public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/roles/
@ 2013-12-06 17:33 Sven Vermeulen
From: Sven Vermeulen @ 2013-12-06 17:33 UTC
  To: gentoo-commits

commit:     00a438efc9971aa614dd7514b3c794e520ca692d
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Sat Nov  9 09:45:16 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec  6 17:31:22 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=00a438ef

users: calls pulseaudio_role() for restricted xwindows users and staff_t/user_t

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/roles/staff.te       | 4 ++++
 policy/modules/roles/unprivuser.te  | 4 ++++
 policy/modules/system/userdomain.if | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 29720e4..7cb50df 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -86,6 +86,10 @@ ifndef(`distro_redhat',`
 		optional_policy(`
 			gnome_role_template(staff, staff_r, staff_t)
 		')
+
+		optional_policy(`
+			pulseaudio_role(staff_r, staff_t)
+		')
 	')
 
 	optional_policy(`
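Review bot: the new optional_policy block sits inside the ifndef(`distro_redhat',` conditional shown in the hunk header, so Red Hat builds of staff.te get no pulseaudio_role(staff_r, staff_t) at all; that mirrors the gnome_role_template placement directly above it, but the commit message says only "staff_t/user_t" and should state that the grant is distro-conditional. The same applies to the unprivuser.te hunk below.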

diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 484faf4..df39f6e 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -59,6 +59,10 @@ ifndef(`distro_redhat',`
 		optional_policy(`
 			gnome_role_template(user, user_r, user_t)
 		')
+
+		optional_policy(`
+			pulseaudio_role(user_r, user_t)
+		')
 	')
 
 	optional_policy(`

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 027a04f..9aeac69 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -970,6 +970,10 @@ template(`userdom_restricted_xwindows_user_template',`
 			gnome_role_template($1, $1_r, $1_t)
 			wm_role_template($1, $1_r, $1_t)
 		')
+
+		optional_policy(`
+			pulseaudio_role($1_r, $1_t)
+		')
 	')
 
 	optional_policy(`


^ permalink raw reply related	[flat|nested] 9+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/roles/
@ 2014-09-21 14:04 Sven Vermeulen
From: Sven Vermeulen @ 2014-09-21 14:04 UTC
  To: gentoo-commits

commit:     2e1248b773552252b513c39d806a4da0baf28a97
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Sep 17 18:00:08 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 21 14:02:18 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2e1248b7

Module version bump for CIL fixes from Yuli Khodorkovskiy.

---
 policy/modules/roles/auditadm.te    | 2 +-
 policy/modules/roles/staff.te       | 2 +-
 policy/modules/roles/sysadm.te      | 2 +-
 policy/modules/roles/unprivuser.te  | 2 +-
 policy/modules/system/userdomain.te | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
index 9275a2d..cec5b2b 100644
--- a/policy/modules/roles/auditadm.te
+++ b/policy/modules/roles/auditadm.te
@@ -1,4 +1,4 @@
-policy_module(auditadm, 2.2.0)
+policy_module(auditadm, 2.2.1)
 
 ########################################
 #

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 631c70b..8081d0b 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -1,4 +1,4 @@
-policy_module(staff, 2.5.1)
+policy_module(staff, 2.5.2)
 
 ########################################
 #

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index e4ae74e..af9d2cf 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1,4 +1,4 @@
-policy_module(sysadm, 2.7.1)
+policy_module(sysadm, 2.7.2)
 
 ########################################
 #

diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 5d89d99..c0d6204 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -1,4 +1,4 @@
-policy_module(unprivuser, 2.5.1)
+policy_module(unprivuser, 2.5.2)
 
 # this module should be named user, but that is
 # a compile error since user is a keyword.

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 912849c..2614b91 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.10.2)
+policy_module(userdomain, 4.10.3)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/roles/
@ 2014-09-21 14:04 Sven Vermeulen
From: Sven Vermeulen @ 2014-09-21 14:04 UTC
  To: gentoo-commits

commit:     40c1924391dda3a767afbd9c10d19183b5b2bb0e
Author:     Yuli Khodorkovskiy <ykhodorkovskiy <AT> tresys <DOT> com>
AuthorDate: Mon Sep 15 17:22:27 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 21 14:02:16 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=40c19243

Remove duplicate role declarations

-This patch is needed since CIL does not allow duplicate
role declarations. The roles for system_r, staff_r, sysadm_r, and
user_r were already declared in kernel.te. Since the roles are
pulled in from require statements in the appropriate interfaces,
the duplicate role declarations could be deleted in modules for
auditadm, staff, sysadm, and userdomain.

-Move a role declaration that used an argument passed into the
userdom_base_user_template into a gen_require statement.

---
 policy/modules/roles/auditadm.te    | 1 -
 policy/modules/roles/staff.te       | 2 +-
 policy/modules/roles/sysadm.te      | 2 +-
 policy/modules/roles/unprivuser.te  | 2 +-
 policy/modules/system/userdomain.if | 2 +-
 5 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
index 834a065..9275a2d 100644
--- a/policy/modules/roles/auditadm.te
+++ b/policy/modules/roles/auditadm.te
@@ -6,7 +6,6 @@ policy_module(auditadm, 2.2.0)
 #
 
 role auditadm_r;
-role system_r;
 userdom_unpriv_user_template(auditadm)
 
 ########################################

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 27b49b1..631c70b 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -5,7 +5,7 @@ policy_module(staff, 2.5.1)
 # Declarations
 #
 
-role staff_r;
+#role staff_r;
 
 userdom_unpriv_user_template(staff)
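Review bot: `#role staff_r;` leaves the declaration behind as a comment instead of deleting it, and the sysadm.te and unprivuser.te hunks below do the same, whereas auditadm.te in this patch removes `role system_r;` outright; delete the line in all three, since the commit message establishes kernel.te as the place these roles are declared and a commented-out declaration only invites someone to uncomment it and reintroduce the CIL duplicate-declaration error.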
 

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 6265657..e4ae74e 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -12,7 +12,7 @@ policy_module(sysadm, 2.7.1)
 ## </desc>
 gen_tunable(allow_ptrace, false)
 
-role sysadm_r;
+#role sysadm_r;
 
 userdom_admin_user_template(sysadm)
 

diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 27431c7..5d89d99 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -8,7 +8,7 @@ policy_module(unprivuser, 2.5.1)
 # Declarations
 #
 
-role user_r;
+#role user_r;
 
 userdom_unpriv_user_template(user)
 

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 08139d9..16a95cc 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -27,6 +27,7 @@ template(`userdom_base_user_template',`
 		attribute userdomain;
 		type user_devpts_t, user_tty_device_t;
 		class context contains;
+		role $1_r;
 	')
 
 	attribute $1_file_type;
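Review bot: moving `role $1_r;` into gen_require changes the template from declaring the role to requiring it, so every caller must now declare $1_r itself before invoking userdom_base_user_template (auditadm.te in this patch still does, with `role auditadm_r;`; staff, sysadm and user rely on the declarations in kernel.te per the commit message). That contract should be stated in the template's XML description, otherwise a new role module written to the old pattern will fail at link time with an undeclared role.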
@@ -37,7 +38,6 @@ template(`userdom_base_user_template',`
 	corecmd_bin_entry_type($1_t)
 	domain_user_exemption_target($1_t)
 	ubac_constrained($1_t)
-	role $1_r;
 	role $1_r types $1_t;
 	allow system_r $1_r;
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/roles/
@ 2015-06-09 13:33 Jason Zaman
From: Jason Zaman @ 2015-06-09 13:33 UTC
  To: gentoo-commits

commit:     8a2e9526fe60459f6ce9b81530da19d86bae4ca4
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Jun  8 20:38:21 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jun  9 13:06:34 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8a2e9526

Introduce iptables_admin

 policy/modules/roles/sysadm.te    |  1 +
 policy/modules/system/iptables.if | 39 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 4cfb014..9169215 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -178,6 +178,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	iptables_admin(sysadm_t, sysadm_r)
 	iptables_run(sysadm_t, sysadm_r)
 ')
 

diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index c42fbc3..26ce647 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -163,3 +163,42 @@ interface(`iptables_manage_config',`
 	files_search_etc($1)
 	manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
 ')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an iptables
+##	environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`iptables_admin',`
+	gen_require(`
+		type iptables_t, iptables_initrc_exec_t, iptables_conf_t;
+		type iptables_tmp_t, iptables_var_run_t;
+	')
+
+	allow $1 iptables_t:process { ptrace signal_perms };
+	ps_process_pattern($1, iptables_t)
+
+	init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t)
+
+	files_list_etc($1)
+	admin_pattern($1, iptables_conf_t)
+
+	files_list_tmp($1)
+	admin_pattern($1, iptables_tmp_t)
+
+	files_list_pids($1)
+	admin_pattern($1, iptables_var_run_t)
+')
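Review bot: `allow $1 iptables_t:process { ptrace signal_perms };` grants ptrace over iptables_t unconditionally, whereas sysadm.te (see the earlier patch in this thread) gates its broad ptrace access behind the allow_ptrace tunable; this follows the usual refpolicy *_admin pattern, so it is acceptable, but the interface summary should say that the domain gets ptrace and signal rights over iptables_t, not only file administration. Also, the body uses files_list_etc($1), files_list_tmp($1) and files_list_pids($1) while iptables_manage_config just above uses files_search_etc($1); pick one convention (search is the narrower grant, list also allows reading the directory) so the two interfaces are consistent.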



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/roles/
  2015-08-02 19:06 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-07-31 14:15 ` Jason Zaman
From: Jason Zaman @ 2015-07-31 14:15 UTC
  To: gentoo-commits

commit:     c7833ecb2f3fe1c42ec15a2245803980bcb5109f
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jul 11 09:15:44 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jul 30 16:41:27 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c7833ecb

Introduce lvm_admin interface

 policy/modules/roles/sysadm.te |  1 +
 policy/modules/system/lvm.if   | 44 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 45 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index e0442db..1ee88cd 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -578,6 +578,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	lvm_admin(sysadm_t, sysadm_r)
 	lvm_run(sysadm_t, sysadm_r)
 ')
 

diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index 58bc27f..86b223c 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -123,3 +123,47 @@ interface(`lvm_domtrans_clvmd',`
 	corecmd_search_bin($1)
 	domtrans_pattern($1, clvmd_exec_t, clvmd_t)
 ')
+
+######################################
+## <summary>
+##	All of the rules required to
+##	administrate an lvm environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`lvm_admin',`
+	gen_require(`
+		type clvmd_t, clvmd_exec_t, clvmd_initrc_exec_t;
+		type lvm_etc_t, lvm_lock_t, lvm_metadata_t;
+		type lvm_var_lib_t, lvm_var_run_t, clvmd_var_run_t, lvm_tmp_t;
+	')
+
+	allow $1 clvmd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, clvmd_t)
+
+	init_startstop_service($1, $2, clvmd_t, clvmd_initrc_exec_t)
+
+	files_search_etc($1)
+	admin_pattern($1, lvm_etc_t)
+
+	files_search_locks($1)
+	admin_pattern($1, lvm_lock_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, lvm_var_lib_t)
+
+	files_search_pids($1)
+	admin_pattern($1, { lvm_var_run_t clvmd_var_run_t })
+
+	files_search_tmp($1)
+	admin_pattern($1, lvm_tmp_t)
+')
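Review bot: gen_require lists clvmd_exec_t and lvm_metadata_t, but no rule in the body references either type, so drop them from the require block; a stale requirement only adds coupling to types the interface does not use. The XML header also lacks the `## <rolecap/>` tag that iptables_admin (earlier in this thread) carries, even though lvm_admin takes a role parameter and passes it to init_startstop_service, and the `######` separator line is two characters shorter than the 40-column banner used in the rest of the file.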



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/roles/
@ 2016-03-11 17:20 Jason Zaman
From: Jason Zaman @ 2016-03-11 17:20 UTC
  To: gentoo-commits

commit:     88e2b31ca43dca81887800346b3a66194f101815
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Mar  8 13:52:25 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Mar 11 17:15:38 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=88e2b31c

Module version bump for tboot utils from Luis Ressel and systemd fix from Jason Zaman.

Update contrib.

 policy/modules/roles/sysadm.te | 2 +-
 policy/modules/system/init.te  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 2426d84..6c46905 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1,4 +1,4 @@
-policy_module(sysadm, 2.9.0)
+policy_module(sysadm, 2.9.1)
 
 ########################################
 #

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 1f59e2a..8e8c163 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.0.2)
+policy_module(init, 2.0.3)
 
 gen_require(`
 	class passwd rootok;



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/roles/
@ 2016-05-13  5:37 Jason Zaman
From: Jason Zaman @ 2016-05-13  5:37 UTC
  To: gentoo-commits

commit:     8e0eff5279a8f7dc13708530d047efbd29d5f52b
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon May  2 12:32:42 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri May 13 05:08:43 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8e0eff52

Module version bump for hwloc-dump-hwdata from Dominick Grift and Grzegorz Andrejczuk.

 policy/modules/roles/sysadm.te      | 2 +-
 policy/modules/system/userdomain.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index e9e3e43..aa85384 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1,4 +1,4 @@
-policy_module(sysadm, 2.9.1)
+policy_module(sysadm, 2.9.2)
 
 ########################################
 #

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index c6b9fc3..2a36851 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.11.0)
+policy_module(userdomain, 4.11.1)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/roles/
@ 2017-09-17  4:21 Jason Zaman
From: Jason Zaman @ 2017-09-17  4:21 UTC
  To: gentoo-commits

commit:     49d93dd3845f17a8e9bd86c6f17697abedd0c000
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Sep 14 21:21:56 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 17 03:17:39 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=49d93dd3

sysadm,fstools: Module version bump.

 policy/modules/roles/sysadm.te   | 2 +-
 policy/modules/system/fstools.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index a6e7ba61..47179088 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1,4 +1,4 @@
-policy_module(sysadm, 2.12.0)
+policy_module(sysadm, 2.12.1)
 
 ########################################
 #

diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index e0f72464..6459f17d 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -1,4 +1,4 @@
-policy_module(fstools, 1.21.0)
+policy_module(fstools, 1.21.1)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/roles/
@ 2019-03-26 10:17 Jason Zaman
From: Jason Zaman @ 2019-03-26 10:17 UTC
  To: gentoo-commits

commit:     a7ec244c351f1fcccd2547b2b94554b29b69c07a
Author:     Sugar, David <dsugar <AT> tresys <DOT> com>
AuthorDate: Fri Mar 15 02:27:10 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Mar 25 10:05:25 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a7ec244c

Separate out udevadm into a new domain

This is the update I have made based on suggestions for the previous
patches to add a udev_run interface.  This adds the new domain udevadm_t
which is entered from /usr/bin/udevadm.

It seems to meet the needs that I have, but there are some things to
note that are probably important.
1) There are a few systemd services that use udevadm during startup.
   I have granted the permissions that I need based on denials I was
   seeing during startup (the machine would fail to start without the
   permissions).
2) In the udev.fc file there are other binaries that I don't have on a
   RHEL7 box that maybe should also be labeled udevadm_exec_t.
   e.g. /usr/bin/udevinfo and /usr/bin/udevsend
   But as I don't have those binaries to test, I have not updated the
   type of that binary.
3) There are some places that call udev_domtrans that maybe should now
   be using udevadm_domtrans - rpm.te, hal.te, hotplug.te.  Again,
   these are not things that I am using in my current situation and am
   unable to test the interactions to know if the change is correct.

Other than that, I think this was a good suggestion to split udevadm
into a different domain.

Only change for v4 is to use stream_connect_pattern as suggested.

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/roles/sysadm.te |  4 +++
 policy/modules/system/udev.fc  |  4 +--
 policy/modules/system/udev.if  | 62 ++++++++++++++++++++++++++++++++++++++++++
 policy/modules/system/udev.te  | 40 ++++++++++++++++++++++++++-
 4 files changed, 107 insertions(+), 3 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index b600e379..6827561f 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1140,6 +1140,10 @@ optional_policy(`
 	tzdata_domtrans(sysadm_t)
 ')
 
+optional_policy(`
+	udevadm_run(sysadm_t, sysadm_r)
+')
+
 optional_policy(`
 	ulogd_admin(sysadm_t, sysadm_r)
 ')

diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 84705e32..7e27287e 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -10,7 +10,7 @@
 /etc/udev/scripts/.+ --	gen_context(system_u:object_r:udev_helper_exec_t,s0)
 
 /usr/bin/udev		--	gen_context(system_u:object_r:udev_exec_t,s0)
-/usr/bin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/bin/udevadm	--	gen_context(system_u:object_r:udevadm_exec_t,s0)
 /usr/bin/udevd		--	gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/bin/udevinfo	--	gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/bin/udevsend	--	gen_context(system_u:object_r:udev_exec_t,s0)
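Review bot: relabelling /usr/bin/udevadm to udevadm_exec_t means any domain that only has udev_domtrans (the commit message names rpm.te, hal.te and hotplug.te) will no longer be allowed to execute udevadm, since udev_domtrans keys its transition on udev_exec_t; those callers need udevadm_domtrans or udevadm_exec, and the follow-up should be tracked before this merges. /usr/bin/udevinfo and /usr/bin/udevsend are intentionally left as udev_exec_t per the message; an inline comment saying so would stop a later "fix" from relabelling them blindly.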
@@ -22,7 +22,7 @@ ifdef(`distro_debian',`
 ')
 
 /usr/sbin/udev		--	gen_context(system_u:object_r:udev_exec_t,s0)
-/usr/sbin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/sbin/udevadm	--	gen_context(system_u:object_r:udevadm_exec_t,s0)
 /usr/sbin/udevd		--	gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/sbin/udevsend	--	gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/sbin/udevstart	--	gen_context(system_u:object_r:udev_exec_t,s0)

diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 2ecdf5f0..fc8577bd 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -518,6 +518,68 @@ interface(`udev_generic_pid_filetrans_run_dirs',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
+########################################
+## <summary>
+##	Execute udev admin in the udevadm domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`udevadm_domtrans',`
+	gen_require(`
+		type udevadm_t, udevadm_exec_t;
+	')
+
+	domtrans_pattern($1, udevadm_exec_t, udevadm_t)
+')
+
+########################################
+## <summary>
+##	Execute udevadm in the udevadm domain, and
+##	allow the specified role the udevadm domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`udevadm_run',`
+	gen_require(`
+		attribute_role udevadm_roles;
+	')
+
+	udevadm_domtrans($1)
+	roleattribute $2 udevadm_roles;
+')
+
+########################################
+## <summary>
+##	Execute udevadm in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`udevadm_exec',`
+	gen_require(`
+		type udevadm_exec_t;
+	')
+
+	can_exec($1, udevadm_exec_t)
+')
+
 # Gentoo specific but cannot add it within an ifdef distro_gentoo
 
 #########################################
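Review bot: the three new interfaces are named udevadm_domtrans, udevadm_run and udevadm_exec but live in udev.if; refpolicy keeps the module name as the prefix for interfaces in a module's .if file (compare lvm_domtrans_clvmd in lvm.if earlier in this thread), so udev_domtrans_udevadm, udev_run_udevadm and udev_exec_udevadm would match the convention. Also the udevadm_domtrans summary reads "Execute udev admin in the udevadm domain" while the other two say "udevadm"; make the wording consistent.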

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 8149ea9a..77503764 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -4,6 +4,7 @@ policy_module(udev, 1.25.1)
 #
 # Declarations
 #
+attribute_role udevadm_roles;
 
 type udev_t;
 type udev_exec_t;
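Review bot: `attribute_role udevadm_roles;` is inserted directly under the `#` line that closes the Declarations banner with no blank line before it, while the existing declarations (`type udev_t;` and following) are separated from the banner by one; add the blank line, or move the attribute next to the udevadm_t declarations in the following hunk where it is used.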
@@ -15,6 +16,12 @@ domain_interactive_fd(udev_t)
 init_daemon_domain(udev_t, udev_exec_t)
 init_named_socket_activation(udev_t, udev_var_run_t)
 
+type udevadm_t;
+type udevadm_exec_t;
+init_system_domain(udevadm_t, udevadm_exec_t)
+application_domain(udevadm_t, udevadm_exec_t)
+role udevadm_roles types udevadm_t;
+
 type udev_etc_t alias etc_udev_t;
 files_config_file(udev_etc_t)
 
@@ -35,7 +42,7 @@ ifdef(`enable_mcs',`
 
 ########################################
 #
-# Local policy
+# udev Local policy
 #
 
 allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_nice sys_ptrace sys_rawio sys_resource };
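Review bot: the context line `allow udev_t self:capability { ... }` directly below the renamed banner lists sys_nice twice; this is pre-existing and not part of the change, but it is worth a drive-by cleanup while this block is being touched.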
@@ -404,3 +411,34 @@ ifdef(`distro_gentoo',`
 
 	init_domtrans_script(udev_t)
 ')
+
+
+########################################
+#
+# udevadm Local policy
+#
+
+allow udevadm_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow udevadm_t self:unix_stream_socket create_socket_perms;
+
+delete_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
+delete_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
+delete_lnk_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
+list_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
+stream_connect_pattern(udevadm_t, udev_var_run_t, udev_var_run_t, udev_t)
+
+dev_rw_sysfs(udevadm_t)
+dev_read_urand(udevadm_t)
+
+files_read_etc_files(udevadm_t)
+files_read_usr_files(udevadm_t)
+
+init_list_pids(udevadm_t)
+init_read_state(udevadm_t)
+
+kernel_read_system_state(udevadm_t)
+
+libs_use_ld_so(udevadm_t)
+
+seutil_read_file_contexts(udevadm_t)
+
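Review bot: the block adds two blank lines before the `udevadm Local policy` banner (the file uses a single blank line between sections, as between the distro_gentoo ifdef and this banner) and a trailing blank line at end of file (the final `+` line); drop both. The rule set itself matches what the commit message describes, including the stream_connect_pattern(udevadm_t, udev_var_run_t, udev_var_run_t, udev_t) call noted as the only change in v4.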

