[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/, policy/modules/system/

public inbox for gentoo-commits@lists.gentoo.org
 help / color / mirror / Atom feed

* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/, policy/modules/system/
@ 2014-01-19 19:01 Sven Vermeulen
  0 siblings, 0 replies; 2+ messages in thread
From: Sven Vermeulen @ 2014-01-19 19:01 UTC (permalink / raw
  To: gentoo-commits

commit:     31c16ae39dcbe87ab68d96660e42f1bc3fd83cec
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Wed Jan 15 15:13:18 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jan 19 18:57:01 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=31c16ae3

Apply direct_initrc to unconfined_r:unconfined_t

Make it consistent with sysadm_r:sysadm_t.

If you build targeted policy then consider direct_initrc=y

If you build with direct_initrc=n then both unconfined_r:unconfined_t,
as well as sysadm_r:sysadm_t rely on run_init for running services on
behalf of the system.

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/system/unconfined.te | 14 +++++++++-----
 policy/users                        |  6 +++++-
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index d6dcf37..dade731 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -33,8 +33,6 @@ files_create_boot_flag(unconfined_t)
 mcs_killall(unconfined_t)
 mcs_ptrace_all(unconfined_t)
 
-init_run_daemon(unconfined_t, unconfined_r)
-
 libs_run_ldconfig(unconfined_t, unconfined_r)
 
 logging_send_syslog_msg(unconfined_t)
@@ -49,9 +47,15 @@ unconfined_domain(unconfined_t)
 
 userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
 
-ifdef(`distro_gentoo',`
-	seutil_run_runinit(unconfined_t, unconfined_r)
-	seutil_init_script_run_runinit(unconfined_t, unconfined_r)
+ifdef(`direct_sysadm_daemon',`
+        optional_policy(`
+                init_run_daemon(unconfined_t, unconfined_r)
+        ')
+',`
+        ifdef(`distro_gentoo',`
+                seutil_run_runinit(unconfined_t, unconfined_r)
+                seutil_init_script_run_runinit(unconfined_t, unconfined_r)
+        ')
 ')
 
 optional_policy(`

diff --git a/policy/users b/policy/users
index c4ebc7e..ca20375 100644
--- a/policy/users
+++ b/policy/users
@@ -29,7 +29,11 @@ gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_
 gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 
 # Until order dependence is fixed for users:
-gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ifdef(`direct_sysadm_daemon',`
+        gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+',`
+        gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+')
 
 #
 # The following users correspond to Unix identities.


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/, policy/modules/system/
@ 2016-08-13 18:32 Jason Zaman
  0 siblings, 0 replies; 2+ messages in thread
From: Jason Zaman @ 2016-08-13 18:32 UTC (permalink / raw
  To: gentoo-commits

commit:     15c72c7459aa4dbc7912543b85f5631677a2a957
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Sun Jul 31 09:16:36 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=15c72c74

user_udp_server tunable

The following patch adds a tunable user_udp_server for the user domains to
run UDP services.

 policy/global_tunables              | 8 ++++++++
 policy/modules/system/userdomain.if | 7 +++++++
 2 files changed, 15 insertions(+)

diff --git a/policy/global_tunables b/policy/global_tunables
index 4705ab6..affc020 100644
--- a/policy/global_tunables
+++ b/policy/global_tunables
@@ -111,3 +111,11 @@ gen_tunable(use_samba_home_dirs,false)
 ## </p>
 ## </desc>
 gen_tunable(user_tcp_server,false)
+
+## <desc>
+## <p>
+## Allow users to run UDP servers (bind to ports and accept connection from
+## the same domain and outside users)
+## </p>
+## </desc>
+gen_tunable(user_udp_server,false)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index b04d149..9c40ce1 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1069,6 +1069,13 @@ template(`userdom_unpriv_user_template', `
 		corenet_tcp_bind_generic_port($1_t)
 	')
 
+	# Allow users to run UDP servers (bind to ports and accept connection from
+	# the same domain and outside users)
+	tunable_policy(`user_udp_server',`
+		corenet_udp_bind_generic_node($1_t)
+		corenet_udp_bind_generic_port($1_t)
+	')
+
 	optional_policy(`
 		netutils_run_ping_cond($1_t, $1_r)
 		netutils_run_traceroute_cond($1_t, $1_r)


^ permalink raw reply related	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2016-08-13 18:32 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-01-19 19:01 [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/, policy/modules/system/ Sven Vermeulen
  -- strict thread matches above, loose matches on Subject: below --
2016-08-13 18:32 Jason Zaman

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox