From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1384177428.88bdb45627be10d49a73fc5bf56faf7a89352852.swift@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/colord.te policy/modules/contrib/cups.if X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: swift X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 88bdb45627be10d49a73fc5bf56faf7a89352852 X-VCS-Branch: master Date: Mon, 11 Nov 2013 13:45:52 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 920ea919-04e1-4e5a-8f25-be4ffb34b7eb X-Archives-Hash: fb53b3a3af6025d9fff86d698734139d commit: 88bdb45627be10d49a73fc5bf56faf7a89352852 Author: Dominick Grift gmail com> AuthorDate: Sun Sep 29 17:06:26 2013 +0000 Commit: Sven Vermeulen gentoo org> CommitDate: Mon Nov 11 13:43:48 2013 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=88bdb456 colord: colord reads /proc/3412/cmdline (cupsd state files) Signed-off-by: Dominick Grift gmail.com> --- policy/modules/contrib/colord.te | 1 + policy/modules/contrib/cups.if | 20 ++++++++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/policy/modules/contrib/colord.te b/policy/modules/contrib/colord.te index 56e88b9..9f2dfb2 100644 --- a/policy/modules/contrib/colord.te +++ b/policy/modules/contrib/colord.te @@ -117,6 +117,7 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` cups_read_config(colord_t) cups_read_rw_config(colord_t) + cups_read_state(colord_t) cups_stream_connect(colord_t) cups_dbus_chat(colord_t) ') diff --git a/policy/modules/contrib/cups.if b/policy/modules/contrib/cups.if index 06da9a0..3023be7 100644 
--- a/policy/modules/contrib/cups.if +++ b/policy/modules/contrib/cups.if @@ -306,6 +306,26 @@ interface(`cups_stream_connect_ptal',` ######################################## ## +## Read the process state (/proc/pid) of cupsd. +## +## +## +## Domain allowed access. +## +## +# +interface(`cups_read_state',` + gen_require(` + type cupsd_t; + ') + + allow $1 cupsd_t:dir search_dir_perms; + allow $1 cupsd_t:file read_file_perms; + allow $1 cupsd_t:lnk_file read_lnk_file_perms; +') + +######################################## +## ## All of the rules required to ## administrate an cups environment. ##
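Review bot: The added `cups_read_state(colord_t)` line in the colord.te `optional_policy` block carries no comment saying why colord needs cupsd's process state, and the commit subject cites only one observed access, /proc/3412/cmdline. The interface it calls grants read on every file and symlink labeled cupsd_t under /proc/pid, not only cmdline, so a one-line comment above the call naming the observed access would let a later audit judge whether the grant is still needed.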
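Review bot: In the new `cups_read_state` interface in cups.if, the three allow rules cover only objects labeled cupsd_t, so the interface does not by itself let the caller search /proc to reach the /proc/pid directory; it relies on the calling domain already having that access. Consider adding `kernel_search_proc($1)` ahead of the allow rules, or stating the dependency in the interface summary, so that other callers of the interface do not end up with a partial grant.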