qemu_exec(virt_domain)
++ ')
++')
+
+ tunable_policy(`virt_use_execmem',`
+ allow virt_domain self:process { execmem execstack };
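Review bot: The `ifdef` on `distro_gentoo` around `qemu_exec(virt_domain)` is not needed to make the call optional; `optional_policy` alone does that, which is how the apache patch in this commit handles the gpg interfaces. As written, a build without `distro_gentoo` defined drops the rule entirely, which matters if this is ever sent upstream. When the qemu module is absent, virt_domain presumably loses the access `qemu_exec` grants without any build error, so the gap would only surface as AVC denials at run time. A comment like `# qemu module is optional; without it virt_domain cannot execute qemu binaries` next to the block would record that.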
diff --git a/sec-policy/selinux-virt/selinux-virt-2.20120725-r8.ebuild b/sec-policy/selinux-virt/selinux-virt-2.20120725-r8.ebuild
index a11ad0e..5c5389f 100644
--- a/sec-policy/selinux-virt/selinux-virt-2.20120725-r8.ebuild
+++ b/sec-policy/selinux-virt/selinux-virt-2.20120725-r8.ebuild
@@ -12,3 +12,4 @@ inherit selinux-policy-2
DESCRIPTION="SELinux policy for virt"
KEYWORDS="~amd64 ~x86"
+POLICY_PATCH="${FILESDIR}/fix-qemu-is-optional-r8.patch"