public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
  2013-09-23 13:31 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2013-09-23  6:29 ` Sven Vermeulen
  0 siblings, 0 replies; 20+ messages in thread
From: Sven Vermeulen @ 2013-09-23  6:29 UTC
  To: gentoo-commits

commit:     1306dae79c45f570f9c5ecec1fbf2788a2f96ea6
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Thu Sep 19 17:11:58 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:26:37 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1306dae7

Remove duplicate rules due to addition of auth_use_nsswitch()

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/contrib/rpcbind.te | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index 31d9287..bad1939 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.6.0)
+policy_module(rpcbind, 1.6.1)
 
 ########################################
 #
@@ -62,7 +62,6 @@ corecmd_exec_shell(rpcbind_t)
 
 domain_use_interactive_fds(rpcbind_t)
 
-files_read_etc_files(rpcbind_t)
 files_read_etc_runtime_files(rpcbind_t)
 
 auth_use_nsswitch(rpcbind_t)
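Review bot: the removal of files_read_etc_files(rpcbind_t) only holds if auth_use_nsswitch(rpcbind_t), kept two lines below, actually grants generic reads of etc_t; the commit message asserts the duplication, but nsswitch_domain is primarily a name-service attribute (DNS, ypbind, ldap, sssd). If it does not cover etc_t, rpcbind_t loses its /etc read access and the next boot produces an etc_t read denial. Please verify against the nsswitch_domain block in authlogin.te before merging; the sysnet_dns_name_resolve() and nis_use_ypbind() removals in the following hunk are the unambiguous duplicates.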
@@ -70,9 +69,3 @@ auth_use_nsswitch(rpcbind_t)
 logging_send_syslog_msg(rpcbind_t)
 
 miscfiles_read_localization(rpcbind_t)
-
-sysnet_dns_name_resolve(rpcbind_t)
-
-optional_policy(`
-	nis_use_ypbind(rpcbind_t)
-')


^ permalink raw reply related	[flat|nested] 20+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
@ 2013-09-23  6:29 Sven Vermeulen
  0 siblings, 0 replies; 20+ messages in thread
From: Sven Vermeulen @ 2013-09-23  6:29 UTC
  To: gentoo-commits

commit:     ca18cb22cf84906139910c600d5bb2afd4bae1a1
Author:     Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Fri Aug 23 08:27:18 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:26:38 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ca18cb22

Add support for abrt-upload-watch

---
 policy/modules/contrib/abrt.fc |  1 +
 policy/modules/contrib/abrt.te | 23 +++++++++++++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/policy/modules/contrib/abrt.fc b/policy/modules/contrib/abrt.fc
index e4f84de..1a93dc5 100644
--- a/policy/modules/contrib/abrt.fc
+++ b/policy/modules/contrib/abrt.fc
@@ -12,6 +12,7 @@
 
 /usr/sbin/abrtd	--	gen_context(system_u:object_r:abrt_exec_t,s0)
 /usr/sbin/abrt-dbus	--	gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-upload-watch	--	gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
 
 /var/cache/abrt(/.*)?	gen_context(system_u:object_r:abrt_var_cache_t,s0)
 /var/cache/abrt-di(/.*)?	gen_context(system_u:object_r:abrt_var_cache_t,s0)

diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te
index 09a02b2..de3f140 100644
--- a/policy/modules/contrib/abrt.te
+++ b/policy/modules/contrib/abrt.te
@@ -15,6 +15,14 @@ policy_module(abrt, 1.4.0)
 gen_tunable(abrt_anon_write, false)
 
 ## <desc>
+## <p>
+## Allow abrt-handle-upload to modify public files
+## used for public file transfer services in /var/spool/abrt-upload/.
+## </p>
+## </desc>
+gen_tunable(abrt_upload_watch_anon_write, true)
+
+## <desc>
 ##	<p>
 ##	Determine whether ABRT can run in
 ##	the abrt_handle_event_t domain to
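Review bot: gen_tunable(abrt_upload_watch_anon_write, true) ships a write grant on public content switched on, while the sibling abrt_anon_write a few lines above defaults to false; an anon-write boolean that defaults to enabled should either be justified in its description or default to false so administrators opt in. Two smaller points in the same hunk: the <desc> text names abrt-handle-upload although the tunable gates abrt_upload_watch_t (see the tunable_policy block further down), and the new block uses `## <p>` without the tab indentation that the existing description directly below it uses (`##	<p>`).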
@@ -87,6 +95,10 @@ type abrt_watch_log_t, abrt_domain;
 type abrt_watch_log_exec_t;
 init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t)
 
+# Support for abrt-upload-watch
+abrt_basic_types_template(abrt_upload_watch)
+init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t)
+
 ifdef(`enable_mcs',`
 	init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
 ')
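Review bot: abrt_basic_types_template(abrt_upload_watch) is a Fedora-side template that, according to the message of commit da10fcbc later in this thread, this tree does not carry, so the module will not build until it exists; the plain refpolicy form is to declare the types explicitly, `type abrt_upload_watch_t, abrt_domain;` and `type abrt_upload_watch_exec_t;`, ahead of the init_daemon_domain() call, which is exactly what that follow-up commit does.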
@@ -403,6 +415,17 @@ logging_read_all_logs(abrt_watch_log_t)
 
 #######################################
 #
+# abrt-upload-watch local policy
+#
+
+corecmd_exec_bin(abrt_upload_watch_t)
+
+tunable_policy(`abrt_upload_watch_anon_write',`
+	miscfiles_manage_public_files(abrt_upload_watch_t)
+')
+
+#######################################
+#
 # Global local policy
 #
 



* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
@ 2013-09-23  6:29 Sven Vermeulen
  2013-09-23 13:31 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
  0 siblings, 1 reply; 20+ messages in thread
From: Sven Vermeulen @ 2013-09-23  6:29 UTC
  To: gentoo-commits

commit:     d8ad674f9b897235cd243b9a37543bcfedb71d6e
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Thu Sep 19 17:39:39 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:19 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d8ad674f

Clean up libstoragemgmt policy module. We do not yet support systemd

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/contrib/lsm.fc |  4 +--
 policy/modules/contrib/lsm.if | 79 ++-----------------------------------------
 policy/modules/contrib/lsm.te |  9 ++---
 3 files changed, 7 insertions(+), 85 deletions(-)

diff --git a/policy/modules/contrib/lsm.fc b/policy/modules/contrib/lsm.fc
index 711c04b..51777c1 100644
--- a/policy/modules/contrib/lsm.fc
+++ b/policy/modules/contrib/lsm.fc
@@ -1,5 +1,3 @@
-/usr/bin/lsmd		--	gen_context(system_u:object_r:lsmd_exec_t,s0)
-
-/usr/lib/systemd/system/libstoragemgmt.*		--	gen_context(system_u:object_r:lsmd_unit_file_t,s0)
+/usr/bin/lsmd	--	gen_context(system_u:object_r:lsmd_exec_t,s0)
 
 /var/run/lsm(/.*)?	--	gen_context(system_u:object_r:lsmd_var_run_t,s0)
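Review bot: the `--` file-type qualifier on the retained `/var/run/lsm(/.*)?` line restricts that context to regular files, so the /var/run/lsm directory itself and any socket beneath it never receive lsmd_var_run_t from restorecon, even though lsm.te manages dirs and sock files of that type; drop the `--` (a later commit in this thread, 2aab4292, does exactly that).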

diff --git a/policy/modules/contrib/lsm.if b/policy/modules/contrib/lsm.if
index f3e94d7..d314333 100644
--- a/policy/modules/contrib/lsm.if
+++ b/policy/modules/contrib/lsm.if
@@ -1,72 +1,9 @@
-
-## <summary>lsmd SELINUX policy </summary>
-
-########################################
-## <summary>
-##	Execute TEMPLATE in the lsmd domin.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`lsmd_domtrans',`
-	gen_require(`
-		type lsmd_t, lsmd_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, lsmd_exec_t, lsmd_t)
-')
-########################################
-## <summary>
-##	Read lsmd PID files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`lsmd_read_pid_files',`
-	gen_require(`
-		type lsmd_var_run_t;
-	')
-
-	files_search_pids($1)
-	read_files_pattern($1, lsmd_var_run_t, lsmd_var_run_t)
-')
-
-########################################
-## <summary>
-##	Execute lsmd server in the lsmd domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`lsmd_systemctl',`
-	gen_require(`
-		type lsmd_t;
-		type lsmd_unit_file_t;
-	')
-
-	systemd_exec_systemctl($1)
-        systemd_read_fifo_file_password_run($1)
-	allow $1 lsmd_unit_file_t:file read_file_perms;
-	allow $1 lsmd_unit_file_t:service manage_service_perms;
-
-	ps_process_pattern($1, lsmd_t)
-')
-
+## <summary>Storage array management library.</summary>
 
 ########################################
 ## <summary>
 ##	All of the rules required to administrate
-##	an lsmd environment
+##	an lsmd environment.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
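Review bot: the hunk deletes lsmd_domtrans() and lsmd_read_pid_files() along with the systemd-specific lsmd_systemctl(), but the commit message only motivates dropping systemd support; if no other module calls the two generic interfaces that is fine, but say so in the message, because removing the only domain-transition interface means nothing but init can ever enter lsmd_t. The one-line <summary> replacing the blank first line is the correct refpolicy layout.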
@@ -82,9 +19,7 @@ interface(`lsmd_systemctl',`
 #
 interface(`lsmd_admin',`
 	gen_require(`
-		type lsmd_t;
-		type lsmd_var_run_t;
-	type lsmd_unit_file_t;
+		type lsmd_t, type lsmd_var_run_t;
 	')
 
 	allow $1 lsmd_t:process { ptrace signal_perms };
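Review bot: `type lsmd_t, type lsmd_var_run_t;` is a syntax error; a gen_require() type list takes the keyword once, `type lsmd_t, lsmd_var_run_t;`, so lsmd_admin() will not compile as written.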
@@ -92,12 +27,4 @@ interface(`lsmd_admin',`
 
 	files_search_pids($1)
 	admin_pattern($1, lsmd_var_run_t)
-
-	lsmd_systemctl($1)
-	admin_pattern($1, lsmd_unit_file_t)
-	allow $1 lsmd_unit_file_t:service all_service_perms;
-	optional_policy(`
-		systemd_passwd_agent_exec($1)
-		systemd_read_fifo_file_passwd_run($1)
-	')
 ')

diff --git a/policy/modules/contrib/lsm.te b/policy/modules/contrib/lsm.te
index 14fe4d7..7f0ca47 100644
--- a/policy/modules/contrib/lsm.te
+++ b/policy/modules/contrib/lsm.te
@@ -12,15 +12,12 @@ init_daemon_domain(lsmd_t, lsmd_exec_t)
 type lsmd_var_run_t;
 files_pid_file(lsmd_var_run_t)
 
-type lsmd_unit_file_t;
-systemd_unit_file(lsmd_unit_file_t)
-
 ########################################
 #
-# lsmd local policy
+# Local policy
 #
-allow lsmd_t self:capability { setgid  };
-allow lsmd_t self:process { fork };
+
+allow lsmd_t self:capability setgid;
 allow lsmd_t self:unix_stream_socket create_stream_socket_perms;
 
 manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
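Review bot: dropping `allow lsmd_t self:process { fork };` is safe only if fork on self is already granted to every domain by the base policy in this tree; if it is not, lsmd_t will be unable to spawn child processes once this loads, so confirm before merging. Collapsing `{ setgid  }` to `setgid` and removing the unit file type are straightforward clean-ups.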



* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
  2013-09-23 13:31 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2013-09-23  6:29 ` Sven Vermeulen
  0 siblings, 0 replies; 20+ messages in thread
From: Sven Vermeulen @ 2013-09-23  6:29 UTC
  To: gentoo-commits

commit:     9c2fcb4cc9c84006d9cb99e67d2ecf56570ea440
Author:     Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Fri Aug 23 08:14:08 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:26:45 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9c2fcb4c

Allow virtd to relabel unix stream socket

---
 policy/modules/contrib/virt.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 65ede42..3f48d7f 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -418,7 +418,7 @@ corenet_tcp_connect_all_ports(svirt_t)
 allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
 allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
 allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
-allow virtd_t self:unix_stream_socket { accept connectto listen };
+allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
 allow virtd_t self:tcp_socket { accept listen };
 allow virtd_t self:tun_socket { create_socket_perms relabelfrom relabelto };
 allow virtd_t self:rawip_socket create_socket_perms;
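Review bot: the widened rule gives libvirtd relabelfrom/relabelto on its own unix stream sockets only, a bounded grant in line with the fifo_file and tun_socket lines above that already carry the same pair, so no objection to the permission itself; what is missing is a policy_module version bump, since the diffstat shows one insertion and one deletion in virt.te, and refpolicy bumps the module version with every rule change.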



* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
  2013-09-23 13:31 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2013-09-23  6:29 ` Sven Vermeulen
  0 siblings, 0 replies; 20+ messages in thread
From: Sven Vermeulen @ 2013-09-23  6:29 UTC
  To: gentoo-commits

commit:     c285f2ef655360833348a3d57ec2962c0a818194
Author:     Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Tue Sep  3 14:44:31 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:24 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c285f2ef

Also sock_file trans rule is needed in lsm

Conflicts:
	lsm.te

---
 policy/modules/contrib/lsm.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/lsm.te b/policy/modules/contrib/lsm.te
index 7f0ca47..4ec0eea 100644
--- a/policy/modules/contrib/lsm.te
+++ b/policy/modules/contrib/lsm.te
@@ -24,5 +24,6 @@ manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
 manage_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
 manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
 manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
 
 logging_send_syslog_msg(lsmd_t)
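Review bot: files_pid_filetrans() with { dir file sock_file } is the right companion to the manage_*_pattern rules above it, but it only labels objects lsmd creates at runtime; the /var/run/lsm(/.*)? entry in lsm.fc still carries a `--` qualifier at this point in the series, so a restorecon run would strip lsmd_var_run_t from the directory and socket until the fc fix (2aab4292) is merged as well. The `Conflicts: lsm.te` note in the message suggests the merge order of these two should be checked.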



* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
@ 2013-09-23  6:29 Sven Vermeulen
  0 siblings, 0 replies; 20+ messages in thread
From: Sven Vermeulen @ 2013-09-23  6:29 UTC
  To: gentoo-commits

commit:     da10fcbc0b173d636603c46203a47ef2ca51f74c
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Thu Sep 19 17:25:11 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:26:40 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=da10fcbc

We don't use the abrt domain types template. Use a more uniform boolean description

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/contrib/abrt.te | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te
index de3f140..eb50f07 100644
--- a/policy/modules/contrib/abrt.te
+++ b/policy/modules/contrib/abrt.te
@@ -1,4 +1,4 @@
-policy_module(abrt, 1.4.0)
+policy_module(abrt, 1.4.1)
 
 ########################################
 #
@@ -15,10 +15,11 @@ policy_module(abrt, 1.4.0)
 gen_tunable(abrt_anon_write, false)
 
 ## <desc>
-## <p>
-## Allow abrt-handle-upload to modify public files
-## used for public file transfer services in /var/spool/abrt-upload/.
-## </p>
+##	<p>
+##	Determine whether abrt-handle-upload
+##	can modify public files used for public file
+##	transfer services in /var/spool/abrt-upload/.
+##	</p>
 ## </desc>
 gen_tunable(abrt_upload_watch_anon_write, true)
 
@@ -95,8 +96,8 @@ type abrt_watch_log_t, abrt_domain;
 type abrt_watch_log_exec_t;
 init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t)
 
-# Support for abrt-upload-watch
-abrt_basic_types_template(abrt_upload_watch)
+type abrt_upload_watch_t, abrt_domain;
+type abrt_upload_watch_exec_t;
 init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t)
 
 ifdef(`enable_mcs',`
@@ -415,7 +416,7 @@ logging_read_all_logs(abrt_watch_log_t)
 
 #######################################
 #
-# abrt-upload-watch local policy
+# Upload watch local policy
 #
 
 corecmd_exec_bin(abrt_upload_watch_t)



* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
  2013-09-23 13:31 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2013-09-23  6:29 ` Sven Vermeulen
  0 siblings, 0 replies; 20+ messages in thread
From: Sven Vermeulen @ 2013-09-23  6:29 UTC
  To: gentoo-commits

commit:     2aab42920d3153bffa3f3b618c622c709bb762f3
Author:     Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Wed Sep  4 10:28:28 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:20 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2aab4292

Fix lsm.fc for pid files

---
 policy/modules/contrib/lsm.fc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/lsm.fc b/policy/modules/contrib/lsm.fc
index 51777c1..c455730 100644
--- a/policy/modules/contrib/lsm.fc
+++ b/policy/modules/contrib/lsm.fc
@@ -1,3 +1,3 @@
 /usr/bin/lsmd	--	gen_context(system_u:object_r:lsmd_exec_t,s0)
 
-/var/run/lsm(/.*)?	--	gen_context(system_u:object_r:lsmd_var_run_t,s0)
+/var/run/lsm(/.*)?	gen_context(system_u:object_r:lsmd_var_run_t,s0)



* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
@ 2013-09-23  6:29 Sven Vermeulen
  0 siblings, 0 replies; 20+ messages in thread
From: Sven Vermeulen @ 2013-09-23  6:29 UTC
  To: gentoo-commits

commit:     433ae56729bc46e1888bace2d296927d2b4bcffd
Author:     Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Thu Aug 22 11:03:42 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:34 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=433ae567

Allow condor domains to manage own logs

---
 policy/modules/contrib/condor.te | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/policy/modules/contrib/condor.te b/policy/modules/contrib/condor.te
index 5fd1388..32b299a 100644
--- a/policy/modules/contrib/condor.te
+++ b/policy/modules/contrib/condor.te
@@ -68,9 +68,7 @@ allow condor_domain self:unix_stream_socket { accept listen };
 rw_files_pattern(condor_domain, condor_conf_t, condor_conf_t)
 
 manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t)
-append_files_pattern(condor_domain, condor_log_t, condor_log_t)
-create_files_pattern(condor_domain, condor_log_t, condor_log_t)
-getattr_files_pattern(condor_domain, condor_log_t, condor_log_t)
+manage_files_pattern(condor_domain, condor_log_t, condor_log_t)
 logging_log_filetrans(condor_domain, condor_log_t, { dir file })
 
 manage_dirs_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t)
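Review bot: replacing append/create/getattr with manage_files_pattern() widens the condor domains from append-only to write, unlink and rename on condor_log_t, which removes the log-integrity property the previous three rules gave (a compromised daemon could truncate or delete its own audit trail). If the denials were for rename or unlink during in-process log rotation, grant those permissions explicitly rather than the full manage set; otherwise append_files_pattern() plus create is the safer shape.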



* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
@ 2013-09-23  6:29 Sven Vermeulen
  0 siblings, 0 replies; 20+ messages in thread
From: Sven Vermeulen @ 2013-09-23  6:29 UTC
  To: gentoo-commits

commit:     0afa74b4db3fc54e1d1e5937667246cb6621df3e
Author:     Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Thu Aug 22 11:10:10 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:27 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0afa74b4

Add labeling for /etc/condor and allow condor domain to write it (bug)

---
 policy/modules/contrib/condor.fc | 2 ++
 policy/modules/contrib/condor.te | 7 +++++++
 2 files changed, 9 insertions(+)

diff --git a/policy/modules/contrib/condor.fc b/policy/modules/contrib/condor.fc
index 23dc348..543321b 100644
--- a/policy/modules/contrib/condor.fc
+++ b/policy/modules/contrib/condor.fc
@@ -1,3 +1,5 @@
+/etc/condor(/.*)?	gen_context(system_u:object_r:condor_etc_rw_t,s0)
+
 /etc/rc\.d/init\.d/condor	--	gen_context(system_u:object_r:condor_initrc_exec_t,s0)
 
 /usr/sbin/condor_collector	--	gen_context(system_u:object_r:condor_collector_exec_t,s0)
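Review bot: the new type name condor_etc_rw_t departs from refpolicy's `<module>_conf_t` naming for configuration types, and a type every condor domain can write to should be named for what it holds rather than for its permissions; a later commit in this thread (5562e1cd) renames it to condor_conf_t, so the rename could be folded in here. The `(bug)` in the commit message also cites no bug reference.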

diff --git a/policy/modules/contrib/condor.te b/policy/modules/contrib/condor.te
index 4ca829b..7666be4 100644
--- a/policy/modules/contrib/condor.te
+++ b/policy/modules/contrib/condor.te
@@ -34,6 +34,9 @@ files_tmp_file(condor_startd_tmp_t)
 type condor_startd_tmpfs_t;
 files_tmpfs_file(condor_startd_tmpfs_t)
 
+type condor_etc_rw_t;
+files_config_file(condor_etc_rw_t)
+
 type condor_log_t;
 logging_log_file(condor_log_t)
 
@@ -62,6 +65,8 @@ allow condor_domain self:fifo_file rw_fifo_file_perms;
 allow condor_domain self:tcp_socket { accept listen };
 allow condor_domain self:unix_stream_socket { accept listen };
 
+rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t)
+
 manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t)
 append_files_pattern(condor_domain, condor_log_t, condor_log_t)
 create_files_pattern(condor_domain, condor_log_t, condor_log_t)
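Review bot: rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t) gives every condor daemon write access to its own configuration under /etc/condor, so any compromised condor_* process can persist by rewriting the config that all the others read; the `(bug)` in the commit message implies this is an upstream quirk rather than a design, in which case a comment on the rule and, if feasible, restricting the write to the one domain that needs it would limit the blast radius.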
@@ -110,6 +115,8 @@ logging_send_syslog_msg(condor_domain)
 
 miscfiles_read_localization(condor_domain)
 
+sysnet_dns_name_resolve(condor_domain)
+
 tunable_policy(`condor_tcp_network_connect',`
 	corenet_sendrecv_all_client_packets(condor_domain)
 	corenet_tcp_connect_all_ports(condor_domain)
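Review bot: sysnet_dns_name_resolve(condor_domain) is redundant if condor_domain already has auth_use_nsswitch(), which supplies name resolution through the nsswitch_domain attribute (the rpcbind commit in this same thread removes the identical call for that reason); check whether condor.te already calls auth_use_nsswitch() before adding the direct rule.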



* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
@ 2013-09-23  6:29 Sven Vermeulen
  0 siblings, 0 replies; 20+ messages in thread
From: Sven Vermeulen @ 2013-09-23  6:29 UTC
  To: gentoo-commits

commit:     ece5508dd2c59b8100fdcea7032a0b927069b222
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Fri Sep 20 06:51:35 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:32 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ece5508d

We will find another way to run pa as a system server

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/contrib/pulseaudio.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 643d58e..fca8b1d 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -12,7 +12,7 @@ attribute_role pulseaudio_roles;
 
 type pulseaudio_t;
 type pulseaudio_exec_t;
-init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
+# init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
 userdom_user_application_domain(pulseaudio_t, pulseaudio_exec_t)
 role pulseaudio_roles types pulseaudio_t;
 



* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
@ 2013-09-23  6:29 Sven Vermeulen
  0 siblings, 0 replies; 20+ messages in thread
From: Sven Vermeulen @ 2013-09-23  6:29 UTC
  To: gentoo-commits

commit:     71888201c517f31907207e0060d1809dd5c8b6ed
Author:     Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Thu Aug 22 09:13:26 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:36 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=71888201

Allow glusterd to read domains state

---
 policy/modules/contrib/glusterfs.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/contrib/glusterfs.te b/policy/modules/contrib/glusterfs.te
index d9f8ec1..0a8e91e 100644
--- a/policy/modules/contrib/glusterfs.te
+++ b/policy/modules/contrib/glusterfs.te
@@ -92,6 +92,8 @@ corenet_tcp_connect_all_unreserved_ports(glusterd_t)
 dev_read_sysfs(glusterd_t)
 dev_read_urand(glusterd_t)
 
+domain_read_all_domains_state(glusterd_t)
+
 domain_use_interactive_fds(glusterd_t)
 
 files_read_usr_files(glusterd_t)
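Review bot: domain_read_all_domains_state(glusterd_t) lets glusterd read the /proc/<pid> state of every domain on the system, a broad information-disclosure grant for a storage daemon, and the rule carries no comment on which processes glusterd actually inspects; if the need is limited to its own helper processes, a read rule scoped to those domains would be preferable, and if the broad read is genuinely required, document the reason next to the rule.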



* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
  2013-09-23 13:31 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2013-09-23  6:29 ` Sven Vermeulen
  0 siblings, 0 replies; 20+ messages in thread
From: Sven Vermeulen @ 2013-09-23  6:29 UTC
  To: gentoo-commits

commit:     6e23089d1f62f91276576f9038553bba5dd232bd
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Thu Sep 19 17:59:43 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:30 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6e23089d

Hit by a nasty optional policy nesting issue

Basically gnome keyring daemon depends on a window manager, and window
managers depend on dbus

Thus for restricted xwindows users, the gnome_per_role_template optional
policy needs to be nested in the wm_per_role_template optional policy,
which needs to be nested in the dbus_per_role_template optional policy

I tried to get dbus out of the equation but was not able to

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/contrib/gnome.if |  4 +++-
 policy/modules/contrib/wm.if    | 12 +++++++-----
 policy/modules/contrib/wm.te    |  4 ----
 3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if
index d03fd43..ab09d61 100644
--- a/policy/modules/contrib/gnome.if
+++ b/policy/modules/contrib/gnome.if
@@ -111,7 +111,9 @@ template(`gnome_role_template',`
 	optional_policy(`
 		dbus_spec_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
 
-		gnome_dbus_chat_gkeyringd($1, $3)
+		optional_policy(`
+			gnome_dbus_chat_gkeyringd($1, $3)
+		')
 	')
 ')
 

diff --git a/policy/modules/contrib/wm.if b/policy/modules/contrib/wm.if
index 25b702d..fbd84ba 100644
--- a/policy/modules/contrib/wm.if
+++ b/policy/modules/contrib/wm.if
@@ -68,6 +68,9 @@ template(`wm_role_template',`
 
 	auth_use_nsswitch($1_wm_t)
 
+	xserver_role($2, $1_wm_t)
+	xserver_manage_core_devices($1_wm_t)
+
 	optional_policy(`
 		dbus_spec_session_bus_client($1, $1_wm_t)
 		dbus_system_bus_client($1_wm_t)
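Review bot: moving xserver_role() and xserver_manage_core_devices() out of their optional_policy() block turns xserver into a hard dependency of wm_role_template(); that is reasonable for a window manager, but the commit message should say so, because a build with wm enabled and xserver disabled now fails where it previously degraded gracefully.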
@@ -77,13 +80,12 @@ template(`wm_role_template',`
 		')
 	')
 
-	optional_policy(`
-		pulseaudio_run($1_wm_t, $2)
-	')
+	# optional_policy(`
+	#	gnome_stream_connect_gkeyringd($1, $1_wm_t)
+	# ')
 
 	optional_policy(`
-		xserver_role($2, $1_wm_t)
-		xserver_manage_core_devices($1_wm_t)
+		pulseaudio_run($1_wm_t, $2)
 	')
 ')
 

diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
index 0f5148e..ffe166f 100644
--- a/policy/modules/contrib/wm.te
+++ b/policy/modules/contrib/wm.te
@@ -57,10 +57,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	gnome_stream_connect_gkeyringd(wm_domain)
-')
-
-optional_policy(`
 	networkmanager_dbus_chat(wm_domain)
 ')
 



* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
@ 2013-09-23  6:29 Sven Vermeulen
  0 siblings, 0 replies; 20+ messages in thread
From: Sven Vermeulen @ 2013-09-23  6:29 UTC
  To: gentoo-commits

commit:     259ffaed9af0165011cc36ed38c140d9f007cd94
Author:     Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Thu Aug 22 11:25:49 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:26 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=259ffaed

Update condor_master rules to allow reading system state info and allow logging

---
 policy/modules/contrib/condor.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/condor.te b/policy/modules/contrib/condor.te
index 3f2b672..4ca829b 100644
--- a/policy/modules/contrib/condor.te
+++ b/policy/modules/contrib/condor.te
@@ -185,7 +185,7 @@ allow condor_negotiator_t condor_master_t:udp_socket getattr;
 
 allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace };
 
-allow condor_procd_t condor_startd_t:process sigkill;
+allow condor_procd_t condor_domain:process sigkill;
 
 domain_read_all_domains_state(condor_procd_t)
 



* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
  2013-09-23 13:31 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2013-09-23  6:29 ` Sven Vermeulen
  0 siblings, 0 replies; 20+ messages in thread
From: Sven Vermeulen @ 2013-09-23  6:29 UTC
  To: gentoo-commits

commit:     5562e1cd22a89358906eb674325fb40a10cf9ae2
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Thu Sep 19 17:54:51 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:28 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5562e1cd

Change type from etc_rw to conf for readability; admin access to condor_conf_t

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/contrib/condor.fc | 2 +-
 policy/modules/contrib/condor.if | 5 ++++-
 policy/modules/contrib/condor.te | 6 +++---
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/policy/modules/contrib/condor.fc b/policy/modules/contrib/condor.fc
index 543321b..ad2b696 100644
--- a/policy/modules/contrib/condor.fc
+++ b/policy/modules/contrib/condor.fc
@@ -1,4 +1,4 @@
-/etc/condor(/.*)?	gen_context(system_u:object_r:condor_etc_rw_t,s0)
+/etc/condor(/.*)?	gen_context(system_u:object_r:condor_conf_t,s0)
 
 /etc/rc\.d/init\.d/condor	--	gen_context(system_u:object_r:condor_initrc_exec_t,s0)
 

diff --git a/policy/modules/contrib/condor.if b/policy/modules/contrib/condor.if
index 3fe3cb8..881d92f 100644
--- a/policy/modules/contrib/condor.if
+++ b/policy/modules/contrib/condor.if
@@ -60,7 +60,7 @@ interface(`condor_admin',`
 		attribute condor_domain;
 		type condor_initrc_exec_config_t, condor_log_t;
 		type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
-		type condor_var_run_t, condor_startd_tmp_t;
+		type condor_var_run_t, condor_startd_tmp_t, condor_conf_t;
 	')
 
 	allow $1 condor_domain:process { ptrace signal_perms };
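Review bot: the require block still lists condor_initrc_exec_config_t two lines above the changed one, while condor.fc labels the init script condor_initrc_exec_t and the role_transition further down uses condor_initrc_exec_t; the _config suffix looks like a typo that would make condor_admin() fail to resolve its requires, and this hunk is a natural place to fix it since it already edits the gen_require() list.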
@@ -71,6 +71,9 @@ interface(`condor_admin',`
 	role_transition $2 condor_initrc_exec_t system_r;
 	allow $2 system_r;
 
+	files_search_etc($1)
+	admin_pattern($1, condor_conf_t)
+
 	logging_search_logs($1)
 	admin_pattern($1, condor_log_t)
 

diff --git a/policy/modules/contrib/condor.te b/policy/modules/contrib/condor.te
index 7666be4..5fd1388 100644
--- a/policy/modules/contrib/condor.te
+++ b/policy/modules/contrib/condor.te
@@ -34,8 +34,8 @@ files_tmp_file(condor_startd_tmp_t)
 type condor_startd_tmpfs_t;
 files_tmpfs_file(condor_startd_tmpfs_t)
 
-type condor_etc_rw_t;
-files_config_file(condor_etc_rw_t)
+type condor_conf_t;
+files_config_file(condor_conf_t)
 
 type condor_log_t;
 logging_log_file(condor_log_t)
@@ -65,7 +65,7 @@ allow condor_domain self:fifo_file rw_fifo_file_perms;
 allow condor_domain self:tcp_socket { accept listen };
 allow condor_domain self:unix_stream_socket { accept listen };
 
-rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t)
+rw_files_pattern(condor_domain, condor_conf_t, condor_conf_t)
 
 manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t)
 append_files_pattern(condor_domain, condor_log_t, condor_log_t)



* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
@ 2013-09-23  6:29 Sven Vermeulen
  0 siblings, 0 replies; 20+ messages in thread
From: Sven Vermeulen @ 2013-09-23  6:29 UTC
  To: gentoo-commits

commit:     1e570633210d20c462a98fdfa0c3a23e9a2652ec
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Fri Sep 20 07:28:45 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:28:39 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1e570633

Clean up initial redis policy module

Need a redis port type

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/contrib/redis.fc |  10 +-
 policy/modules/contrib/redis.if | 243 ++--------------------------------------
 policy/modules/contrib/redis.te |  15 ++-
 3 files changed, 20 insertions(+), 248 deletions(-)

diff --git a/policy/modules/contrib/redis.fc b/policy/modules/contrib/redis.fc
index 638d6b4..e240ac9 100644
--- a/policy/modules/contrib/redis.fc
+++ b/policy/modules/contrib/redis.fc
@@ -1,11 +1,9 @@
 /etc/rc\.d/init\.d/redis	--	gen_context(system_u:object_r:redis_initrc_exec_t,s0)
 
-/usr/lib/systemd/system/redis.*		--	gen_context(system_u:object_r:redis_unit_file_t,s0)
+/usr/sbin/redis-server	--	gen_context(system_u:object_r:redis_exec_t,s0)
 
-/usr/sbin/redis-server		--	gen_context(system_u:object_r:redis_exec_t,s0)
+/var/lib/redis(/.*)?	gen_context(system_u:object_r:redis_var_lib_t,s0)
 
-/var/lib/redis(/.*)?		gen_context(system_u:object_r:redis_var_lib_t,s0)
+/var/log/redis(/.*)?	gen_context(system_u:object_r:redis_log_t,s0)
 
-/var/log/redis(/.*)?		gen_context(system_u:object_r:redis_log_t,s0)
-
-/var/run/redis(/.*)?		gen_context(system_u:object_r:redis_var_run_t,s0)
+/var/run/redis(/.*)?	gen_context(system_u:object_r:redis_var_run_t,s0)

diff --git a/policy/modules/contrib/redis.if b/policy/modules/contrib/redis.if
index e3efff0..16c8ecb 100644
--- a/policy/modules/contrib/redis.if
+++ b/policy/modules/contrib/redis.if
@@ -1,226 +1,9 @@
-
-## <summary>policy for redis</summary>
-
-########################################
-## <summary>
-##	Execute TEMPLATE in the redis domin.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`redis_domtrans',`
-	gen_require(`
-		type redis_t, redis_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, redis_exec_t, redis_t)
-')
-
-########################################
-## <summary>
-##	Execute redis server in the redis domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`redis_initrc_domtrans',`
-	gen_require(`
-		type redis_initrc_exec_t;
-	')
-
-	init_labeled_script_domtrans($1, redis_initrc_exec_t)
-')
-########################################
-## <summary>
-##	Read redis's log files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`redis_read_log',`
-	gen_require(`
-		type redis_log_t;
-	')
-
-	logging_search_logs($1)
-	read_files_pattern($1, redis_log_t, redis_log_t)
-')
-
-########################################
-## <summary>
-##	Append to redis log files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`redis_append_log',`
-	gen_require(`
-		type redis_log_t;
-	')
-
-	logging_search_logs($1)
-	append_files_pattern($1, redis_log_t, redis_log_t)
-')
-
-########################################
-## <summary>
-##	Manage redis log files
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`redis_manage_log',`
-	gen_require(`
-		type redis_log_t;
-	')
-
-	logging_search_logs($1)
-	manage_dirs_pattern($1, redis_log_t, redis_log_t)
-	manage_files_pattern($1, redis_log_t, redis_log_t)
-	manage_lnk_files_pattern($1, redis_log_t, redis_log_t)
-')
-
-########################################
-## <summary>
-##	Search redis lib directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`redis_search_lib',`
-	gen_require(`
-		type redis_var_lib_t;
-	')
-
-	allow $1 redis_var_lib_t:dir search_dir_perms;
-	files_search_var_lib($1)
-')
-
-########################################
-## <summary>
-##	Read redis lib files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`redis_read_lib_files',`
-	gen_require(`
-		type redis_var_lib_t;
-	')
-
-	files_search_var_lib($1)
-	read_files_pattern($1, redis_var_lib_t, redis_var_lib_t)
-')
-
-########################################
-## <summary>
-##	Manage redis lib files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`redis_manage_lib_files',`
-	gen_require(`
-		type redis_var_lib_t;
-	')
-
-	files_search_var_lib($1)
-	manage_files_pattern($1, redis_var_lib_t, redis_var_lib_t)
-')
-
-########################################
-## <summary>
-##	Manage redis lib directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`redis_manage_lib_dirs',`
-	gen_require(`
-		type redis_var_lib_t;
-	')
-
-	files_search_var_lib($1)
-	manage_dirs_pattern($1, redis_var_lib_t, redis_var_lib_t)
-')
-
-########################################
-## <summary>
-##	Read redis PID files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`redis_read_pid_files',`
-	gen_require(`
-		type redis_var_run_t;
-	')
-
-	files_search_pids($1)
-	read_files_pattern($1, redis_var_run_t, redis_var_run_t)
-')
+## <summary>Advanced key-value store.</summary>
 
 ########################################
 ## <summary>
-##	Execute redis server in the redis domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`redis_systemctl',`
-	gen_require(`
-		type redis_t;
-		type redis_unit_file_t;
-	')
-
-	systemd_exec_systemctl($1)
-        systemd_read_fifo_file_password_run($1)
-	allow $1 redis_unit_file_t:file read_file_perms;
-	allow $1 redis_unit_file_t:service manage_service_perms;
-
-	ps_process_pattern($1, redis_t)
-')
-
-
-########################################
-## <summary>
-##	All of the rules required to administrate
-##	an redis environment
+##	All of the rules required to
+##	administrate an redis environment.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
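Review bot: the rewritten summary `##	administrate an redis environment.` should read `a redis environment`. More substantively, this hunk deletes redis_domtrans(), redis_read_pid_files(), redis_read_lib_files(), redis_manage_log() and the other accessor interfaces without replacement; that is a public API removal, so any module calling them will stop building, and it is worth confirming there are no callers before merging.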
@@ -236,36 +19,24 @@ interface(`redis_systemctl',`
 #
 interface(`redis_admin',`
 	gen_require(`
-		type redis_t;
-		type redis_initrc_exec_t;
-		type redis_log_t;
-		type redis_var_lib_t;
-		type redis_var_run_t;
-	type redis_unit_file_t;
+		type redis_t, redis_initrc_exec_t, redis_var_lib_t;
+		type redis_log_t, redis_var_run_t;
 	')
 
 	allow $1 redis_t:process { ptrace signal_perms };
 	ps_process_pattern($1, redis_t)
 
-	redis_initrc_domtrans($1)
+	init_labeled_script_domtrans($1, redis_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 redis_initrc_exec_t system_r;
 	allow $2 system_r;
 
 	logging_search_logs($1)
-	admin_pattern($1, redis_log_t)
+	admin_pattern($!, redis_log_t)
 
 	files_search_var_lib($1)
 	admin_pattern($1, redis_var_lib_t)
 
 	files_search_pids($1)
 	admin_pattern($1, redis_var_run_t)
-
-	redis_systemctl($1)
-	admin_pattern($1, redis_unit_file_t)
-	allow $1 redis_unit_file_t:service all_service_perms;
-	optional_policy(`
-		systemd_passwd_agent_exec($1)
-		systemd_read_fifo_file_passwd_run($1)
-	')
 ')
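Review bot: `admin_pattern($!, redis_log_t)` has `$!` where `$1` is intended. m4 does not treat `$!` as a parameter reference, so the literal text is passed through into the generated policy and the module will not compile; the line should be `admin_pattern($1, redis_log_t)`, matching the two admin_pattern() calls that follow it.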

diff --git a/policy/modules/contrib/redis.te b/policy/modules/contrib/redis.te
index e5e9cf7..f98e40e 100644
--- a/policy/modules/contrib/redis.te
+++ b/policy/modules/contrib/redis.te
@@ -21,12 +21,9 @@ files_type(redis_var_lib_t)
 type redis_var_run_t;
 files_pid_file(redis_var_run_t)
 
-type redis_unit_file_t;
-systemd_unit_file(redis_unit_file_t)
-
 ########################################
 #
-# redis local policy
+# Local policy
 #
 
 allow redis_t self:process { setrlimit signal_perms };
@@ -48,8 +45,15 @@ manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
 
 kernel_read_system_state(redis_t)
 
+corenet_all_recvfrom_unlabeled(redis_t)
+corenet_all_recvfrom_netlabel(redis_t)
+corenet_tcp_sendrecv_generic_if(redis_t)
+corenet_tcp_sendrecv_generic_node(redis_t)
 corenet_tcp_bind_generic_node(redis_t)
-corenet_tcp_bind_redis_port(redis_t)
+
+# corenet_sendrecv_redis_server_packets(redis_t)
+# corenet_tcp_bind_redis_port(redis_t)
+# corenet_tcp_sendrecv_redis_port(redis_t)
 
 dev_read_sysfs(redis_t)
 dev_read_urand(redis_t)
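Review bot: commenting out `corenet_tcp_bind_redis_port(redis_t)` leaves redis_t, with the rules visible here, without name_bind on any port type, so the server will be denied when it binds its listening socket; corenet_tcp_bind_generic_node() only covers the node side of the bind. Rather than carrying three commented-out rules (`# corenet_tcp_bind_redis_port(redis_t)` and the two sendrecv lines), declare a redis port type in corenetwork and enable the three rules in the same change, as the commit message ("Need a redis port type") already anticipates.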
@@ -59,4 +63,3 @@ logging_send_syslog_msg(redis_t)
 miscfiles_read_localization(redis_t)
 
 sysnet_dns_name_resolve(redis_t)
-



* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
@ 2013-09-23  6:29 Sven Vermeulen
  0 siblings, 0 replies; 20+ messages in thread
From: Sven Vermeulen @ 2013-09-23  6:29 UTC (permalink / raw
  To: gentoo-commits

commit:     f32d2da8b2f3a4cbaf11f9eb0a1c27d1678ce4d5
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Fri Sep 20 07:12:29 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:28:03 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f32d2da8

Clean up hypervkvp policy module (seems incomplete)

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/contrib/hypervkvp.fc |  4 ++--
 policy/modules/contrib/hypervkvp.if | 31 +++++++++++++++++++++----------
 policy/modules/contrib/hypervkvp.te | 24 +++++++++++-------------
 3 files changed, 34 insertions(+), 25 deletions(-)

diff --git a/policy/modules/contrib/hypervkvp.fc b/policy/modules/contrib/hypervkvp.fc
index 2a69ee4..b46130e 100644
--- a/policy/modules/contrib/hypervkvp.fc
+++ b/policy/modules/contrib/hypervkvp.fc
@@ -1,3 +1,3 @@
-/etc/rc\.d/init\.d/hypervkvpd	--	gen_context(system_u:object_r:hypervkvp_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hypervkvpd	--	gen_context(system_u:object_r:hypervkvpd_initrc_exec_t,s0)
 
-/usr/sbin/hv_kvp_daemon		--	gen_context(system_u:object_r:hypervkvp_exec_t,s0)
+/usr/sbin/hv_kvp_daemon	--	gen_context(system_u:object_r:hypervkvpd_exec_t,s0)

diff --git a/policy/modules/contrib/hypervkvp.if b/policy/modules/contrib/hypervkvp.if
index 7743be5..6517fad 100644
--- a/policy/modules/contrib/hypervkvp.if
+++ b/policy/modules/contrib/hypervkvp.if
@@ -1,21 +1,32 @@
-
-## <summary>policy for hypervkvp</summary>
+## <summary>HyperV key value pair (KVP).</summary>
 
 ########################################
 ## <summary>
-##	Execute TEMPLATE in the hypervkvp domin.
+##	All of the rules required to
+##	administrate an hypervkvp environment.
 ## </summary>
 ## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
+##	<summary>
+##	Domain allowed access.
+##	</summary>
 ## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
 #
-interface(`hypervkvp_domtrans',`
+interface(`hypervkvp_admin',`
 	gen_require(`
-		type hypervkvp_t, hypervkvp_exec_t;
+		type hypervkvpd_t, hypervkvpd_initrc_exec_t;
 	')
 
-	corecmd_search_bin($1)
-	domtrans_pattern($1, hypervkvp_exec_t, hypervkvp_t)
+	allow $1 hypervkvpd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, hypervkvpd_t)
+
+	init_labeled_script_domtrans($1, hypervkvpd_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 hypervkvpd_initrc_exec_t system_r;
+	allow $2 system_r;
 ')
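Review bot: `##	administrate an hypervkvp environment.` should read `a hypervkvp environment`. Also, replacing hypervkvp_domtrans() with hypervkvp_admin() leaves no interface through which another domain can transition into hypervkvpd_t apart from the init script path; if that is intended (the daemon is only ever started by init), say so in the commit message, which currently only notes that the module seems incomplete.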

diff --git a/policy/modules/contrib/hypervkvp.te b/policy/modules/contrib/hypervkvp.te
index 631ed79..4eb7041 100644
--- a/policy/modules/contrib/hypervkvp.te
+++ b/policy/modules/contrib/hypervkvp.te
@@ -5,26 +5,24 @@ policy_module(hypervkvp, 1.0.0)
 # Declarations
 #
 
-type hypervkvp_t;
-type hypervkvp_exec_t;
-init_daemon_domain(hypervkvp_t, hypervkvp_exec_t)
-
-type hypervkvp_initrc_exec_t;
-init_script_file(hypervkvp_initrc_exec_t)
+type hypervkvpd_t;
+type hypervkvpd_exec_t;
+init_daemon_domain(hypervkvpd_t, hypervkvpd_exec_t)
 
+type hypervkvpd_initrc_exec_t;
+init_script_file(hypervkvpd_initrc_exec_t)
 
 ########################################
 #
-# hypervkvp local policy
+# Local policy
 #
 #
-allow hypervkvp_t self:fifo_file rw_fifo_file_perms;
-allow hypervkvp_t self:unix_stream_socket create_stream_socket_perms;
 
-domain_use_interactive_fds(hypervkvp_t)
+allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
+allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
 
-logging_send_syslog_msg(hypervkvp_t)
+logging_send_syslog_msg(hypervkvpd_t)
 
-miscfiles_read_localization(hypervkvp_t)
+miscfiles_read_localization(hypervkvpd_t)
 
-sysnet_dns_name_resolve(hypervkvp_t)
+sysnet_dns_name_resolve(hypervkvpd_t)
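Review bot: the `# Local policy` banner now has two consecutive `#` lines after it plus a stray blank line before the first allow rule; collapse it to the usual three-line banner. Separately, `domain_use_interactive_fds(hypervkvp_t)` is removed rather than renamed to hypervkvpd_t while every other rule is carried over; if the daemon is ever started from a terminal it will be denied use of the inherited file descriptors, so either keep the call under the new type name or state in the commit message that the drop is deliberate.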



* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
  2013-09-23 13:31 Sven Vermeulen
@ 2013-09-23  6:29 ` Sven Vermeulen
  0 siblings, 0 replies; 20+ messages in thread
From: Sven Vermeulen @ 2013-09-23  6:29 UTC (permalink / raw
  To: gentoo-commits

commit:     1885a6b8dbea8123e438d8b17ceb6aaf80bca8f8
Author:     Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Tue Aug 20 09:09:06 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:28:41 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1885a6b8

Add openvpn_can_network_connect() boolean

---
 policy/modules/contrib/openvpn.te | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/policy/modules/contrib/openvpn.te b/policy/modules/contrib/openvpn.te
index 1c3599a..5816817 100644
--- a/policy/modules/contrib/openvpn.te
+++ b/policy/modules/contrib/openvpn.te
@@ -13,6 +13,14 @@ policy_module(openvpn, 1.12.1)
 ## </desc>
 gen_tunable(openvpn_enable_homedirs, false)
 
+## <desc>
+##  <p>
+##  Determine whether openvpn can
+##  connect to the TCP network.
+##  </p>
+## </desc>
+gen_tunable(openvpn_can_network_connect, false)
+
 attribute_role openvpn_roles;
 
 type openvpn_t;
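Review bot: the new `<desc>` block is indented with two spaces (`##  <p>`, `##  Determine whether openvpn can`) while refpolicy descriptions use a tab; the follow-up commit 83137721 in this thread corrects this, but it is better fixed in the commit that introduces it.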
@@ -149,6 +157,10 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(openvpn_t)
 ')
 
+tunable_policy(`openvpn_can_network_connect',`
+    corenet_tcp_connect_all_ports(openvpn_t)
+')
+
 optional_policy(`
 	daemontools_service_domain(openvpn_t, openvpn_exec_t)
 ')
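Review bot: `    corenet_tcp_connect_all_ports(openvpn_t)` is indented with four spaces; refpolicy bodies use a tab. More importantly, name_connect on its own is only half of a TCP client allow by refpolicy convention, which pairs it with corenet_tcp_sendrecv_all_ports() and corenet_sendrecv_all_client_packets(); the later commit 83137721 in this thread adds exactly those two calls, so they could have gone in here together with the tab fix.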



* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
  2013-09-23 13:31 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2013-09-23  6:29 ` Sven Vermeulen
  0 siblings, 0 replies; 20+ messages in thread
From: Sven Vermeulen @ 2013-09-23  6:29 UTC (permalink / raw
  To: gentoo-commits

commit:     0a54a711c81b74e91cc633b005b28cb71170d960
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Thu Sep 19 12:45:01 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:38 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0a54a711

Module version bump for changes to various policy modules by Miroslav Grepl

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/contrib/condor.te    | 2 +-
 policy/modules/contrib/glusterfs.te | 2 +-
 policy/modules/contrib/rhcs.te      | 2 +-
 policy/modules/contrib/virt.te      | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/policy/modules/contrib/condor.te b/policy/modules/contrib/condor.te
index 32b299a..ce9f040 100644
--- a/policy/modules/contrib/condor.te
+++ b/policy/modules/contrib/condor.te
@@ -1,4 +1,4 @@
-policy_module(condor, 1.0.0)
+policy_module(condor, 1.0.1)
 
 ########################################
 #

diff --git a/policy/modules/contrib/glusterfs.te b/policy/modules/contrib/glusterfs.te
index 0a8e91e..4e95c7e 100644
--- a/policy/modules/contrib/glusterfs.te
+++ b/policy/modules/contrib/glusterfs.te
@@ -1,4 +1,4 @@
-policy_module(glusterfs, 1.1.1)
+policy_module(glusterfs, 1.1.2)
 
 ########################################
 #

diff --git a/policy/modules/contrib/rhcs.te b/policy/modules/contrib/rhcs.te
index 7f87224..6cf79c4 100644
--- a/policy/modules/contrib/rhcs.te
+++ b/policy/modules/contrib/rhcs.te
@@ -1,4 +1,4 @@
-policy_module(rhcs, 1.2.0)
+policy_module(rhcs, 1.2.1)
 
 ########################################
 #

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 3f48d7f..7afd03d 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.7.3)
+policy_module(virt, 1.7.4)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
  2013-09-23 13:31 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2013-09-23  6:29 ` Sven Vermeulen
  0 siblings, 0 replies; 20+ messages in thread
From: Sven Vermeulen @ 2013-09-23  6:29 UTC (permalink / raw
  To: gentoo-commits

commit:     8313772124285241a40d56a7030ba9c4dc5431b3
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Fri Sep 20 07:41:07 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:28:43 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=83137721

Additional openvpn tcp networking rules

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/contrib/openvpn.te | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/policy/modules/contrib/openvpn.te b/policy/modules/contrib/openvpn.te
index 5816817..63957a3 100644
--- a/policy/modules/contrib/openvpn.te
+++ b/policy/modules/contrib/openvpn.te
@@ -1,4 +1,4 @@
-policy_module(openvpn, 1.12.1)
+policy_module(openvpn, 1.12.2)
 
 ########################################
 #
@@ -14,10 +14,10 @@ policy_module(openvpn, 1.12.1)
 gen_tunable(openvpn_enable_homedirs, false)
 
 ## <desc>
-##  <p>
-##  Determine whether openvpn can
-##  connect to the TCP network.
-##  </p>
+##	<p>
+##	Determine whether openvpn can
+##	connect to the TCP network.
+##	</p>
 ## </desc>
 gen_tunable(openvpn_can_network_connect, false)
 
@@ -158,7 +158,9 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
 ')
 
 tunable_policy(`openvpn_can_network_connect',`
-    corenet_tcp_connect_all_ports(openvpn_t)
+	corenet_sendrecv_all_client_packets(openvpn_t)
+	corenet_tcp_connect_all_ports(openvpn_t)
+	corenet_tcp_sendrecv_all_ports(openvpn_t)
 ')
 
 optional_policy(`
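Review bot: with these three rules the boolean turns openvpn_t into an unrestricted TCP client (every port type and every client packet type), which is acceptable only because gen_tunable() defaults it to false; the `<desc>` text ("connect to the TCP network") should say that it allows connecting to any TCP port, so administrators understand the breadth of what they are enabling.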



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
  2013-09-23  6:29 [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/ Sven Vermeulen
@ 2013-09-23 13:31 ` Sven Vermeulen
  0 siblings, 0 replies; 20+ messages in thread
From: Sven Vermeulen @ 2013-09-23 13:31 UTC (permalink / raw
  To: gentoo-commits

commit:     d8ad674f9b897235cd243b9a37543bcfedb71d6e
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Thu Sep 19 17:39:39 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:19 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d8ad674f

Clean up libstoragemgmt policy module. We do not yet support systemd

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/contrib/lsm.fc |  4 +--
 policy/modules/contrib/lsm.if | 79 ++-----------------------------------------
 policy/modules/contrib/lsm.te |  9 ++---
 3 files changed, 7 insertions(+), 85 deletions(-)

diff --git a/policy/modules/contrib/lsm.fc b/policy/modules/contrib/lsm.fc
index 711c04b..51777c1 100644
--- a/policy/modules/contrib/lsm.fc
+++ b/policy/modules/contrib/lsm.fc
@@ -1,5 +1,3 @@
-/usr/bin/lsmd		--	gen_context(system_u:object_r:lsmd_exec_t,s0)
-
-/usr/lib/systemd/system/libstoragemgmt.*		--	gen_context(system_u:object_r:lsmd_unit_file_t,s0)
+/usr/bin/lsmd	--	gen_context(system_u:object_r:lsmd_exec_t,s0)
 
 /var/run/lsm(/.*)?	--	gen_context(system_u:object_r:lsmd_var_run_t,s0)
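Review bot: `/var/run/lsm(/.*)?	--	gen_context(system_u:object_r:lsmd_var_run_t,s0)` carries the `--` regular-file qualifier, so the /var/run/lsm directory itself is never labelled lsmd_var_run_t and the manage_dirs_pattern() rule on that type in lsm.te has nothing to act on; drop the `--`, as the redis.fc hunk in this thread does for `/var/run/redis(/.*)?`. The line is unchanged context here, but this clean-up is the natural place to fix it.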

diff --git a/policy/modules/contrib/lsm.if b/policy/modules/contrib/lsm.if
index f3e94d7..d314333 100644
--- a/policy/modules/contrib/lsm.if
+++ b/policy/modules/contrib/lsm.if
@@ -1,72 +1,9 @@
-
-## <summary>lsmd SELINUX policy </summary>
-
-########################################
-## <summary>
-##	Execute TEMPLATE in the lsmd domin.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`lsmd_domtrans',`
-	gen_require(`
-		type lsmd_t, lsmd_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, lsmd_exec_t, lsmd_t)
-')
-########################################
-## <summary>
-##	Read lsmd PID files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`lsmd_read_pid_files',`
-	gen_require(`
-		type lsmd_var_run_t;
-	')
-
-	files_search_pids($1)
-	read_files_pattern($1, lsmd_var_run_t, lsmd_var_run_t)
-')
-
-########################################
-## <summary>
-##	Execute lsmd server in the lsmd domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`lsmd_systemctl',`
-	gen_require(`
-		type lsmd_t;
-		type lsmd_unit_file_t;
-	')
-
-	systemd_exec_systemctl($1)
-        systemd_read_fifo_file_password_run($1)
-	allow $1 lsmd_unit_file_t:file read_file_perms;
-	allow $1 lsmd_unit_file_t:service manage_service_perms;
-
-	ps_process_pattern($1, lsmd_t)
-')
-
+## <summary>Storage array management library.</summary>
 
 ########################################
 ## <summary>
 ##	All of the rules required to administrate
-##	an lsmd environment
+##	an lsmd environment.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -82,9 +19,7 @@ interface(`lsmd_systemctl',`
 #
 interface(`lsmd_admin',`
 	gen_require(`
-		type lsmd_t;
-		type lsmd_var_run_t;
-	type lsmd_unit_file_t;
+		type lsmd_t, type lsmd_var_run_t;
 	')
 
 	allow $1 lsmd_t:process { ptrace signal_perms };
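Review bot: `type lsmd_t, type lsmd_var_run_t;` repeats the `type` keyword inside a single declaration, which is a syntax error in gen_require(); it should be `type lsmd_t, lsmd_var_run_t;`, the form used in the redis_admin() hunk in this thread.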
@@ -92,12 +27,4 @@ interface(`lsmd_admin',`
 
 	files_search_pids($1)
 	admin_pattern($1, lsmd_var_run_t)
-
-	lsmd_systemctl($1)
-	admin_pattern($1, lsmd_unit_file_t)
-	allow $1 lsmd_unit_file_t:service all_service_perms;
-	optional_policy(`
-		systemd_passwd_agent_exec($1)
-		systemd_read_fifo_file_passwd_run($1)
-	')
 ')

diff --git a/policy/modules/contrib/lsm.te b/policy/modules/contrib/lsm.te
index 14fe4d7..7f0ca47 100644
--- a/policy/modules/contrib/lsm.te
+++ b/policy/modules/contrib/lsm.te
@@ -12,15 +12,12 @@ init_daemon_domain(lsmd_t, lsmd_exec_t)
 type lsmd_var_run_t;
 files_pid_file(lsmd_var_run_t)
 
-type lsmd_unit_file_t;
-systemd_unit_file(lsmd_unit_file_t)
-
 ########################################
 #
-# lsmd local policy
+# Local policy
 #
-allow lsmd_t self:capability { setgid  };
-allow lsmd_t self:process { fork };
+
+allow lsmd_t self:capability setgid;
 allow lsmd_t self:unix_stream_socket create_stream_socket_perms;
 
 manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)


