From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (unknown [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id D0F501381FA for ; Sun, 18 May 2014 11:03:42 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 494B0E0BF0; Sun, 18 May 2014 11:03:42 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id D22F4E0BF0 for ; Sun, 18 May 2014 11:03:41 +0000 (UTC) Received: from spoonbill.gentoo.org (unknown [81.93.255.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id F353D340215 for ; Sun, 18 May 2014 11:03:40 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by spoonbill.gentoo.org (Postfix) with ESMTP id 907721818D for ; Sun, 18 May 2014 11:03:39 +0000 (UTC) 
From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1400410914.e272b12c0e2345b698444b24675566a014e0ae75.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/cachefilesd.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: e272b12c0e2345b698444b24675566a014e0ae75
X-VCS-Branch: master
Date: Sun, 18 May 2014 11:03:39 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 80c44160-ef58-494f-b556-0e31fde4d185
X-Archives-Hash: 25949544281bad44e3b126062314afb8

commit:     e272b12c0e2345b698444b24675566a014e0ae75
Author:     Sven Vermeulen siphos be>
AuthorDate: Sun May 18 11:01:54 2014 +0000
Commit:     Sven Vermeulen gentoo org>
CommitDate: Sun May 18 11:01:54 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e272b12c

Introduce cachefilesd_kernel_t for cachefiles

When the Linux kernel is acting for cachefilesd, it does so through the
defined context. As the module is called cachefilesd, we call it
cachefilesd_kernel_t (unlike fedora, which uses cachefiles_kernel_t).

Port changes from fedora to use the kernel_service class into this module
as well.

---
 policy/modules/contrib/cachefilesd.te | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/policy/modules/contrib/cachefilesd.te b/policy/modules/contrib/cachefilesd.te
index a3760bc..353aa85 100644
--- a/policy/modules/contrib/cachefilesd.te
+++ b/policy/modules/contrib/cachefilesd.te
@@ -50,3 +50,34 @@ init_dontaudit_use_script_ptys(cachefilesd_t) optional_policy(` rpm_use_script_fds(cachefilesd_t) ') + +ifdef(`distro_gentoo',` + type cachefilesd_kernel_t; + domain_type(cachefilesd_kernel_t) + domain_obj_id_change_exemption(cachefilesd_kernel_t) + role system_r types cachefilesd_kernel_t; + + # CacheFiles tells the Linux kernel for which security context + # it should act to begin caching. + + # Allow cachefilesd_t to tell the kernel to use cachefilesd_kernel_t) + allow cachefilesd_t cachefilesd_kernel_t:kernel_service { use_as_override }; + + # Allow cachefilesd_t to tell the kernel to write files as cachefilesd_cache_t + allow cachefilesd_t cachefilesd_cache_t:kernel_service { create_files_as }; + + ########################################## + # + # cachefilesd_kernel_t policy + # + allow cachefilesd_kernel_t self:capability { dac_override dac_read_search }; + + manage_dirs_pattern(cachefilesd_kernel_t, cachefilesd_cache_t, cachefilesd_cache_t) + manage_files_pattern(cachefilesd_kernel_t, cachefilesd_cache_t, cachefilesd_cache_t) + + fs_getattr_xattr_fs(cachefilesd_kernel_t) + + dev_search_sysfs(cachefilesd_kernel_t) + + init_sigchld_script(cachefilesd_kernel_t) +')
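Review bot: the comment above the first allow rule, "# Allow cachefilesd_t to tell the kernel to use cachefilesd_kernel_t)", carries a stray closing parenthesis; drop it. The capability grant "allow cachefilesd_kernel_t self:capability { dac_override dac_read_search };" has no comment saying which access on the cache tree needs it, and dac_override is the broader of the two; documenting the motivating denial would let a later reviewer judge whether dac_read_search alone is enough. Since the whole block is wrapped in ifdef(`distro_gentoo', ...) while the commit message says the naming deliberately diverges from fedora's cachefiles_kernel_t, a one-line comment next to the ifdef explaining why the type is Gentoo-only would make the divergence from upstream easier to track.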
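The commit message explains that the kernel acts for cachefilesd under a separately defined context, and the rules grant that via the kernel_service class (use_as_override and create_files_as). When reviewing such a change it helps to audit which domains are allowed to ask the kernel to act as another type. The following is an added example, not code from the commit or the refpolicy project: a small Python parser for plain "allow" statements in a .te fragment, run over a constructed sample that reproduces the rules added above, with a check that flags any source domain holding use_as_override that is not on an expected list. The parser only handles single allow rules with a brace-delimited or single permission; interface macros such as manage_files_pattern() are ignored, which is an assumption stated here.

```python
import re
from collections import defaultdict

# Constructed sample input: the type-enforcement rules added by the commit,
# reproduced here as data so the example runs offline.
SAMPLE_TE = """
ifdef(`distro_gentoo',`
	type cachefilesd_kernel_t;
	domain_type(cachefilesd_kernel_t)
	role system_r types cachefilesd_kernel_t;

	allow cachefilesd_t cachefilesd_kernel_t:kernel_service { use_as_override };
	allow cachefilesd_t cachefilesd_cache_t:kernel_service { create_files_as };

	allow cachefilesd_kernel_t self:capability { dac_override dac_read_search };
')
"""

# Matches "allow SRC TGT:CLASS { perm perm ... };" or "allow SRC TGT:CLASS perm;".
# Interface macro calls (manage_files_pattern, dev_search_sysfs, ...) are not
# expanded; this parser only sees literal allow rules.
ALLOW_RE = re.compile(r'^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;', re.M)


def parse_allow_rules(text):
    """Return a list of (source, target, class, perms) tuples from a .te fragment."""
    rules = []
    for m in ALLOW_RE.finditer(text):
        src, tgt, cls, perms = m.groups()
        perm_list = tuple(sorted(perms.strip('{}').split()))
        rules.append((src, tgt, cls, perm_list))
    return rules


def kernel_service_grants(rules):
    """Map source domain -> {target type: perms} for kernel_service rules only."""
    grants = defaultdict(dict)
    for src, tgt, cls, perms in rules:
        if cls == 'kernel_service':
            grants[src][tgt] = perms
    return dict(grants)


def unexpected_use_as_override(rules, expected_sources):
    """List (source, target) pairs where a domain outside expected_sources may
    ask the kernel to act as the target type via use_as_override."""
    findings = []
    for src, tgt, cls, perms in rules:
        if cls == 'kernel_service' and 'use_as_override' in perms \
                and src not in expected_sources:
            findings.append((src, tgt))
    return findings


def capabilities_of(rules, domain):
    """Return the capability permissions a domain grants itself."""
    caps = set()
    for src, tgt, cls, perms in rules:
        if src == domain and tgt == 'self' and cls == 'capability':
            caps.update(perms)
    return caps


if __name__ == '__main__':
    parsed = parse_allow_rules(SAMPLE_TE)
    for src, targets in kernel_service_grants(parsed).items():
        for tgt, perms in targets.items():
            print(f"{src} -> {tgt}: {' '.join(perms)}")
    print("kernel-side capabilities:",
          ' '.join(sorted(capabilities_of(parsed, 'cachefilesd_kernel_t'))))
    # With cachefilesd_t on the expected list, nothing is flagged.
    print("unexpected:", unexpected_use_as_override(parsed, {'cachefilesd_t'}))
```

Running the script on a full module rather than the embedded sample (replace SAMPLE_TE with the file contents) gives a quick inventory of every domain that can redirect kernel activity into another type, which is the part of this change most worth a second look.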