From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-646077-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	by finch.gentoo.org (Postfix) with ESMTP id 8264D138247
	for <garchives@archives.gentoo.org>; Fri,  6 Dec 2013 17:48:14 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 0C878E0A9D;
	Fri,  6 Dec 2013 17:48:13 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 94D4DE0AAD
	for <gentoo-commits@lists.gentoo.org>; Fri,  6 Dec 2013 17:48:12 +0000 (UTC)
Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163])
	(using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 6D65D33F451
	for <gentoo-commits@lists.gentoo.org>; Fri,  6 Dec 2013 17:48:11 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1])
	by hornbill.gentoo.org (Postfix) with ESMTP id 1E54BD0878
	for <gentoo-commits@lists.gentoo.org>; Fri,  6 Dec 2013 17:48:10 +0000 (UTC)
From: "Sven Vermeulen" <swift@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" <swift@gentoo.org>
Message-ID: <1386351937.c308e6f1f5a4cf7df16bc154da2d500dfa3703c9.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/system/udev.te
X-VCS-Directories: policy/modules/system/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: c308e6f1f5a4cf7df16bc154da2d500dfa3703c9
X-VCS-Branch: master
Date: Fri,  6 Dec 2013 17:48:10 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: ca5ff0ee-2b4b-4e5d-b4f8-98810b741635
X-Archives-Hash: f0fe7c303b17058d9e92121b5f68f872

commit:     c308e6f1f5a4cf7df16bc154da2d500dfa3703c9
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Dec  6 17:45:37 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec  6 17:45:37 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c308e6f1

Move gentoo specifics to lower part

---
 policy/modules/system/udev.te | 66 +++++++++++++++++++++++++++----------------
 1 file changed, 41 insertions(+), 25 deletions(-)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 2679c85..a7078c4 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -64,10 +64,7 @@ can_exec(udev_t, udev_helper_exec_t)
 # read udev config
 allow udev_t udev_etc_t:file read_file_perms;
 
-allow udev_t udev_tbl_t:dir relabelto;
-manage_dirs_pattern(udev_t, udev_tbl_t, udev_tbl_t)
-manage_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)
-manage_lnk_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)
+allow udev_t udev_tbl_t:file manage_file_perms;
 dev_filetrans(udev_t, udev_tbl_t, file)
 
 list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
@@ -79,24 +76,24 @@ manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 files_pid_filetrans(udev_t, udev_var_run_t, dir, "udev")
 
-kernel_dgram_send(udev_t)
+kernel_read_system_state(udev_t)
+kernel_request_load_module(udev_t)
 kernel_getattr_core_if(udev_t)
-kernel_load_module(udev_t)
+kernel_use_fds(udev_t)
 kernel_read_device_sysctls(udev_t)
 kernel_read_hotplug_sysctls(udev_t)
-kernel_read_kernel_sysctls(udev_t)
 kernel_read_modprobe_sysctls(udev_t)
-kernel_read_network_state(udev_t)
-kernel_read_software_raid_state(udev_t)
-kernel_read_system_state(udev_t)
-kernel_request_load_module(udev_t)
+kernel_read_kernel_sysctls(udev_t)
 kernel_rw_hotplug_sysctls(udev_t)
-#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
-kernel_rw_net_sysctls(udev_t)
 kernel_rw_unix_dgram_sockets(udev_t)
-kernel_search_debugfs(udev_t)
+kernel_dgram_send(udev_t)
 kernel_signal(udev_t)
-kernel_use_fds(udev_t)
+kernel_search_debugfs(udev_t)
+
+#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
+kernel_rw_net_sysctls(udev_t)
+kernel_read_network_state(udev_t)
+kernel_read_software_raid_state(udev_t)
 
 corecmd_exec_all_executables(udev_t)
 
@@ -114,13 +111,12 @@ dev_manage_generic_symlinks(udev_t)
 domain_read_all_domains_state(udev_t)
 domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
 
-files_exec_etc_files(udev_t)
-files_getattr_generic_locks(udev_t)
-files_read_etc_files(udev_t)
-files_read_etc_runtime_files(udev_t)
-files_read_kernel_modules(udev_t)
 files_read_usr_files(udev_t)
+files_read_etc_runtime_files(udev_t)
+files_read_etc_files(udev_t)
+files_exec_etc_files(udev_t)
 files_dontaudit_search_isid_type_dirs(udev_t)
+files_getattr_generic_locks(udev_t)
 files_search_mnt(udev_t)
 
 fs_getattr_all_fs(udev_t)
@@ -178,8 +174,6 @@ sysnet_etc_filetrans_config(udev_t)
 
 userdom_dontaudit_search_user_home_content(udev_t)
 
-udev_pid_filetrans_db(udev_t, dir, "data")
-
 ifdef(`distro_debian',`
 	files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug")
 
@@ -197,12 +191,9 @@ ifdef(`distro_debian',`
 ')
 
 ifdef(`distro_gentoo',`
-	allow udev_t self:capability2 block_suspend;
-
 	# during boot, init scripts use /dev/.rcsysinit
 	# existance to determine if we are in early booting
 	init_getattr_script_status_files(udev_t)
-	init_domtrans_script(udev_t)
 ')
 
 ifdef(`distro_redhat',`
@@ -331,3 +322,28 @@ optional_policy(`
 optional_policy(`
 	xserver_read_xdm_pid(udev_t)
 ')
+
+ifdef(`distro_gentoo',`
+	#################################
+	#
+	# local udev_t policy
+	#
+	allow udev_t self:capability2 block_suspend;
+	allow udev_t udev_tbl_t:dir relabelto;
+
+	manage_dirs_pattern(udev_t, udev_tbl_t, udev_tbl_t)
+	manage_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)
+	manage_lnk_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)
+
+	kernel_load_module(udev_t)
+
+	files_read_etc_files(udev_t)
+	files_read_etc_runtime_files(udev_t)
+	files_read_kernel_modules(udev_t)
+	files_read_usr_files(udev_t)
+	files_dontaudit_search_isid_type_dirs(udev_t)
+
+	udev_pid_filetrans_db(udev_t, dir, "data")
+
+	init_domtrans_script(udev_t)
+')