public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/system/
@ 2012-12-08 12:41 Sven Vermeulen
From: Sven Vermeulen @ 2012-12-08 12:41 UTC
  To: gentoo-commits

commit:     c88699fa4b3a4dcbbfbe4e9b04a57f485cf9b773
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Dec  8 12:38:20 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Dec  8 12:38:20 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c88699fa

Updates on stunnel policy

Allow the stunnel init script to read the stunnel configuration (needed to find
out where the PID file will be).

Also allow stunnel to read generic certificates (for instance when providing the
CA certificate for mutual authentication purposes).

Allow stunnel to bind on any port (name_bind privilege) as the primary purpose
of stunnel is to provide encrypted tunneling regardless of the underlying
service.

---
 policy/modules/contrib/stunnel.if |   21 +++++++++++++++++++++
 policy/modules/contrib/stunnel.te |    6 ++++++
 policy/modules/system/init.te     |    6 ++++++
 3 files changed, 33 insertions(+), 0 deletions(-)

diff --git a/policy/modules/contrib/stunnel.if b/policy/modules/contrib/stunnel.if
index 47fea00..94758b2 100644
--- a/policy/modules/contrib/stunnel.if
+++ b/policy/modules/contrib/stunnel.if
@@ -23,3 +23,24 @@ interface(`stunnel_service_domain',`
 	domtrans_pattern(stunnel_t, $2, $1)
 	allow $1 stunnel_t:tcp_socket rw_socket_perms;
 ')
+
+# Gentoo specific code, but I cannot use ifdef distro_gentoo in if files
+
+########################################
+## <summary>
+##	Read the stunnel configuration
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`stunnel_read_config',`
+	gen_require(`
+		type stunnel_etc_t;
+	')
+
+	files_search_etc($1)
+	read_files_pattern($1, stunnel_etc_t, stunnel_etc_t)
+')
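Review bot: the interface carries no Gentoo gating (as the comment at the top of the hunk says, ifdef(`distro_gentoo') cannot be used in .if files), so stunnel_read_config is a public interface in every build even though its only caller sits under ifdef(`distro_gentoo') in init.te; that is the usual workaround, but it means the interface should be proposed upstream rather than marked Gentoo-only forever. One style point: the summaries "Read the stunnel configuration" and "Domain allowed access" lack the trailing period used in the other interface documentation on this list (compare the alsa_write_lib block), which the doc generator expects to be consistent.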

diff --git a/policy/modules/contrib/stunnel.te b/policy/modules/contrib/stunnel.te
index bdfee61..deb0bdc 100644
--- a/policy/modules/contrib/stunnel.te
+++ b/policy/modules/contrib/stunnel.te
@@ -104,3 +104,9 @@ gen_require(`
 	type stunnel_port_t;
 ')
 allow stunnel_t stunnel_port_t:tcp_socket name_bind;
+
+ifdef(`distro_gentoo',`
+	corenet_tcp_bind_all_ports(stunnel_t)
+
+	miscfiles_read_generic_certs(stunnel_t)
+')
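Review bot: corenet_tcp_bind_all_ports(stunnel_t) grants name_bind on every port type, including ports reserved for other services, so on Gentoo it makes the `allow stunnel_t stunnel_port_t:tcp_socket name_bind;` rule two lines above redundant and removes the port-level containment for a daemon that terminates TLS for arbitrary backends. If the goal is to let an administrator run stunnel on any port, wrapping the call in a gen_tunable/tunable_policy pair that defaults to off keeps the default policy tight while preserving the flexibility the commit message describes. miscfiles_read_generic_certs(stunnel_t) is appropriate for the CA-certificate case and needs no gating.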

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 4306768..e71d117 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -913,3 +913,9 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
+
+ifdef(`distro_gentoo',`
+	optional_policy(`
+		stunnel_read_config(initrc_t)
+	')
+')


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/system/
@ 2017-05-07 17:41 Jason Zaman
From: Jason Zaman @ 2017-05-07 17:41 UTC
  To: gentoo-commits

commit:     9f3d195fffbd77c7d116aaec94cac4724d82ca19
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun May  7 17:05:55 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun May  7 17:06:27 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9f3d195f

Remove duplicate fcontexts that were merged upstream

 policy/modules/contrib/cron.fc    | 2 +-
 policy/modules/contrib/ntp.fc     | 1 -
 policy/modules/contrib/vnstatd.fc | 1 -
 policy/modules/system/udev.fc     | 2 --
 4 files changed, 1 insertion(+), 5 deletions(-)

diff --git a/policy/modules/contrib/cron.fc b/policy/modules/contrib/cron.fc
index e1b3e7b3..ea6a0da8 100644
--- a/policy/modules/contrib/cron.fc
+++ b/policy/modules/contrib/cron.fc
@@ -4,7 +4,7 @@
 /etc/crontab	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
 
 /usr/bin/anacron	--	gen_context(system_u:object_r:anacron_exec_t,s0)
-/usr/bin/at	--	gen_context(system_u:object_r:crontab_exec_t,s0)
+#/usr/bin/at	--	gen_context(system_u:object_r:crontab_exec_t,s0)
 /usr/bin/atd	--	gen_context(system_u:object_r:crond_exec_t,s0)
 /usr/bin/cron(d)?	--	gen_context(system_u:object_r:crond_exec_t,s0)
 /usr/bin/fcron	--	gen_context(system_u:object_r:crond_exec_t,s0)
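Review bot: the /usr/bin/at entry is commented out rather than deleted, unlike every other entry this commit removes, and the commit message does not say why. If it is kept as a reminder that /usr/bin/at is labelled at_exec_t by at.fc (the crontab_exec_t label here would conflict with that entry), a one-line comment stating so would help; otherwise delete the line so the file does not carry a dead entry that looks like a pending re-enable.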

diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index 903c131c..9c8c35c9 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -39,7 +39,6 @@
 /run/ntpd\.sock	-s	gen_context(system_u:object_r:ntpd_var_run_t,s0)
 
 ifdef(`distro_gentoo',`
-/usr/bin/sntp	--	gen_context(system_u:object_r:ntpdate_exec_t,s0)
 /var/lib/openntpd/ntpd.drift	--	gen_context(system_u:object_r:ntp_drift_t,s0)
 
 # hardlinked to ntpd

diff --git a/policy/modules/contrib/vnstatd.fc b/policy/modules/contrib/vnstatd.fc
index c3e1ad90..303f5009 100644
--- a/policy/modules/contrib/vnstatd.fc
+++ b/policy/modules/contrib/vnstatd.fc
@@ -14,5 +14,4 @@
 ifdef(`distro_gentoo',`
 # Fix bug 528602 - name is vnstatd in Gentoo
 /etc/rc\.d/init\.d/vnstatd	--	gen_context(system_u:object_r:vnstatd_initrc_exec_t,s0)
-/usr/bin/vnstatd	--	gen_context(system_u:object_r:vnstatd_exec_t,s0)
 ')

diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 68c047c1..84705e32 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -48,8 +48,6 @@ ifdef(`distro_gentoo',`
 /usr/lib/udev/udevd	--	gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/lib/udev/rules\.d(/.*)?	gen_context(system_u:object_r:udev_rules_t,s0)
 
-/usr/bin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
-
 /usr/lib/ConsoleKit/udev-acl	--	gen_context(system_u:object_r:udev_exec_t,s0)
 
 /run/udev/rules\.d(/.*)?	gen_context(system_u:object_r:udev_rules_t,s0)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/system/
@ 2017-02-16 11:34 Jason Zaman
From: Jason Zaman @ 2017-02-16 11:34 UTC
  To: gentoo-commits

commit:     0daaba932bdff924e1e9bbb75d258b49ab21bb4a
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Feb  5 15:07:38 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb  5 15:10:31 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0daaba93

transition gentoo-specific fcontexts to /run

commit c80ffeb4cb306cebeb849844203d53c3a576bcab
Author: cgzones <cgzones <AT> googlemail.com>
Date:   Sat Dec 17 04:17:52 2016

    transition file contexts to /run

updated the fcontexts for upstream. This commit updates the rest of the
missing fcontexts.

 policy/modules/contrib/at.fc             |  2 +-
 policy/modules/contrib/ceph.fc           | 12 ++++++------
 policy/modules/contrib/cgmanager.fc      |  6 +++---
 policy/modules/contrib/dirsrv.fc         |  4 ++--
 policy/modules/contrib/networkmanager.fc |  2 +-
 policy/modules/contrib/ntp.fc            |  2 +-
 policy/modules/contrib/phpfpm.fc         |  4 ++--
 policy/modules/contrib/qemu.fc           |  2 +-
 policy/modules/contrib/resolvconf.fc     |  2 +-
 policy/modules/contrib/salt.fc           | 10 +++++-----
 policy/modules/contrib/subsonic.fc       |  2 +-
 policy/modules/contrib/uwsgi.fc          |  4 +++-
 policy/modules/contrib/vde.fc            |  2 +-
 policy/modules/system/init.fc            |  2 +-
 policy/modules/system/lvm.fc             |  2 +-
 policy/modules/system/sysnetwork.fc      |  4 ++--
 policy/modules/system/tmpfiles.fc        |  2 +-
 policy/modules/system/udev.fc            |  4 ++--
 18 files changed, 35 insertions(+), 33 deletions(-)

diff --git a/policy/modules/contrib/at.fc b/policy/modules/contrib/at.fc
index ba2e7a13..b3cf1863 100644
--- a/policy/modules/contrib/at.fc
+++ b/policy/modules/contrib/at.fc
@@ -3,7 +3,7 @@
 /usr/bin/at	--	gen_context(system_u:object_r:at_exec_t,s0)
 /usr/sbin/atd	--	gen_context(system_u:object_r:atd_exec_t,s0)
 
-/var/run/atd\.pid	--	gen_context(system_u:object_r:atd_var_run_t,s0)
+/run/atd\.pid	--	gen_context(system_u:object_r:atd_var_run_t,s0)
 
 /var/spool/at(/.*)?	gen_context(system_u:object_r:at_spool_t,s0)
 /var/spool/at/atjobs(/.*)?	gen_context(system_u:object_r:at_job_t,s0)
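Review bot: this and the following hunks keep only the /run form of each path. That is correct as long as /var/run is a symlink to /run, which the relabelling tools resolve; on a host where /var/run is still a separate directory these PID files and sockets lose their specific label after the change. The commit message could state that assumption, and existing files under /run need a relabel (restorecon) after the policy update before the new contexts take effect.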

diff --git a/policy/modules/contrib/ceph.fc b/policy/modules/contrib/ceph.fc
index 1548b1e3..8e2e1799 100644
--- a/policy/modules/contrib/ceph.fc
+++ b/policy/modules/contrib/ceph.fc
@@ -1,7 +1,7 @@
 #
 # /etc
 #
-/etc/ceph(/.*)?		gen_context(system_u:object_r:ceph_conf_t,s0)
+/etc/ceph(/.*)?			gen_context(system_u:object_r:ceph_conf_t,s0)
 /etc/ceph/.*\.secret	--	gen_context(system_u:object_r:ceph_key_t,s0)
 /etc/ceph/.*\.keyring	--	gen_context(system_u:object_r:ceph_key_t,s0)
 /etc/rc\.d/init\.d/ceph.*	gen_context(system_u:object_r:ceph_initrc_exec_t,s0)
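Review bot: this hunk changes only whitespace on the /etc/ceph line (one tab added for alignment) and is unrelated to the /var/run to /run transition the commit message describes; either drop it or mention the realignment in the message so the diff does not surprise someone bisecting fcontext changes.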
@@ -23,8 +23,8 @@
 
 /var/log/ceph(/.*)?		gen_context(system_u:object_r:ceph_log_t,s0)
 
-/var/run/ceph	-d	gen_context(system_u:object_r:ceph_var_run_t,s0)
-/var/run/ceph/ceph-osd.*		gen_context(system_u:object_r:ceph_osd_var_run_t,s0)
-/var/run/ceph/ceph-mon.*		gen_context(system_u:object_r:ceph_mon_var_run_t,s0)
-/var/run/ceph/ceph-mds.*		gen_context(system_u:object_r:ceph_mds_var_run_t,s0)
-/var/run/ceph/mds.*	--	gen_context(system_u:object_r:ceph_mds_var_run_t,s0)
+/run/ceph		-d	gen_context(system_u:object_r:ceph_var_run_t,s0)
+/run/ceph/ceph-osd.*		gen_context(system_u:object_r:ceph_osd_var_run_t,s0)
+/run/ceph/ceph-mon.*		gen_context(system_u:object_r:ceph_mon_var_run_t,s0)
+/run/ceph/ceph-mds.*		gen_context(system_u:object_r:ceph_mds_var_run_t,s0)
+/run/ceph/mds.*		--	gen_context(system_u:object_r:ceph_mds_var_run_t,s0)

diff --git a/policy/modules/contrib/cgmanager.fc b/policy/modules/contrib/cgmanager.fc
index 17c6f882..d53e92f5 100644
--- a/policy/modules/contrib/cgmanager.fc
+++ b/policy/modules/contrib/cgmanager.fc
@@ -4,6 +4,6 @@
 
 /sys/fs/cgroup/cgmanager(/.*)?		gen_context(system_u:object_r:cgmanager_cgroup_t,s0)
 
-/var/run/cgmanager(/.*)?		gen_context(system_u:object_r:cgmanager_run_t,s0)
-/var/run/cgmanager.pid			gen_context(system_u:object_r:cgmanager_run_t,s0)
-/var/run/cgmanager/fs(/.*)?		<<none>>
+/run/cgmanager(/.*)?			gen_context(system_u:object_r:cgmanager_run_t,s0)
+/run/cgmanager.pid			gen_context(system_u:object_r:cgmanager_run_t,s0)
+/run/cgmanager/fs(/.*)?			<<none>>

diff --git a/policy/modules/contrib/dirsrv.fc b/policy/modules/contrib/dirsrv.fc
index f7590a03..88b1a6eb 100644
--- a/policy/modules/contrib/dirsrv.fc
+++ b/policy/modules/contrib/dirsrv.fc
@@ -6,7 +6,7 @@
 /var/lock/dirsrv(/.*)?	gen_context(system_u:object_r:dirsrv_var_lock_t,s0)
 /var/log/dirsrv(/.*)?	gen_context(system_u:object_r:dirsrv_var_log_t,s0)
 /var/log/dirsrv/ldap-agent.log	gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0)
-/var/run/dirsrv(/.*)?	gen_context(system_u:object_r:dirsrv_var_run_t,s0)
-/var/run/ldap-agent.pid	gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0)
+/run/dirsrv(/.*)?	gen_context(system_u:object_r:dirsrv_var_run_t,s0)
+/run/ldap-agent.pid	gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0)
 
 /etc/dirsrv(/.*)?	gen_context(system_u:object_r:dirsrv_config_t,s0)

diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc
index d24e9f0c..fe5f8b4c 100644
--- a/policy/modules/contrib/networkmanager.fc
+++ b/policy/modules/contrib/networkmanager.fc
@@ -44,4 +44,4 @@
 /run/nm-dns-dnsmasq\.conf	--	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 /run/wpa_supplicant(/.*)?	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 /run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-/var/run/wpa_cli-.*		--	gen_context(system_u:object_r:wpa_cli_var_run_t,s0)
+/run/wpa_cli-.*		--	gen_context(system_u:object_r:wpa_cli_var_run_t,s0)

diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index a5a1ac6d..16428bc2 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -28,7 +28,7 @@
 /var/log/xntpd.*	--	gen_context(system_u:object_r:ntpd_log_t,s0)
 
 /run/ntpd\.pid	--	gen_context(system_u:object_r:ntpd_var_run_t,s0)
-/var/run/ntpd\.sock	-s	gen_context(system_u:object_r:ntpd_var_run_t,s0)
+/run/ntpd\.sock	-s	gen_context(system_u:object_r:ntpd_var_run_t,s0)
 
 ifdef(`distro_gentoo',`
 /usr/bin/sntp	--	gen_context(system_u:object_r:ntpdate_exec_t,s0)

diff --git a/policy/modules/contrib/phpfpm.fc b/policy/modules/contrib/phpfpm.fc
index 51da02a9..dd00177a 100644
--- a/policy/modules/contrib/phpfpm.fc
+++ b/policy/modules/contrib/phpfpm.fc
@@ -1,5 +1,5 @@
 /usr/lib(64)?/php.*/bin/php-fpm		gen_context(system_u:object_r:phpfpm_exec_t,s0)
-/var/run/php*-fpm/*.sock		gen_context(system_u:object_r:phpfpm_var_run_t,s0)
+/run/php*-fpm/*.sock			gen_context(system_u:object_r:phpfpm_var_run_t,s0)
 
 /var/log/php-fpm.log			gen_context(system_u:object_r:phpfpm_log_t,s0)
-/var/run/php-fpm.pid			gen_context(system_u:object_r:phpfpm_var_run_t,s0)
+/run/php-fpm.pid			gen_context(system_u:object_r:phpfpm_var_run_t,s0)
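Review bot: since both lines are being rewritten anyway, fix the patterns while touching them: fcontext entries are regular expressions, not globs, so in `/run/php*-fpm/*.sock` the `php*` matches "ph" followed by any number of "p", the `/*` matches any number of slashes and the unescaped `.` matches a single arbitrary character, so a socket named www.sock is not matched at all. `/run/php[^/]*-fpm/[^/]*\.sock` and `/run/php-fpm\.pid` express the intended paths (compare the escaped `\.pid` in the at.fc hunk above). The same unescaped dot appears in cgmanager.pid, ldap-agent.pid and qemu-ga.pid in earlier hunks and in tmpfiles.d in a later one.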

diff --git a/policy/modules/contrib/qemu.fc b/policy/modules/contrib/qemu.fc
index cfb18ece..db9ff368 100644
--- a/policy/modules/contrib/qemu.fc
+++ b/policy/modules/contrib/qemu.fc
@@ -13,5 +13,5 @@ ifdef(`distro_gentoo',`
 /var/log/qemu-ga.log	--	gen_context(system_u:object_r:qemu_ga_log_t,s0)
 /var/log/qemu-ga(/.*)?	--	gen_context(system_u:object_r:qemu_ga_log_t,s0)
 
-/var/run/qemu-ga.pid	--	gen_context(system_u:object_r:qemu_ga_run_t,s0)
+/run/qemu-ga.pid	--	gen_context(system_u:object_r:qemu_ga_run_t,s0)
 ')

diff --git a/policy/modules/contrib/resolvconf.fc b/policy/modules/contrib/resolvconf.fc
index 7db4cb82..651bbe0a 100644
--- a/policy/modules/contrib/resolvconf.fc
+++ b/policy/modules/contrib/resolvconf.fc
@@ -4,4 +4,4 @@
 
 /usr/sbin/resolvconf	--	gen_context(system_u:object_r:resolvconf_exec_t,s0)
 
-/var/run/resolvconf(/.*)?       gen_context(system_u:object_r:resolvconf_var_run_t,s0)
+/run/resolvconf(/.*)?       gen_context(system_u:object_r:resolvconf_var_run_t,s0)

diff --git a/policy/modules/contrib/salt.fc b/policy/modules/contrib/salt.fc
index 22c2d13e..ccc8028f 100644
--- a/policy/modules/contrib/salt.fc
+++ b/policy/modules/contrib/salt.fc
@@ -16,11 +16,11 @@
 /var/log/salt/master	--	gen_context(system_u:object_r:salt_master_log_t,s0)
 /var/log/salt/minion	--	gen_context(system_u:object_r:salt_minion_log_t,s0)
 
-/var/run/salt	-d	gen_context(system_u:object_r:salt_var_run_t,s0)
-/var/run/salt/master(/.*)?	gen_context(system_u:object_r:salt_master_var_run_t,s0)
-/var/run/salt/minion(/.*)?	gen_context(system_u:object_r:salt_minion_var_run_t,s0)
-/var/run/salt-master\.pid	--	gen_context(system_u:object_r:salt_master_var_run_t,s0)
-/var/run/salt-minion\.pid	--	gen_context(system_u:object_r:salt_minion_var_run_t,s0)
+/run/salt	-d	gen_context(system_u:object_r:salt_var_run_t,s0)
+/run/salt/master(/.*)?	gen_context(system_u:object_r:salt_master_var_run_t,s0)
+/run/salt/minion(/.*)?	gen_context(system_u:object_r:salt_minion_var_run_t,s0)
+/run/salt-master\.pid	--	gen_context(system_u:object_r:salt_master_var_run_t,s0)
+/run/salt-minion\.pid	--	gen_context(system_u:object_r:salt_minion_var_run_t,s0)
 
 /var/cache/salt	-d	gen_context(system_u:object_r:salt_cache_t,s0)
 /var/cache/salt/master(/.*)?	gen_context(system_u:object_r:salt_master_cache_t,s0)

diff --git a/policy/modules/contrib/subsonic.fc b/policy/modules/contrib/subsonic.fc
index b1d2550c..df15d39e 100644
--- a/policy/modules/contrib/subsonic.fc
+++ b/policy/modules/contrib/subsonic.fc
@@ -3,4 +3,4 @@
 
 /var/lib/subsonic(/.*)?				gen_context(system_u:object_r:subsonic_var_lib_t,s0)
 
-/var/run/subsonic(/.*)?				gen_context(system_u:object_r:subsonic_run_t,s0)
+/run/subsonic(/.*)?				gen_context(system_u:object_r:subsonic_run_t,s0)

diff --git a/policy/modules/contrib/uwsgi.fc b/policy/modules/contrib/uwsgi.fc
index 7d2210b0..2cf031c1 100644
--- a/policy/modules/contrib/uwsgi.fc
+++ b/policy/modules/contrib/uwsgi.fc
@@ -2,8 +2,10 @@
 
 /usr/bin/uwsgi.*				--	gen_context(system_u:object_r:uwsgi_exec_t,s0)
 
+/run/uwsgi(/.*)?					gen_context(system_u:object_r:uwsgi_run_t,s0)
+
 /var/log/uwsgi(/.*)?					gen_context(system_u:object_r:uwsgi_var_log_t,s0)
-/var/run/uwsgi(/.*)?					gen_context(system_u:object_r:uwsgi_run_t,s0)
+
 /var/www/wsgi/.*\.so				--	gen_context(system_u:object_r:uwsgi_content_exec_t,s0)
 /var/www/wsgi/.*/bin/.*					gen_context(system_u:object_r:uwsgi_content_exec_t,s0)
 /var/www/wsgi(/.*)?					gen_context(system_u:object_r:uwsgi_content_t,s0)

diff --git a/policy/modules/contrib/vde.fc b/policy/modules/contrib/vde.fc
index d449e06d..fa0b6b28 100644
--- a/policy/modules/contrib/vde.fc
+++ b/policy/modules/contrib/vde.fc
@@ -1,5 +1,5 @@
 /etc/rc\.d/init\.d/vde	--	gen_context(system_u:object_r:vde_initrc_exec_t,s0)
 /usr/bin/vde_switch	--	gen_context(system_u:object_r:vde_exec_t,s0)
 /usr/sbin/vde_tunctl	--	gen_context(system_u:object_r:vde_exec_t,s0)
-/var/run/vde\.ctl(/.*)?		gen_context(system_u:object_r:vde_var_run_t,s0)
+/run/vde\.ctl(/.*)?		gen_context(system_u:object_r:vde_var_run_t,s0)
 /tmp/vde.[0-9-]*	-s	gen_context(system_u:object_r:vde_tmp_t,s0)

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 19a953f9..1fb15ae0 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -94,5 +94,5 @@ ifdef(`distro_gentoo',`
 #
 /var/lib/ip6?tables(/.*)?		gen_context(system_u:object_r:initrc_tmp_t,s0)
 
-/var/run/openrc(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
+/run/openrc(/.*)?			gen_context(system_u:object_r:initrc_state_t,s0)
 ')

diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
index 3fc24cc0..e50ce47a 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
@@ -101,7 +101,7 @@ ifdef(`distro_gentoo',`
 ifdef(`distro_gentoo',`
 # Bug 529430 comment 7
 /usr/sbin/lvmetad		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/var/run/lvm(/.*)?		gen_context(system_u:object_r:lvm_var_run_t,s0)
+/run/lvm(/.*)?				gen_context(system_u:object_r:lvm_var_run_t,s0)
 
 # Bug 529430 comment 8
 /usr/sbin/dmeventd		--	gen_context(system_u:object_r:lvm_exec_t,s0)

diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index 2c93c410..a2329a85 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -73,6 +73,6 @@ ifdef(`distro_debian',`
 
 ifdef(`distro_gentoo',`
 /usr/lib/dhcpcd/dhcpcd-run-hooks	--	gen_context(system_u:object_r:dhcpc_script_exec_t,s0)
-/var/run/dhcpcd\.sock	-s	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
-/var/run/dhcpcd\.unpriv\.sock	-s	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
+/run/dhcpcd\.sock			-s	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
+/run/dhcpcd\.unpriv\.sock		-s	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 ')

diff --git a/policy/modules/system/tmpfiles.fc b/policy/modules/system/tmpfiles.fc
index 3f9b2b88..47fd4b8c 100644
--- a/policy/modules/system/tmpfiles.fc
+++ b/policy/modules/system/tmpfiles.fc
@@ -1,6 +1,6 @@
 
 /etc/tmpfiles.d(/.*)?				gen_context(system_u:object_r:tmpfiles_conf_t,s0)
-/var/run/tmpfiles.d(/.*)?			gen_context(system_u:object_r:tmpfiles_var_run_t,s0)
+/run/tmpfiles.d(/.*)?				gen_context(system_u:object_r:tmpfiles_var_run_t,s0)
 
 /usr/lib/rc/bin/checkpath			--	gen_context(system_u:object_r:tmpfiles_exec_t,s0)
 /usr/lib/rc/sh/tmpfiles.sh			--	gen_context(system_u:object_r:tmpfiles_exec_t,s0)

diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index de646705..709d8330 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -49,6 +49,6 @@ ifdef(`distro_gentoo',`
 
 /usr/lib/ConsoleKit/udev-acl	--	gen_context(system_u:object_r:udev_exec_t,s0)
 
-/var/run/udev/rules\.d(/.*)?	gen_context(system_u:object_r:udev_rules_t,s0)
-/var/run/udev/data(/.*)?	gen_context(system_u:object_r:udev_tbl_t,s0)
+/run/udev/rules\.d(/.*)?	gen_context(system_u:object_r:udev_rules_t,s0)
+/run/udev/data(/.*)?		gen_context(system_u:object_r:udev_tbl_t,s0)
 ')


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/system/
@ 2016-12-06 12:26 Jason Zaman
From: Jason Zaman @ 2016-12-06 12:26 UTC
  To: gentoo-commits

commit:     3d4dc1aadb5f62f59194b634bcf64ac7abbef9dd
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Sun Nov 27 14:36:22 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 27 14:39:26 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3d4dc1aa

modutils.if: Remove obsolete modutils_list_module_config

This interface is a custom gentoo addition and is solely used by the
dracut policy. However, the permissions it grants have been added to the
modutils_read_module_config interface back in 2012 (commit e74b098).

 policy/modules/contrib/dracut.te  |  1 -
 policy/modules/system/modutils.if | 24 ------------------------
 2 files changed, 25 deletions(-)

diff --git a/policy/modules/contrib/dracut.te b/policy/modules/contrib/dracut.te
index d61e49e..f2f3df6 100644
--- a/policy/modules/contrib/dracut.te
+++ b/policy/modules/contrib/dracut.te
@@ -52,7 +52,6 @@ libs_exec_lib_files(dracut_t)
 
 miscfiles_read_localization(dracut_t)
 
-modutils_list_module_config(dracut_t) #find /etc/modprobe.d
 modutils_read_module_config(dracut_t)
 modutils_read_module_deps(dracut_t)
 

diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index a5222e2..d4d6f55 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -39,30 +39,6 @@ interface(`modutils_read_module_deps',`
 
 ########################################
 ## <summary>
-##	List the module configuration option files
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`modutils_list_module_config',`
-	gen_require(`
-		type modules_conf_t;
-	')
-
-	# This file type can be in /etc or
-	# /lib(64)?/modules
-	files_search_etc($1)
-	files_search_boot($1)
-
-	list_dirs_pattern($1, modules_conf_t, modules_conf_t)
-')
-
-########################################
-## <summary>
 ##	Read the configuration options used when
 ##	loading modules.
 ## </summary>
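Review bot: deleting the interface outright makes any out-of-tree module that still calls modutils_list_module_config fail at build time. Since the commit message states that dracut was the only user and the interface was a Gentoo-only addition, that is probably acceptable, but the refpolicy convention for retiring an interface is to leave a stub that calls refpolicywarn(`$0($*) has been deprecated, please use modutils_read_module_config() instead.') for a release before removing it, and the commit message could mention that no deprecation period was kept.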


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/system/
@ 2014-07-15 16:16 Sven Vermeulen
From: Sven Vermeulen @ 2014-07-15 16:16 UTC
  To: gentoo-commits

commit:     cdb454ef832509e56baed5d22fb7d5d267be869c
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jul 15 16:10:32 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jul 15 16:12:41 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cdb454ef

init_daemon_run_dir ==> init_daemon_pid_file

init_daemon_run_dir has been deprecated; it should be
replaced with init_daemon_pid_file instead.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

---
 policy/modules/contrib/apache.te   | 4 ++--
 policy/modules/contrib/clamav.te   | 2 +-
 policy/modules/contrib/ldap.te     | 2 +-
 policy/modules/system/authlogin.te | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index f39b6ca..5570175 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1434,8 +1434,8 @@ ifdef(`distro_gentoo',`
 ## </desc>
 gen_tunable(hiawatha_httpd, false)
 
-init_daemon_run_dir(httpd_var_run_t, "apache_ssl_mutex")
-init_daemon_run_dir(httpd_var_run_t, "apache2")
+init_daemon_pid_file(httpd_var_run_t, dir, "apache_ssl_mutex")
+init_daemon_pid_file(httpd_var_run_t, dir, "apache2")
 
 tunable_policy(`hiawatha_httpd',`
 	# bug 513362

diff --git a/policy/modules/contrib/clamav.te b/policy/modules/contrib/clamav.te
index 34e3f61..5e74354 100644
--- a/policy/modules/contrib/clamav.te
+++ b/policy/modules/contrib/clamav.te
@@ -323,5 +323,5 @@ optional_policy(`
 ')
 
 ifdef(`distro_gentoo',`
-	init_daemon_run_dir(clamd_var_run_t, "clamav")
+	init_daemon_pid_file(clamd_var_run_t, dir, "clamav")
 ')

diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
index 0f65384..2a2dfd0 100644
--- a/policy/modules/contrib/ldap.te
+++ b/policy/modules/contrib/ldap.te
@@ -150,7 +150,7 @@ optional_policy(`
 ')
 
 ifdef(`distro_gentoo',`
-	init_daemon_run_dir(slapd_var_run_t, "openldap")
+	init_daemon_pid_file(slapd_var_run_t, dir, "openldap")
 
 	########################################
 	#

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 06db47e..984fe54 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -466,5 +466,5 @@ optional_policy(`
 ')
 
 ifdef(`distro_gentoo',`
-	init_daemon_run_dir(pam_var_run_t, "sepermit")
+	init_daemon_pid_file(pam_var_run_t, dir, "sepermit")
 ')


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/system/
@ 2014-06-25 19:59 Sven Vermeulen
From: Sven Vermeulen @ 2014-06-25 19:59 UTC
  To: gentoo-commits

commit:     9dafa9a3a637709131e17d7cab38d29afd45a796
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Jun 25 19:58:15 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Jun 25 19:58:15 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9dafa9a3

Add NetworkManager_t and dhcpc_t as resolvconf clients

---
 policy/modules/contrib/networkmanager.te | 11 +++++++++++
 policy/modules/system/sysnetwork.te      |  4 ++++
 2 files changed, 15 insertions(+)

diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index a4a45c0..f70479a 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -367,6 +367,17 @@ miscfiles_read_localization(wpa_cli_t)
 term_dontaudit_use_console(wpa_cli_t)
 
 ifdef(`distro_gentoo',`
+	#
+	# NetworkManager_t policy
+	#
+
+	optional_policy(`
+		resolvconf_client_domain(NetworkManager_t)
+	')
+
+	#
+	# wpa_cli_t policy
+	#
 	manage_files_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t)
 	files_pid_filetrans(wpa_cli_t, wpa_cli_var_run_t, file)
 

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 3f79de9..945ffb5 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -406,4 +406,8 @@ ifdef(`distro_gentoo',`
 	# Fixes bug 468878
 	files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, sock_file)
 	allow dhcpc_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+	optional_policy(`
+		resolvconf_client_domain(dhcpc_t)
+	')
 ')


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/system/
@ 2013-12-17  8:52 Sven Vermeulen
From: Sven Vermeulen @ 2013-12-17  8:52 UTC
  To: gentoo-commits

commit:     9f77e8ffa96b88b03bab2d2cee834c666de5a6b1
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Dec 17 08:50:17 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Dec 17 08:50:17 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9f77e8ff

Fix bug #489572 Add in daemon rundirs for automated file transitions

Various daemon init scripts use the tmpfiles feature to set up the run
directories. By default, this would create those directories with the
initrc_var_run_t type, which is incorrect.

We add in the necessary init_daemon_run_dir() statements to
automatically have the right context set.

---
 policy/modules/contrib/apache.te   | 3 +++
 policy/modules/contrib/ldap.te     | 6 ++++++
 policy/modules/contrib/mysql.te    | 4 ++++
 policy/modules/system/authlogin.te | 4 ++++
 4 files changed, 17 insertions(+)

diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 4960a8b..5608148 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1421,4 +1421,7 @@ optional_policy(`
 ifdef(`distro_gentoo',`
 	attribute httpd_ra_content;
 	attribute httpd_rw_content;
+
+	init_daemon_run_dir(httpd_var_run_t, "apache_ssl_mutex")
+	init_daemon_run_dir(httpd_var_run_t, "apache2")
 ')

diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
index 7629d1e..d2d5e94 100644
--- a/policy/modules/contrib/ldap.te
+++ b/policy/modules/contrib/ldap.te
@@ -150,6 +150,12 @@ optional_policy(`
 ')
 
 ifdef(`distro_gentoo',`
+	init_daemon_rundir(slapd_var_run_t, "openldap")
+
+	########################################
+	#
+	# Local slapd_t policy
+	#
 	allow slapd_t self:process signal;
 	allow slapd_t self:unix_stream_socket listen;
 

diff --git a/policy/modules/contrib/mysql.te b/policy/modules/contrib/mysql.te
index 7584bbe..d425838 100644
--- a/policy/modules/contrib/mysql.te
+++ b/policy/modules/contrib/mysql.te
@@ -258,3 +258,7 @@ files_search_var_lib(mysqlmanagerd_t)
 miscfiles_read_localization(mysqlmanagerd_t)
 
 userdom_search_user_home_dirs(mysqlmanagerd_t)
+
+ifdef(`distro_gentoo',`
+	init_daemon_run_dir(mysqld_var_run_t, "mysqld")
+')

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 1e0390f..4f4116e 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -464,3 +464,7 @@ optional_policy(`
 	samba_read_var_files(nsswitch_domain)
 	samba_dontaudit_write_var_files(nsswitch_domain)
 ')
+
+ifdef(`distro_gentoo',`
+	init_daemon_rundir(pam_var_run_t, "sepermit")
+')
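Review bot: init_daemon_rundir here does not match the init_daemon_run_dir name used in the apache.te and mysql.te hunks and in the commit message; rename it so the build does not stop on an undefined interface.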


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/system/
@ 2013-02-11 19:52 Sven Vermeulen
From: Sven Vermeulen @ 2013-02-11 19:52 UTC
  To: gentoo-commits

commit:     7f3b569f4994552e4eeec980a3aa292de991b2eb
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Feb 11 19:50:21 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Feb 11 19:50:21 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7f3b569f

Allow initrc_t to write to alsa OSS compat files

While saving and reloading the previously stored ALSA OSS state, initrc_t
needs to write this state in the /var/lib/alsa/oss/card* files.

18:45 < amade> SwifT: I blame you for my lack of music... cp: cannot create regular file /var/lib/alsa/oss/card0_pcm0c:
               Permission denied
18:45 <@SwifT> amade: music is overrated
18:45 < amade> Feb 11 19:43:59 lain kernel: [16008.582246] type=1400 audit(1360608239.978:61): avc:  denied  { write } for
               pid=19411 comm="cp" name="card0_pcm0c" dev="dm-0" ino=6706162 scontext=system_u:system_r:initrc_t
               tcontext=system_u:object_r:alsa_var_lib_t tclass=file

---
 policy/modules/contrib/alsa.if |   21 +++++++++++++++++++++
 policy/modules/system/init.te  |    4 ++++
 2 files changed, 25 insertions(+), 0 deletions(-)

diff --git a/policy/modules/contrib/alsa.if b/policy/modules/contrib/alsa.if
index f46c4a2..7d2e33a 100644
--- a/policy/modules/contrib/alsa.if
+++ b/policy/modules/contrib/alsa.if
@@ -286,3 +286,24 @@ interface(`alsa_domain',`
 	allow $1 alsadomain:shm rw_shm_perms;
 	allow $1 alsatmpfsfile:file rw_file_perms;
 ')
+
+# Gentoo specific for now, but cannot use ifdef distro_gentoo in an interface
+
+########################################
+## <summary>
+##	Write Alsa lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`alsa_write_lib',`
+	gen_require(`
+		type alsa_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	write_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+')
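Review bot: `write_files_pattern` only covers writing files that already exist, while the quoted denial comes from cp, which will also need `create` on alsa_var_lib_t (and add_name on the directory) the first time a card* state file is written; `manage_files_pattern`, or at least an added `create_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)`, avoids a second round of denials on a fresh install. The interface name `alsa_write_lib` also drops the object noun the other interfaces on this page carry (`samba_read_var_files`, `cron_write_log_files`); `alsa_write_lib_files` would match that convention.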

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index e6754cd..f91f807 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -927,6 +927,10 @@ ifdef(`distro_gentoo',`
 	logging_delete_devlog_socket(initrc_t)
 
 	optional_policy(`
+		alsa_write_lib(initrc_t)
+	')
+
+	optional_policy(`
 		mysql_setattr_run_dirs(initrc_t)
 	')
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/system/
@ 2012-12-31 23:19 Sven Vermeulen
  0 siblings, 0 replies; 20+ messages in thread
From: Sven Vermeulen @ 2012-12-31 23:19 UTC (permalink / raw
  To: gentoo-commits

commit:     2e34d4ed1a88947b99dc82d88f1e5e0b0f026211
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Dec 31 17:24:39 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Dec 31 17:24:39 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2e34d4ed

Create file transition for ld.so.cache~

When portage calls ldconfig (which runs in the portage domain, so no transition
occurs), ldconfig creates the ld.so.cache~ file (which later gets renamed to
ld.so.cache). As this file would then be labeled as etc_t, this results in a
wrongly labeled ld.so.cache file.

Introduce a file transition for ld.so.cache~ so that this comes through
correctly.

---
 policy/modules/contrib/portage.te  |    7 +++++++
 policy/modules/system/libraries.if |   33 +++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+), 0 deletions(-)

diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 5a1e463..dd5c0d0 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -383,6 +383,13 @@ ifdef(`distro_gentoo',`
 
 	##########################################
 	#
+	# Portage local policy
+	#
+
+	libs_generic_etc_filetrans_ld_so_cache(portage_t, file, "ld.so.cache~")
+
+	##########################################
+	#
 	# Portage sandbox local policy
 	#
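Review bot: `files_etc_filetrans` supplies the type_transition and the etc_t directory permissions, but portage_t also needs to create, write and rename ld_so_cache_t files for the ldconfig step described in the commit message to succeed, and nothing in this hunk shows that grant; confirm it is already present before merging. The call is also placed directly above the "Portage sandbox local policy" header: if ldconfig runs inside the sandbox domain during builds, portage_sandbox_t needs the same transition.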
 

diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
index 808ba93..41a44f3 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -534,3 +534,36 @@ interface(`lib_filetrans_shared_lib',`
 interface(`files_lib_filetrans_shared_lib',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
+
+# This is gentoo specific but cannot use ifdef distro_gentoo here
+
+########################################
+## <summary>
+##	Create an object in etc with a type transition to
+##	the ld_so_cache_t type
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Class of the resource for which a type transition occurs.
+##	This is usually file as ld_so_cache is currently not used
+##	for any other resources.
+##	</summary>
+## </param>
+## <param name="filename" optional="true">
+##	<summary>
+##	Name of the resource created for which a type transition occurs
+##	</summary>
+## </param>
+#
+interface(`libs_generic_etc_filetrans_ld_so_cache',`
+	gen_require(`
+		type ld_so_cache_t;
+	')
+
+	files_etc_filetrans($1, ld_so_cache_t, $2, $3)
+')
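Review bot: the documentation of the new interface is inconsistent with its neighbours: the summary, the `domain` summary and the `filename` summary lack the trailing period, and the `filename` parameter is declared `optional="true"` without saying so in its text, unlike the `(optional)` wording used in the authlogin.if interfaces further down this page. The `# This is gentoo specific` comment would be more useful inside the `<desc>` of the interface so it survives in the generated documentation.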


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/system/
@ 2012-12-08 12:40 Sven Vermeulen
  0 siblings, 0 replies; 20+ messages in thread
From: Sven Vermeulen @ 2012-12-08 12:40 UTC (permalink / raw
  To: gentoo-commits

commit:     c3b8252a4d7ff12412a2245155d4316bcab8c756
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Dec  7 17:27:39 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Dec  7 17:57:26 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c3b8252a

Remove gentoo-only pam_console_data support

We introduced the pam_console_data support earlier on, but a new and upstreamed
patch obsoletes it (and has a different naming usage).

---
 policy/modules/contrib/consolekit.te |    2 +-
 policy/modules/system/authlogin.if   |   48 ----------------------------------
 2 files changed, 1 insertions(+), 49 deletions(-)

diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index 5dce1a8..c5dbccb 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -81,7 +81,7 @@ userdom_read_user_tmp_files(consolekit_t)
 
 ifdef(`distro_gentoo',`
 	# consolekit daemon creates /var/run/console for tagfiles
-	auth_generic_run_filetrans_pam_console_data(consolekit_t, dir, "console")
+	auth_pid_filetrans_pam_console_data(consolekit_t, dir, "console")
 	auth_create_pam_console_data_dirs(consolekit_t)
 
 	optional_policy(`
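Review bot: the unchanged context line `auth_create_pam_console_data_dirs(consolekit_t)` keeps calling an interface that the authlogin.if hunk of this same commit deletes; this only builds if the upstreamed patch the commit message refers to defines an interface of exactly that name, which the diff does not show. Confirm that, or rename this call together with the filetrans one.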

diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index fea1b6e..8225390 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -1102,36 +1102,6 @@ interface(`auth_list_pam_console_data',`
 
 ########################################
 ## <summary>
-##	Automatically transition when a resource is created in the generic run
-##	location (/var/run or /run) to the pam console data label
-##	(pam_var_console_t).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access
-##	</summary>
-## </param>
-## <param name="class">
-##	<summary>
-##	Class of the resource created
-##	</summary>
-## </param>
-## <param name="filename" optional="true">
-##	<summary>
-##	Name of the resource created (optional).
-##	</summary>
-## </param>
-#
-interface(`auth_generic_run_filetrans_pam_console_data',`
-	gen_require(`
-		type pam_var_console_t;
-	')
-
-	files_pid_filetrans($1, pam_var_console_t, $2, $3)
-')
-
-########################################
-## <summary>
 ##	Create pam var console pid directories.
 ## </summary>
 ## <param name="domain">
@@ -1189,24 +1159,6 @@ interface(`auth_read_pam_console_data',`
 
 ########################################
 ## <summary>
-##	Create pam console data directories
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access
-##	</summary>
-## </param>
-#
-interface(`auth_create_pam_console_data_dirs',`
-	gen_require(`
-		type pam_var_console_t;
-	')
-
-	allow $1 pam_var_console_t:dir create_dir_perms;
-')
-
-########################################
-## <summary>
 ##	Create, read, write, and delete
 ##	pam_console data files.
 ## </summary>


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/system/
@ 2012-12-07 17:28 Sven Vermeulen
  0 siblings, 0 replies; 20+ messages in thread
From: Sven Vermeulen @ 2012-12-07 17:28 UTC (permalink / raw
  To: gentoo-commits

commit:     b5bbb70f93b06cfea73f0ce3e4876b1a513a79c3
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Dec  7 17:27:39 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Dec  7 17:27:39 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b5bbb70f

Remove gentoo-only pam_console_data support

We introduced the pam_console_data support earlier on, but a new and upstreamed
patch obsoletes it (and has a different naming usage).

---
 policy/modules/contrib/consolekit.te |    2 +-
 policy/modules/system/authlogin.if   |   48 ----------------------------------
 2 files changed, 1 insertions(+), 49 deletions(-)

diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index 5dce1a8..c5dbccb 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -81,7 +81,7 @@ userdom_read_user_tmp_files(consolekit_t)
 
 ifdef(`distro_gentoo',`
 	# consolekit daemon creates /var/run/console for tagfiles
-	auth_generic_run_filetrans_pam_console_data(consolekit_t, dir, "console")
+	auth_pid_filetrans_pam_console_data(consolekit_t, dir, "console")
 	auth_create_pam_console_data_dirs(consolekit_t)
 
 	optional_policy(`
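Review bot: same observation as for c3b8252a, which re-pushes this identical diff half an hour later: the unchanged `auth_create_pam_console_data_dirs(consolekit_t)` call survives while the authlogin.if hunk below removes the interface of that name, so the build depends on the upstream patch providing it.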

diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index fea1b6e..8225390 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -1102,36 +1102,6 @@ interface(`auth_list_pam_console_data',`
 
 ########################################
 ## <summary>
-##	Automatically transition when a resource is created in the generic run
-##	location (/var/run or /run) to the pam console data label
-##	(pam_var_console_t).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access
-##	</summary>
-## </param>
-## <param name="class">
-##	<summary>
-##	Class of the resource created
-##	</summary>
-## </param>
-## <param name="filename" optional="true">
-##	<summary>
-##	Name of the resource created (optional).
-##	</summary>
-## </param>
-#
-interface(`auth_generic_run_filetrans_pam_console_data',`
-	gen_require(`
-		type pam_var_console_t;
-	')
-
-	files_pid_filetrans($1, pam_var_console_t, $2, $3)
-')
-
-########################################
-## <summary>
 ##	Create pam var console pid directories.
 ## </summary>
 ## <param name="domain">
@@ -1189,24 +1159,6 @@ interface(`auth_read_pam_console_data',`
 
 ########################################
 ## <summary>
-##	Create pam console data directories
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access
-##	</summary>
-## </param>
-#
-interface(`auth_create_pam_console_data_dirs',`
-	gen_require(`
-		type pam_var_console_t;
-	')
-
-	allow $1 pam_var_console_t:dir create_dir_perms;
-')
-
-########################################
-## <summary>
 ##	Create, read, write, and delete
 ##	pam_console data files.
 ## </summary>


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/system/
@ 2012-11-12 21:30 Sven Vermeulen
  0 siblings, 0 replies; 20+ messages in thread
From: Sven Vermeulen @ 2012-11-12 21:30 UTC (permalink / raw
  To: gentoo-commits

commit:     d049175602c7f2b6650030039276b6bb99d10757
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Nov 12 21:26:26 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Nov 12 21:26:26 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d0491756

Introduce syslogmanaged attribute

The syslogmanaged attribute is assigned to types that are used as target system
log managed log files. When assigned, the system logger has manage privileges on
the type. The privileges are both on file and directory level.

Modules can enable this by marking their filetype with
"logging_syslog_managed_log_file" or "logging_syslog_managed_log_dir". The first
option is the type, the second one is an (optional) name to use for the file or
directory for a proper file transition.

For instance, for cron (also part of this commit):

type cron_log_t;
logging_syslog_managed_log_file(cron_log_t, "cron.log")

This will create the following transition:
type_transition syslogd_t var_log_t : file cron_log_t "cron.log";

Using logging_syslog_managed_log_dir will do the same, but on directory level.

See also https://bugs.gentoo.org/show_bug.cgi?id=440128

---
 policy/modules/contrib/cron.te   |    2 +
 policy/modules/system/logging.if |   69 ++++++++++++++++++++++++++++++++++++++
 policy/modules/system/logging.te |    6 +++
 3 files changed, 77 insertions(+), 0 deletions(-)

diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index d6af321..5460980 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -124,6 +124,8 @@ mta_system_content(user_cron_spool_t)
 ifdef(`distro_gentoo',`
 	domain_interactive_fd(cronjob_t)
 	domain_interactive_fd(system_cronjob_t)
+
+	logging_syslog_managed_log_file(cron_log_t, "cron.log")
 ')
 
 ifdef(`enable_mcs',`

diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 857e07d..6bd6586 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -1104,3 +1104,72 @@ interface(`logging_admin',`
 	logging_admin_audit($1, $2)
 	logging_admin_syslog($1, $2)
 ')
+
+########################################
+## <summary>
+##	Mark the type as a syslog managed log file
+##	and introduce the proper file transition when
+##	created by the system logger in the generic
+##	log directory
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to mark as a syslog managed log file
+##	</summary>
+## </param>
+## <param name="filename" optional="true">
+##	<summary>
+##	Name to use for the file
+##	</summary>
+## </param>
+#
+interface(`logging_syslog_managed_log_file',`
+	gen_require(`
+		attribute syslogmanaged;
+		type syslogd_t;
+	')
+
+	typeattribute $1 syslogmanaged;
+
+	logging_log_file($1)
+	logging_log_filetrans(syslogd_t, $1, file, $2)
+')
+
+########################################
+## <summary>
+##	Mark the type as a syslog managed log dir
+##	and introduce the proper file transition when
+##	created by the system logger in the generic
+##	log directory
+## </summary>
+## <desc>
+##	<p>
+##	Once set, the system logger is able to fully
+##	manage files and directory of the given type.
+##	You do not need to use logging_syslog_managed_file
+##	anymore (unless a file name transition is needed
+##	for that as well).
+##	</p>
+## </desc>
+## <param name="type">
+##	<summary>
+##	Type to mark as a syslog managed log dir
+##	</summary>
+## </param>
+## <param name="filename" optional="true">
+##	<summary>
+##	Name to use for the directory
+##	</summary>
+## </param>
+#
+interface(`logging_syslog_managed_log_dir',`
+	gen_require(`
+		attribute syslogmanaged;
+		type syslogd_t;
+	')
+
+	typeattribute $1 syslogmanaged;
+
+	logging_log_file($1)
+	logging_log_filetrans(syslogd_t, $1, dir, $2)
+')
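Review bot: the `<desc>` of `logging_syslog_managed_log_dir` refers to `logging_syslog_managed_file`, but the interface defined above it is `logging_syslog_managed_log_file`; fix the name. Both interfaces `gen_require` the `syslogmanaged` attribute, which the logging.te hunk declares only inside `ifdef(`distro_gentoo',`...')`, so any caller outside such a block (the cron.te call is inside one) fails to link; either declare the attribute unconditionally or state the Gentoo-only constraint in the interface documentation, as the alsa.if and libraries.if interfaces on this page do in a comment.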

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 7a4250e..08f66fb 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -86,6 +86,10 @@ ifdef(`enable_mls',`
 	init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
 ')
 
+ifdef(`distro_gentoo',`
+	attribute syslogmanaged;
+')
+
 ########################################
 #
 # Auditctl local policy
@@ -470,6 +474,8 @@ userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
 userdom_dontaudit_search_user_home_dirs(syslogd_t)
 
 ifdef(`distro_gentoo',`
+	manage_dirs_pattern(syslogd_t, syslogmanaged, syslogmanaged)
+	manage_files_pattern(syslogd_t, syslogmanaged, syslogmanaged)
 	# default gentoo syslog-ng config appends kernel
 	# and high priority messages to /dev/tty12
 	term_append_unallocated_ttys(syslogd_t)
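Review bot: `manage_dirs_pattern`/`manage_files_pattern` give syslogd_t unlink and rename on every syslogmanaged type, which is wider than commit 47e52f40 in this thread argued for ("system loggers are not meant to remove log files"); if full manage is now intended, the commit message should say why. With cron_log_t carrying the attribute, the four `cron_*` calls that commit added further down in this same `distro_gentoo` block (`cron_create_log_files`, `cron_generic_log_filetrans_log`, `cron_setattr_log_files`, `cron_write_log_files`) become redundant and could be dropped here.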


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/system/
@ 2012-10-29 18:41 Sven Vermeulen
  0 siblings, 0 replies; 20+ messages in thread
From: Sven Vermeulen @ 2012-10-29 18:41 UTC (permalink / raw
  To: gentoo-commits

commit:     47e52f4053dbb7f6c1c8e87ca1281138ae9fdd50
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Oct 29 18:36:58 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Oct 29 18:36:58 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=47e52f40

Fixing cron access

Update the system logger policy to not allow write access on all possible log
files (too many log types are marked as logfile even though many of them are not
meant to be managed by the system logger). Instead, we use specific rights - in
this case for the cron log file.

Introduce a named file transition for when the system logger creates the initial
cron.log file. Also allow the write, setattr and create rights. We don't
implement full _manage_ rights as system loggers are not meant to remove log
files (unless someone points me to a use case for that).

---
 policy/modules/contrib/cron.if   |   83 ++++++++++++++++++++++++++++++++++++++
 policy/modules/system/logging.te |    7 ++-
 2 files changed, 88 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if
index 2981f1f..e6259bd 100644
--- a/policy/modules/contrib/cron.if
+++ b/policy/modules/contrib/cron.if
@@ -409,6 +409,89 @@ interface(`cron_sigchld',`
 
 ########################################
 ## <summary>
+##	Set the attributes of cron log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_setattr_log_files',`
+	gen_require(`
+		type cron_log_t;
+	')
+
+	allow $1 cron_log_t:file setattr_file_perms;
+')
+
+########################################
+## <summary>
+##	Create cron log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_create_log_files',`
+	gen_require(`
+		type cron_log_t;
+	')
+
+	allow $1 cron_log_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Write to cron log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_write_log_files',`
+	gen_require(`
+		type cron_log_t;
+	')
+
+	allow $1 cron_log_t:file write_file_perms;
+')
+
+########################################
+## <summary>
+##	Create specified objects in generic
+##	log directories with the cron log file type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	Class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`cron_generic_log_filetrans_log',`
+	gen_require(`
+		type cron_log_t;
+	')
+
+	logging_log_filetrans($1, cron_log_t, $2, $3)
+')
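Review bot: `cron_write_log_files` grants `write_file_perms`, which does not include `append`; if the logger opens cron.log with O_APPEND the kernel checks `append` rather than `write`, so `append_file_perms` is both the least-privilege choice and the one that actually matches that open mode. The parameter names in `cron_generic_log_filetrans_log` (`object_class`, `name`) also differ from the author's other filetrans interfaces on this page (`class`, `filename`); settle on one convention.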
+
+########################################
+## <summary>
 ##	Read cron daemon unnamed pipes.
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 0e817b7..116b338 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -470,12 +470,15 @@ userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
 userdom_dontaudit_search_user_home_dirs(syslogd_t)
 
 ifdef(`distro_gentoo',`
-	allow syslogd_t logfile:file { write_file_perms setattr_file_perms };
-
 	# default gentoo syslog-ng config appends kernel
 	# and high priority messages to /dev/tty12
 	term_append_unallocated_ttys(syslogd_t)
 	term_dontaudit_setattr_unallocated_ttys(syslogd_t)
+
+	cron_create_log_files(syslogd_t)
+	cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
+	cron_setattr_log_files(syslogd_t)
+	cron_write_log_files(syslogd_t)
 ')
 
 ifdef(`distro_suse',`
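Review bot: the four `cron_*` calls are made from the base logging module without an `optional_policy(`...')` wrapper, unlike the other cross-module calls on this page (compare the `optional_policy` blocks in init.te); if the cron module is not built, the unresolved interface calls break the logging module. Wrap them in `optional_policy`.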


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/system/
@ 2012-08-29 18:48 Sven Vermeulen
  0 siblings, 0 replies; 20+ messages in thread
From: Sven Vermeulen @ 2012-08-29 18:48 UTC (permalink / raw
  To: gentoo-commits

commit:     4f610d3cc9efa86e4d975e76e7e600d1d97ed927
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 29 18:09:56 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug 29 18:09:56 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4f610d3c

Support tagfiles for consolekit

Gentoo currently still uses the pam-foreground compatibility, which causes
ConsoleKit to set tagfiles in the pam_console tag directory (/var/run/console).
As /var/run is dynamic nowadays, ConsoleKit also creates the directory.

Allow ConsoleKit to create such directory with the right file transition in
place.

See also sys-auth/consolekit files/pam-foreground-compat.ck

---
 policy/modules/contrib/consolekit.te |    3 ++
 policy/modules/system/authlogin.if   |   48 ++++++++++++++++++++++++++++++++++
 2 files changed, 51 insertions(+), 0 deletions(-)

diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te
index 516328a..383317e 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -58,7 +58,10 @@ mcs_ptrace_all(consolekit_t)
 
 term_use_all_terms(consolekit_t)
 
+# consolekit daemon creates /var/run/console for tagfiles
+auth_generic_run_filetrans_pam_console_data(consolekit_t, dir, "console")
 auth_use_nsswitch(consolekit_t)
+auth_create_pam_console_data_dirs(consolekit_t)
 auth_manage_pam_console_data(consolekit_t)
 auth_write_login_records(consolekit_t)
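Review bot: the two new calls break the alphabetical ordering of the auth_* block: `auth_create_pam_console_data_dirs` is inserted after `auth_use_nsswitch`, and the filetrans call with its comment lands ahead of both. Order them as `auth_create_...`, `auth_generic_...`, `auth_manage_...`, `auth_use_nsswitch`, `auth_write_...` so the block stays sorted and the comment sits on the call it explains.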
 

diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 8989233..405a9d1 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -1102,6 +1102,36 @@ interface(`auth_list_pam_console_data',`
 
 ########################################
 ## <summary>
+##	Automatically transition when a resource is created in the generic run
+##	location (/var/run or /run) to the pam console data label
+##	(pam_var_console_t).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Class of the resource created
+##	</summary>
+## </param>
+## <param name="filename" optional="true">
+##	<summary>
+##	Name of the resource created (optional).
+##	</summary>
+## </param>
+#
+interface(`auth_generic_run_filetrans_pam_console_data',`
+	gen_require(`
+		type pam_var_console_t;
+	')
+
+	files_pid_filetrans($1, pam_var_console_t, $2, $3)
+')
+
+########################################
+## <summary>
 ##	Relabel pam_console data directories.
 ## </summary>
 ## <param name="domain">
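Review bot: the interface name `auth_generic_run_filetrans_pam_console_data` does not follow the `*_pid_filetrans_*` naming that its own body uses (`files_pid_filetrans`) and that commit c3b8252a later on this page switches the caller to (`auth_pid_filetrans_pam_console_data`); naming it that way from the start would have avoided the rename and the Gentoo/upstream divergence.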
@@ -1140,6 +1170,24 @@ interface(`auth_read_pam_console_data',`
 
 ########################################
 ## <summary>
+##	Create pam console data directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`auth_create_pam_console_data_dirs',`
+	gen_require(`
+		type pam_var_console_t;
+	')
+
+	allow $1 pam_var_console_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete
 ##	pam_console data files.
 ## </summary>


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/system/
@ 2012-08-15 13:03 Sven Vermeulen
  0 siblings, 0 replies; 20+ messages in thread
From: Sven Vermeulen @ 2012-08-15 13:03 UTC (permalink / raw
  To: gentoo-commits

commit:     e71ecb4831f970f0755c123401096de1e07f3e2d
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Aug 14 16:28:12 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Aug 14 17:31:16 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e71ecb48

Use the newly introduced init_daemon_run_dir interface

Use the init_daemon_run_dir interface rather than the ping-pong-like game
between interfaces in order to allow initrc_t to create the run dirs of the
given daemons with the proper file transition.

---
 policy/modules/contrib/dbus.if  |    9 +++------
 policy/modules/contrib/dbus.te  |    1 +
 policy/modules/contrib/mysql.if |    9 +++------
 policy/modules/contrib/mysql.te |    1 +
 policy/modules/system/init.te   |    5 -----
 policy/modules/system/udev.if   |    9 +++------
 policy/modules/system/udev.te   |    1 +
 7 files changed, 12 insertions(+), 23 deletions(-)

diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if
index f0e21ac..96ba874 100644
--- a/policy/modules/contrib/dbus.if
+++ b/policy/modules/contrib/dbus.if
@@ -394,7 +394,8 @@ interface(`dbus_send_system_bus',`
 ########################################
 ## <summary>
 ##	Create resources in /run or /var/run with the system_dbusd_var_run_t
-##	label
+##	label. This method is deprecated in favor of the init_daemon_run_dir
+##	call.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -413,11 +414,7 @@ interface(`dbus_send_system_bus',`
 ## </param>
 #
 interface(`dbus_generic_pid_filetrans_system_dbusd_var_run',`
-	gen_require(`
-		type system_dbusd_var_run_t;
-	')
-
-	files_pid_filetrans($1, system_dbusd_var_run_t, $2, $3)
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################

diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 625cb32..05f2b89 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -35,6 +35,7 @@ files_type(system_dbusd_var_lib_t)
 
 type system_dbusd_var_run_t;
 files_pid_file(system_dbusd_var_run_t)
+init_daemon_run_dir(system_dbusd_var_run_t, "dbus")
 
 ifdef(`enable_mcs',`
 	init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
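Review bot: `init_daemon_run_dir(system_dbusd_var_run_t, "dbus")` is added unconditionally, while the later commit on this page that applies the same call to mysqld_var_run_t wraps it in `ifdef(`distro_gentoo',`...')`, which indicates the interface is Gentoo-specific. Wrapping it here, and in the mysql.te and udev.te hunks of this commit, keeps these contrib modules mergeable with upstream.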

diff --git a/policy/modules/contrib/mysql.if b/policy/modules/contrib/mysql.if
index da9b321..01ef7b5 100644
--- a/policy/modules/contrib/mysql.if
+++ b/policy/modules/contrib/mysql.if
@@ -350,7 +350,8 @@ interface(`mysql_create_run_dirs',`
 #######################################
 ## <summary>
 ##	Automatically use the MySQL run label for created resources in generic
-##	run locations
+##	run locations. This method is deprecated in favor of the
+##	init_daemon_run_dir call.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -370,11 +371,7 @@ interface(`mysql_create_run_dirs',`
 ## </param>
 #
 interface(`mysql_generic_run_filetrans_run',`
-	gen_require(`
-		type mysqld_var_run_t;
-	')
-
-	files_pid_filetrans($1, mysqld_var_run_t, $2, $3)
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################

diff --git a/policy/modules/contrib/mysql.te b/policy/modules/contrib/mysql.te
index 1cf05a3..d4206c9 100644
--- a/policy/modules/contrib/mysql.te
+++ b/policy/modules/contrib/mysql.te
@@ -22,6 +22,7 @@ init_daemon_domain(mysqld_safe_t, mysqld_safe_exec_t)
 
 type mysqld_var_run_t;
 files_pid_file(mysqld_var_run_t)
+init_daemon_run_dir(mysqld_var_run_t, "mysqld")
 
 type mysqld_db_t;
 files_type(mysqld_db_t)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index db0f013..e0ea2db 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -647,10 +647,8 @@ optional_policy(`
 
 optional_policy(`
 	dbus_connect_system_bus(initrc_t)
-	dbus_create_system_dbusd_var_run_dirs(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
-	dbus_generic_pid_filetrans_system_dbusd_var_run(initrc_t, dir, "dbus")
 
 	optional_policy(`
 		consolekit_dbus_chat(initrc_t)
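Review bot: besides the filetrans call, this hunk drops `dbus_create_system_dbusd_var_run_dirs(initrc_t)`, so `init_daemon_run_dir` must grant initrc_t `create_dir_perms` on the run type as well as the type_transition; the commit message claims this, but the interface body is not part of the diff, so it should be checked against a boot with dbus before merging.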
@@ -764,8 +762,6 @@ optional_policy(`
 	ifdef(`distro_redhat',`
 		mysql_manage_db_dirs(initrc_t)
 	')
-	mysql_create_run_dirs(initrc_t)
-	mysql_generic_run_filetrans_run(initrc_t, dir, "mysqld")
 	mysql_read_config(initrc_t)
 	mysql_setattr_run_dirs(initrc_t)
 	mysql_stream_connect(initrc_t)
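Review bot: `mysql_create_run_dirs(initrc_t)` is removed here while the mysql.if hunk only deprecates its filetrans sibling `mysql_generic_run_filetrans_run`; if `init_daemon_run_dir` supersedes both, deprecate `mysql_create_run_dirs` too, otherwise it lingers as an unused interface.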
@@ -862,7 +858,6 @@ optional_policy(`
 
 optional_policy(`
 	udev_create_db_dirs(initrc_t)
-	udev_generic_pid_filetrans_run_dirs(initrc_t, "udev")
 	udev_pid_filetrans_db(initrc_t, dir, "rules.d")
 	udev_manage_pid_files(initrc_t)
 	udev_manage_pid_dirs(initrc_t)

diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 7423f26..e6409d2 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -296,7 +296,8 @@ interface(`udev_pid_filetrans_db',`
 
 ########################################
 ## <summary>
-##	Write dirs in /var/run with the udev_var_run file type
+##	Write dirs in /var/run with the udev_var_run file type.
+##	This method is deprecated in favor of the init_daemon_run_dir call.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -310,11 +311,7 @@ interface(`udev_pid_filetrans_db',`
 ## </param>
 #
 interface(`udev_generic_pid_filetrans_run_dirs',`
-	gen_require(`
-		type udev_var_run_t;
-	')
-
-	files_pid_filetrans($1, udev_var_run_t, dir, $2)
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index b4fbfef..a8fe208 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -25,6 +25,7 @@ files_type(udev_rules_t)
 
 type udev_var_run_t;
 files_pid_file(udev_var_run_t)
+init_daemon_run_dir(udev_var_run_t, "udev")
 
 ifdef(`enable_mcs',`
 	kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/system/
@ 2012-08-08 19:37 Sven Vermeulen
  0 siblings, 0 replies; 20+ messages in thread
From: Sven Vermeulen @ 2012-08-08 19:37 UTC (permalink / raw
  To: gentoo-commits

commit:     353e82c7125c6f53b8605cc40d119d66406ac7b3
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Jul 31 17:35:15 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Jul 31 17:35:15 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=353e82c7

Allow init to setattr on mysqld dir

---
 policy/modules/contrib/mysql.if |   18 ++++++++++++++++++
 policy/modules/system/init.te   |    1 +
 2 files changed, 19 insertions(+), 0 deletions(-)

diff --git a/policy/modules/contrib/mysql.if b/policy/modules/contrib/mysql.if
index 19ea188..949b0b2 100644
--- a/policy/modules/contrib/mysql.if
+++ b/policy/modules/contrib/mysql.if
@@ -313,6 +313,24 @@ interface(`mysql_search_pid_files',`
 
 #######################################
 ## <summary>
+##	Set the attributes of the MySQL run directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`mysql_setattr_run_dirs',`
+	gen_require(`
+		type mysqld_var_run_t;
+	')
+
+	search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
+')
+
+#######################################
+## <summary>
 ##	Create MySQL run directories
 ## </summary>
 ## <param name="domain">
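Review bot: `mysql_setattr_run_dirs` does not grant setattr: its body, `search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)`, is a copy of the `mysql_search_pid_files` body and only allows search, so the new `mysql_setattr_run_dirs(initrc_t)` call in init.te will not clear a setattr denial on the mysqld run directory. Replace the body with `allow $1 mysqld_var_run_t:dir setattr_dir_perms;`.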

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 56bfca9..fcb537b 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -762,6 +762,7 @@ optional_policy(`
 	mysql_create_run_dirs(initrc_t)
 	mysql_generic_run_filetrans_run(initrc_t, dir, "mysqld")
 	mysql_read_config(initrc_t)
+	mysql_setattr_run_dirs(initrc_t)
 	mysql_stream_connect(initrc_t)
 	mysql_write_log(initrc_t)
 ')


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/system/
@ 2012-07-24  9:24 Sven Vermeulen
From: Sven Vermeulen @ 2012-07-24 09:24 UTC
  To: gentoo-commits

commit:     8c1ff02f727be2bb89983948b4fc64e2aedff870
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Jul 24 09:23:50 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Jul 24 09:23:50 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8c1ff02f

Adding run support from init to mysql dir

---
 policy/modules/contrib/mysql.if |   48 +++++++++++++++++++++++++++++++++++++++
 policy/modules/system/init.te   |    5 ++-
 2 files changed, 51 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/mysql.if b/policy/modules/contrib/mysql.if
index e9c0982..19ea188 100644
--- a/policy/modules/contrib/mysql.if
+++ b/policy/modules/contrib/mysql.if
@@ -311,6 +311,54 @@ interface(`mysql_search_pid_files',`
 	search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
 ')
 
+#######################################
+## <summary>
+##	Create MySQL run directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`mysql_create_run_dirs',`
+	gen_require(`
+		type mysqld_var_run_t;
+	')
+
+	create_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
+')
+
+#######################################
+## <summary>
+##	Automatically use the MySQL run label for created resources in generic
+##	run locations
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="class">
+## 	<summary>
+##	Type of the resource created for which the automatic file transition
+##	should occur
+##	</summary>
+## </param>
+## <param name="filename" optional="true">
+## 	<summary>
+##	The name of the resource being created
+##	</summary>
+## </param>
+#
+interface(`mysql_generic_run_filetrans_run',`
+	gen_require(`
+		type mysqld_var_run_t;
+	')
+
+	files_pid_filetrans($1, mysqld_var_run_t, $2, $3)
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to administrate an mysql environment
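Review bot: two doc-comment lines in the `mysql_generic_run_filetrans_run` block, the `## 	<summary>` under the `class` and `filename` params, carry a space before the tab while the `domain` param block uses a bare tab; make the indentation consistent before this is submitted upstream. Passing the optional third argument straight through as `$3` to `files_pid_filetrans` is fine, since that interface takes an optional filename itself.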

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index bb6e95e..6b56b57 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -758,10 +758,11 @@ optional_policy(`
 	ifdef(`distro_redhat',`
 		mysql_manage_db_dirs(initrc_t)
 	')
-
+	mysql_create_run_dirs(initrc_t)
+	mysql_generic_run_filetrans_run(initrc_t, dir, "mysqld")
+	mysql_read_config(initrc_t)
 	mysql_stream_connect(initrc_t)
 	mysql_write_log(initrc_t)
-	mysql_read_config(initrc_t)
 ')
 
 optional_policy(`
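Review bot: the blank line that separated the `ifdef(`distro_redhat',` block from the unconditional calls is dropped here, leaving the closing `')` immediately followed by `mysql_create_run_dirs(initrc_t)`; keep a blank line after the nested block. Moving `mysql_read_config(initrc_t)` up keeps the calls in alphabetical order, which is correct.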


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/system/
@ 2012-07-17 17:15 Sven Vermeulen
From: Sven Vermeulen @ 2012-07-17 17:15 UTC
  To: gentoo-commits

commit:     8d99fd5c8373c47952996202078879a673c2e00b
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Jul 17 17:14:49 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Jul 17 17:14:49 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8d99fd5c

Allow init script to create (/var)/run/dbus

---
 policy/modules/contrib/dbus.if |   47 ++++++++++++++++++++++++++++++++++++++++
 policy/modules/system/init.te  |    2 +
 2 files changed, 49 insertions(+), 0 deletions(-)

diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if
index 57dd64b..f0e21ac 100644
--- a/policy/modules/contrib/dbus.if
+++ b/policy/modules/contrib/dbus.if
@@ -393,6 +393,53 @@ interface(`dbus_send_system_bus',`
 
 ########################################
 ## <summary>
+##	Create resources in /run or /var/run with the system_dbusd_var_run_t
+##	label
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Classes supported for the created resources
+##	</summary>
+## </param>
+## <param name="filename" optional="true">
+##	<summary>
+##	Optional file name used for the resource
+##	</summary>
+## </param>
+#
+interface(`dbus_generic_pid_filetrans_system_dbusd_var_run',`
+	gen_require(`
+		type system_dbusd_var_run_t;
+	')
+
+	files_pid_filetrans($1, system_dbusd_var_run_t, $2, $3)
+')
+
+########################################
+## <summary>
+##	Create directories with the system_dbusd_var_run_t label
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`dbus_create_system_dbusd_var_run_dirs',`
+	gen_require(`
+		type system_dbusd_var_run_t;
+	')
+
+	create_dirs_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
+')
+
+########################################
+## <summary>
 ##	Allow unconfined access to the system DBUS.
 ## </summary>
 ## <param name="domain">
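Review bot: the `class` parameter summary of `dbus_generic_pid_filetrans_system_dbusd_var_run` reads "Classes supported for the created resources", but the argument is the object class (or class set) on which the name transition applies; word it that way, and say in the interface summary that when `filename` is given the transition is limited to that name, since that restriction is what keeps the init.te call (`dir, "dbus"`) from relabelling every directory initrc_t creates under /run.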

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 4481731..bb6e95e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -641,8 +641,10 @@ optional_policy(`
 
 optional_policy(`
 	dbus_connect_system_bus(initrc_t)
+	dbus_create_system_dbusd_var_run_dirs(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
+	dbus_generic_pid_filetrans_system_dbusd_var_run(initrc_t, dir, "dbus")
 
 	optional_policy(`
 		consolekit_dbus_chat(initrc_t)



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/system/
@ 2012-07-12 20:02 Sven Vermeulen
From: Sven Vermeulen @ 2012-07-12 20:02 UTC
  To: gentoo-commits

commit:     5b5fe1e70e188beeef04718e2abd37009946d913
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Jul 12 20:02:32 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Jul 12 20:02:32 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5b5fe1e7

Use attribute (portage_eselect_domain) instead of enhancing the domains

---
 policy/modules/contrib/portage.if    |   10 +++-------
 policy/modules/contrib/portage.te    |   16 ++++++++++++++++
 policy/modules/system/selinuxutil.te |    2 +-
 3 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index c52cad2..367ed76 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -380,15 +380,11 @@ interface(`portage_dontaudit_rw_tmp_files',`
 #   marking the target binaries doesn't always work, since for python scripts the
 #   wrapper doesn't execute it, but treats the target as a library.
 #
-interface(`gentoo_portage_eselect_module',`
+interface(`portage_eselect_module',`
        gen_require(`
-               type portage_t;
+               attribute portage_eselect_domain;
        ')
-       allow $1 self:fifo_file { read write };
 
-       corecmd_exec_shell($1)  
-
-       # Support for /etc/env.d changes
-       files_manage_etc_runtime_files($1)
+       typeattribute $1 portage_eselect_domain;
 ')
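Review bot: the interface body, context and added lines alike, is indented with spaces while the rest of the policy uses tabs; since this hunk rewrites the body anyway, switch the `gen_require(` block and the `typeattribute $1 portage_eselect_domain;` line to tabs. Functionally the change is sound: the rules move to the attribute in portage.te, and the `type portage_t;` requirement that the old body never used goes away with it.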
 

diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 1f83dd8..8b46f52 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -29,6 +29,9 @@ gen_tunable(gentoo_wait_requests, false)
 
 attribute_role portage_roles;
 
+# Assigned to domains that are managed by eselect
+attribute portage_eselect_domain;
+
 type gcc_config_t;
 type gcc_config_exec_t;
 application_domain(gcc_config_t, gcc_config_exec_t)
@@ -365,3 +368,16 @@ ifdef(`hide_broken_symptoms',`
 	dontaudit portage_sandbox_t portage_cache_t:dir { setattr };
 	dontaudit portage_sandbox_t portage_cache_t:file { setattr write };
 ')
+
+##########################################
+#
+# Portage eselect module domain
+#
+
+allow portage_eselect_domain self:fifo_file { read write };
+
+corecmd_exec_shell(portage_eselect_domain)
+
+# Support for /etc/env.d changes
+files_manage_etc_runtime_files(portage_eselect_domain)
+
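Review bot: the hunk ends with an added empty line, leaving a trailing blank line at end of file; drop it. The section banner is also wider than the `########################################` banners used elsewhere in these modules. Otherwise the attribute block grants exactly what the interface granted before (self fifo read/write, shell execution, manage of etc runtime files), so no domain gains access through this refactor.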

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 748ef65..c489ed5 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -520,7 +520,7 @@ ifdef(`distro_ubuntu',`
 ')
 
 optional_policy(`
-	gentoo_portage_eselect_module(semanage_t)
+	portage_eselect_module(semanage_t)
 ')
 
 ########################################



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/system/
@ 2012-06-27 19:12 Sven Vermeulen
From: Sven Vermeulen @ 2012-06-27 19:12 UTC
  To: gentoo-commits

commit:     65c75e23dccd7c35b7ba50a5e8f1d094c0410c80
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Jun 27 19:11:14 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Jun 27 19:11:14 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=65c75e23

Rework and refactoring based on refpolicy feedback

---
 policy/modules/contrib/apache.if         |    2 +-
 policy/modules/contrib/dracut.fc         |    3 ++-
 policy/modules/contrib/dracut.if         |    8 +++-----
 policy/modules/contrib/dracut.te         |   29 ++++++++++-------------------
 policy/modules/contrib/networkmanager.te |    8 --------
 policy/modules/contrib/rpm.fc            |    3 +++
 policy/modules/system/libraries.te       |    4 ----
 policy/modules/system/modutils.if        |    9 ++++++---
 policy/modules/system/modutils.te        |    2 +-
 policy/modules/system/udev.if            |    2 ++
 10 files changed, 28 insertions(+), 42 deletions(-)

diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if
index a1d1905..6696f6b 100644
--- a/policy/modules/contrib/apache.if
+++ b/policy/modules/contrib/apache.if
@@ -479,7 +479,7 @@ interface(`apache_read_all_ra_content',`
 ## </param>
 ## <rolecap/>
 #
-interface(`apache_append_all_ra_content_files',`
+interface(`apache_append_all_ra_content',`
 	gen_require(`
 		attribute httpd_ra_content;
 	')
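Review bot: renaming `apache_append_all_ra_content_files` to `apache_append_all_ra_content` breaks any remaining caller of the old name, and the diffstat for this commit touches no other apache user; grep the policy tree for the old name before merging, or keep the old interface as a deprecated wrapper for one release.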

diff --git a/policy/modules/contrib/dracut.fc b/policy/modules/contrib/dracut.fc
index fca0d67..75533ca 100644
--- a/policy/modules/contrib/dracut.fc
+++ b/policy/modules/contrib/dracut.fc
@@ -1,4 +1,5 @@
 #
 # /usr
 #
-/usr/(s)?bin/dracut	--	gen_context(system_u:object_r:dracut_exec_t,s0)
+/usr/sbin/dracut	--	gen_context(system_u:object_r:dracut_exec_t,s0)
+/usr/bin/dracut	--	gen_context(system_u:object_r:dracut_exec_t,s0)

diff --git a/policy/modules/contrib/dracut.if b/policy/modules/contrib/dracut.if
index 929fffd..e8a0e53 100644
--- a/policy/modules/contrib/dracut.if
+++ b/policy/modules/contrib/dracut.if
@@ -46,7 +46,7 @@ interface(`dracut_run',`
 
 ########################################
 ## <summary>
-## 	Allow domain to manage dracut temporary files
+## 	Read/write dracut temporary files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -54,7 +54,7 @@ interface(`dracut_run',`
 ##	</summary>
 ## </param>
 #
-interface(`dracut_manage_tmp_files',`
+interface(`dracut_rw_tmp_files',`
 	gen_require(`
 		type dracut_tmp_t;
 	')
@@ -62,8 +62,6 @@ interface(`dracut_manage_tmp_files',`
 	files_search_var($1)
 	files_search_tmp($1)
 
-	manage_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
-	manage_dirs_pattern($1, dracut_tmp_t, dracut_tmp_t)
-	read_lnk_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
+	rw_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
 ')
 

diff --git a/policy/modules/contrib/dracut.te b/policy/modules/contrib/dracut.te
index 4bd6cb3..d61e49e 100644
--- a/policy/modules/contrib/dracut.te
+++ b/policy/modules/contrib/dracut.te
@@ -15,23 +15,27 @@ files_tmp_file(dracut_tmp_t)
 # Local policy
 #
 allow dracut_t self:process setfscreate;
+allow dracut_t self:capability dac_override;
 allow dracut_t self:fifo_file rw_fifo_file_perms;
 allow dracut_t self:unix_stream_socket create_stream_socket_perms;
 
 manage_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
-manage_lnk_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
 manage_dirs_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
-files_tmp_filetrans(dracut_t, dracut_tmp_t, { file lnk_file dir })
+manage_lnk_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
+manage_chr_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
+files_tmp_filetrans(dracut_t, dracut_tmp_t, dir)
 
 manage_files_pattern(dracut_t, dracut_var_log_t, dracut_var_log_t)
 logging_log_filetrans(dracut_t, dracut_var_log_t, file)
 
+kernel_read_messages(dracut_t)
 kernel_read_system_state(dracut_t)
 
 corecmd_exec_bin(dracut_t)
 corecmd_exec_shell(dracut_t)
-corecmd_read_all_executables(dracut_t)
+corecmd_mmap_all_executables(dracut_t)
 
+dev_read_kmsg(dracut_t)
 dev_read_sysfs(dracut_t)
 
 domain_use_interactive_fds(dracut_t)
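Review bot: `allow dracut_t self:capability dac_override;` is the broadest addition in this hunk and should carry a comment naming the operation that needs it. If the need is only reading files dracut_t cannot otherwise open while copying binaries and libraries into the image, `dac_read_search` is the narrower capability; if it is a write path, say so. The `files_tmp_filetrans` change from `{ file lnk_file dir }` to `dir` is fine: files and links are created inside the dracut_tmp_t directory and inherit its type.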
@@ -42,35 +46,22 @@ files_read_kernel_modules(dracut_t)
 files_read_usr_files(dracut_t)
 files_search_pids(dracut_t)
 
-fstools_exec(dracut_t)
-
-libs_domtrans_ldconfig(dracut_t)
+libs_exec_ldconfig(dracut_t)
 libs_exec_ld_so(dracut_t)
 libs_exec_lib_files(dracut_t)
 
 miscfiles_read_localization(dracut_t)
 
-modutils_exec_depmod(dracut_t)
-modutils_exec_insmod(dracut_t)
-modutils_list_module_config(dracut_t)
+modutils_list_module_config(dracut_t) #find /etc/modprobe.d
 modutils_read_module_config(dracut_t)
 modutils_read_module_deps(dracut_t)
 
-mount_exec(dracut_t)
-
-seutil_exec_setfiles(dracut_t)
-
-udev_exec(dracut_t)
 udev_read_rules_files(dracut_t)
 
+userdom_search_user_home_dirs(dracut_t)
 userdom_use_user_terminals(dracut_t)
 
 optional_policy(`
-	dmesg_exec(dracut_t)
-')
-
-optional_policy(`
-	lvm_exec(dracut_t)
 	lvm_read_config(dracut_t)
 ')
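Review bot: this hunk drops every exec interface for the tools dracut wraps (`fstools_exec`, `modutils_exec_depmod`, `modutils_exec_insmod`, `mount_exec`, `seutil_exec_setfiles`, `udev_exec`, `dmesg_exec`, `lvm_exec`) and leaves dracut_t with read/mmap access only. That matches dracut copying those binaries into the image rather than running them, but it belongs in the commit message, since any code path that does execute them is now denied. Also, the trailing `#find /etc/modprobe.d` comment after `modutils_list_module_config(dracut_t)` should sit on its own line above the call, with a space after the `#`, to match the comment style used elsewhere in the module.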
 

diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 8e89b43..1e1dab0 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -295,14 +295,6 @@ domain_use_interactive_fds(wpa_cli_t)
 files_read_etc_files(wpa_cli_t)
 files_search_pids(wpa_cli_t)
 
-fs_manage_tmpfs_dirs(wpa_cli_t)
-fs_manage_tmpfs_sockets(wpa_cli_t)
-fs_manage_tmpfs_sockets(NetworkManager_t)
-fs_rw_tmpfs_files(wpa_cli_t)
-fs_rw_tmpfs_files(NetworkManager_t)
-fs_search_tmpfs(wpa_cli_t)
-fs_search_tmpfs(NetworkManager_t)
-
 term_dontaudit_use_console(wpa_cli_t)
 
 getty_use_fds(wpa_cli_t)

diff --git a/policy/modules/contrib/rpm.fc b/policy/modules/contrib/rpm.fc
index b206bf6..b2a0b6a 100644
--- a/policy/modules/contrib/rpm.fc
+++ b/policy/modules/contrib/rpm.fc
@@ -7,6 +7,7 @@
 
 /usr/bin/yum 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
 
+/usr/libexec/packagekitd	--	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/libexec/yumDBUSBackend.py	--	gen_context(system_u:object_r:rpm_exec_t,s0)
 
 /usr/sbin/yum-complete-transaction --	gen_context(system_u:object_r:rpm_exec_t,s0)
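Review bot: labelling `/usr/libexec/packagekitd` as `rpm_exec_t` runs the PackageKit daemon in `rpm_t`, i.e. with the package manager's full privileges, and it is a long-running D-Bus activated service rather than an administrator-invoked tool. Say so in the commit message, since it widens what `rpm_t` covers, and check that the PackageKit cache and lib paths added in the next hunk are everything the daemon writes so nothing it leaves behind ends up with a generic label.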
@@ -27,9 +28,11 @@ ifdef(`distro_redhat', `
 /usr/sbin/up2date		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 ')
 
+/var/cache/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_cache_t,s0)
 /var/cache/yum(/.*)?			gen_context(system_u:object_r:rpm_var_cache_t,s0)
 
 /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/lib/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
 /var/lib/rpm(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
 /var/lib/yum(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
 

diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 50332d3..5a16f99 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -131,10 +131,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	dracut_manage_tmp_files(ldconfig_t)
-')
-
-optional_policy(`
 	puppet_rw_tmp(ldconfig_t)
 ')
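Review bot: removing `dracut_manage_tmp_files(ldconfig_t)` with no replacement is only correct together with the dracut.te change from `libs_domtrans_ldconfig` to `libs_exec_ldconfig`: ldconfig now runs inside dracut_t, so ldconfig_t no longer touches dracut_tmp_t. That dependency deserves a sentence in the commit message, because reverting either half alone breaks dracut's library handling.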
 

diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index 19d328a..ad5f878 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -39,7 +39,7 @@ interface(`modutils_read_module_deps',`
 
 ########################################
 ## <summary>
-##	List the module configuration option files 
+##	List the module configuration option files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -53,11 +53,14 @@ interface(`modutils_list_module_config',`
 		type modules_conf_t;
 	')
 
+	# This file type can be in /etc or
+	# /lib(64)?/modules
+	files_search_etc($1)
+	files_search_boot($1)
+
 	list_dirs_pattern($1, modules_conf_t, modules_conf_t)
 ')
 
-
-
 ########################################
 ## <summary>
 ##	Read the configuration options used when
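Review bot: the new comment says the type can live under `/lib(64)?/modules`, but the added call is `files_search_boot($1)`, which grants search on `boot_t` (`/boot`), not on the kernel modules tree; either the comment or the call is wrong, so please reconcile them. If the intent is reaching `/lib/modules`, `files_search_kernel_modules($1)` is the matching interface (with `libs_search_lib($1)` for the `/lib` component).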

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 43e99e5..78137a5 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -89,7 +89,7 @@ tunable_policy(`use_samba_home_dirs',`
 ')
 
 optional_policy(`
-	dracut_manage_tmp_files(depmod_t)
+	dracut_rw_tmp_files(depmod_t)
 ')
 
 optional_policy(`

diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 46c8e82..8f59ae9 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -184,6 +184,8 @@ interface(`udev_read_rules_files',`
 		type udev_rules_t;
 	')
 
+	files_search_etc($1) # /etc/udev/rules.d
+	udev_search_pids($1) # /run/udev/rules.d
 	read_files_pattern($1, udev_rules_t, udev_rules_t)
 ')
 



