* [gentoo-commits] proj/hardened-refpolicy:testing commit in: policy/modules/kernel/
@ 2014-08-06 8:59 Sven Vermeulen
From: Sven Vermeulen @ 2014-08-06 8:59 UTC
To: gentoo-commits
commit: 5ab608b73df8c4d2c57522515de0f67c9a09dc9c
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 6 08:55:58 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Aug 6 08:55:58 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5ab608b7
Comment out seutil_relabelto_bin_policy
We comment out the use of the seutil_relabelto_bin_policy call in the
files_relabel_non_auth_files interface. This allows us to set this
interface in a tunable statement, like so:
    seutil_relabelto_bin_policy(foo_t)
    tunable_policy(`foo_relabel_non_auth_files',`
        files_relabel_non_auth_files(foo_t)
    ')
In larger entries, this allows us to have a minimalistic policy (a
domain only allowed to manage and relabel a certain set of file types)
and, through a boolean, enable it to manage and relabel a larger set of
types.
---
policy/modules/kernel/files.if | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 3f20525..ca278d5 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1445,7 +1445,9 @@ interface(`files_relabel_non_auth_files',`
relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
# satisfy the assertions:
- seutil_relabelto_bin_policy($1)
+ # seutil_relabelto_bin_policy($1)
+ # Gentoo: this is removed as we do not want to set attributes in this phase, we want
+ # to allow files_relabel_non_auth_files to be an optional setting (tunable).
')
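Review bot: the "# satisfy the assertions:" comment left at the end of files_relabel_non_auth_files now introduces only commented-out code, so the interface no longer does what that comment says. Either drop the comment together with the call, or reword it and add a line to the interface's documentation header stating that callers must invoke seutil_relabelto_bin_policy themselves, outside any tunable_policy block, as the commit message's example does.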
* [gentoo-commits] proj/hardened-refpolicy:testing commit in: policy/modules/kernel/
@ 2014-08-06 9:06 Sven Vermeulen
From: Sven Vermeulen @ 2014-08-06 9:06 UTC
To: gentoo-commits
commit: da03441669c38c959a7a8657383097fcfabf3fbf
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 6 09:03:57 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Aug 6 09:03:57 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=da034416
Introduce files_manage_non_security_file_type interface
This interface, similar to files_manage_non_auth_files, allows the
domain to manage and work on non-security related file types. No type
attributes are set so this can be used in a tunable_policy statement if
necessary.
Naming based on the attribute used (non_security_file_type).
---
policy/modules/kernel/files.if | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index ca278d5..5d53aa4 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6728,3 +6728,27 @@ interface(`files_read_etc_runtime',`
read_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
read_lnk_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
')
+
+########################################
+## <summary>
+## Manage non-security related resources.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_manage_non_security_file_type',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ manage_dirs_pattern($1, non_security_file_type, non_security_file_type)
+ manage_files_pattern($1, non_security_file_type, non_security_file_type)
+ manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
+ manage_fifo_files_pattern($1, non_security_file_type, non_security_file_type)
+ manage_sock_files_pattern($1, non_security_file_type, non_security_file_type)
+')
+
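Review bot: the summary "Manage non-security related resources." does not say which object classes are covered, and the body grants manage rights for directories, files, symbolic links, fifos and sockets but nothing for block or character device nodes. State the covered classes in the summary so policy authors do not assume device nodes are included.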
* [gentoo-commits] proj/hardened-refpolicy:testing commit in: policy/modules/kernel/
@ 2014-08-06 18:13 Sven Vermeulen
From: Sven Vermeulen @ 2014-08-06 18:13 UTC
To: gentoo-commits
commit: a3557731110822effbdd433dffe24c3fbacdc9d8
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 6 08:55:58 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Aug 6 18:08:37 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a3557731
Comment out seutil_relabelto_bin_policy
We comment out the use of the seutil_relabelto_bin_policy call in the
files_relabel_non_auth_files interface. This allows us to set this
interface in a tunable statement, like so:
    seutil_relabelto_bin_policy(foo_t)
    tunable_policy(`foo_relabel_non_auth_files',`
        files_relabel_non_auth_files(foo_t)
    ')
In larger entries, this allows us to have a minimalistic policy (a
domain only allowed to manage and relabel a certain set of file types)
and, through a boolean, enable it to manage and relabel a larger set of
types.
---
policy/modules/kernel/files.if | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 3f20525..ca278d5 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1445,7 +1445,9 @@ interface(`files_relabel_non_auth_files',`
relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
# satisfy the assertions:
- seutil_relabelto_bin_policy($1)
+ # seutil_relabelto_bin_policy($1)
+ # Gentoo: this is removed as we do not want to set attributes in this phase, we want
+ # to allow files_relabel_non_auth_files to be an optional setting (tunable).
')
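Review bot: removing "seutil_relabelto_bin_policy($1)" changes what every existing caller of files_relabel_non_auth_files receives, yet the diffstat lists files.if as the only file changed. Callers that relied on the interface to satisfy the assertions need their own seutil_relabelto_bin_policy call added in the same change, or the commit message should name the modules that were checked.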
* [gentoo-commits] proj/hardened-refpolicy:testing commit in: policy/modules/kernel/
@ 2014-08-06 18:13 Sven Vermeulen
From: Sven Vermeulen @ 2014-08-06 18:13 UTC
To: gentoo-commits
commit: c59fbdcd0347acb36cb72b2da4e60f553121113b
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 6 09:03:57 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Aug 6 18:08:37 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c59fbdcd
Introduce files_manage_non_security_file_type interface
This interface, similar to files_manage_non_auth_files, allows the
domain to manage and work on non-security related file types. No type
attributes are set so this can be used in a tunable_policy statement if
necessary.
Naming based on the attribute used (non_security_file_type).
---
policy/modules/kernel/files.if | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index ca278d5..5d53aa4 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6728,3 +6728,27 @@ interface(`files_read_etc_runtime',`
read_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
read_lnk_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
')
+
+########################################
+## <summary>
+## Manage non-security related resources.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_manage_non_security_file_type',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ manage_dirs_pattern($1, non_security_file_type, non_security_file_type)
+ manage_files_pattern($1, non_security_file_type, non_security_file_type)
+ manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
+ manage_fifo_files_pattern($1, non_security_file_type, non_security_file_type)
+ manage_sock_files_pattern($1, non_security_file_type, non_security_file_type)
+')
+
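Review bot: the last added line of the hunk is an empty "+" line after the closing "')", and since the hunk has no trailing context it leaves a blank line at the end of files.if. Drop it; the empty line added at the top of the hunk already separates the new interface from files_read_etc_runtime.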
* [gentoo-commits] proj/hardened-refpolicy:testing commit in: policy/modules/kernel/
@ 2014-08-07 12:30 Sven Vermeulen
From: Sven Vermeulen @ 2014-08-07 12:30 UTC
To: gentoo-commits
commit: 5fd609058ca8eec44bac6baf0a510511a79c6bce
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug 7 12:28:11 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Aug 7 12:28:11 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5fd60905
Introduce files_relabel_all_pids
The files_relabel_all_pids allows for relabelfrom/relabelto privileges
on files, symbolic links and directories (for now) of the types
associated with the pidfile attribute, which basically is *_var_run_t
and var_run_t.
---
policy/modules/kernel/files.if | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 5d53aa4..609de1f 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6752,3 +6752,24 @@ interface(`files_manage_non_security_file_type',`
manage_sock_files_pattern($1, non_security_file_type, non_security_file_type)
')
+########################################
+## <summary>
+## Relabel all pidfile resources.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_relabel_all_pids',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ allow $1 pidfile:dir list_dir_perms;
+ relabel_dirs_pattern($1, pidfile, pidfile)
+ relabel_files_pattern($1, pidfile, pidfile)
+ relabel_lnk_files_pattern($1, pidfile, pidfile)
+')
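Review bot: the summary promises "Relabel all pidfile resources." but the body only covers directories, files and symbolic links, so sockets and fifos labelled with a pidfile type are left out. The commit message admits this with "(for now)"; carry that limitation into the summary, or add relabel_sock_files_pattern and relabel_fifo_files_pattern with the same arguments.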
* [gentoo-commits] proj/hardened-refpolicy:testing commit in: policy/modules/kernel/
@ 2014-08-07 12:41 Sven Vermeulen
From: Sven Vermeulen @ 2014-08-07 12:41 UTC
To: gentoo-commits
commit: 9c22729b7ff8064c52b59c5dbe78dfd632a1bf87
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug 7 09:39:37 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Aug 7 09:47:45 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9c22729b
Add files_relabel_non_security_file_type
This interface allows for relabel operations against all resources with
a type associated with the non_security_file_type attribute.
---
policy/modules/kernel/files.if | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 5d53aa4..105c7c2 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6731,6 +6731,35 @@ interface(`files_read_etc_runtime',`
########################################
## <summary>
+## Relabel all non-security related
+## files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_relabel_non_security_file_type',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ allow $1 non_security_file_type:dir list_dir_perms;
+ relabel_dirs_pattern($1, non_security_file_type, non_security_file_type)
+ relabel_files_pattern($1, non_security_file_type, non_security_file_type)
+ relabel_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
+ relabel_fifo_files_pattern($1, non_security_file_type, non_security_file_type)
+ relabel_sock_files_pattern($1, non_security_file_type, non_security_file_type)
+ # this is only relabelfrom since there should be no
+ # device nodes with file types.
+ relabelfrom_blk_files_pattern($1, non_security_file_type, non_security_file_type)
+ relabelfrom_chr_files_pattern($1, non_security_file_type, non_security_file_type)
+')
+
+########################################
+## <summary>
## Manage non-security related resources.
## </summary>
## <param name="domain">
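Review bot: the summary "Relabel all non-security related files." undersells the grant, because the body also relabels directories, symbolic links, fifos and sockets. List the object classes in the summary so the description matches the rules.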
* [gentoo-commits] proj/hardened-refpolicy:testing commit in: policy/modules/kernel/
@ 2014-08-07 12:41 Sven Vermeulen
From: Sven Vermeulen @ 2014-08-07 12:41 UTC
To: gentoo-commits
commit: 3b8d61235fe8f516700617bf6b8750c0c734a66b
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug 7 12:28:11 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Aug 7 12:33:43 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3b8d6123
Introduce files_relabel_all_pids
The files_relabel_all_pids allows for relabelfrom/relabelto privileges
on files, symbolic links and directories (for now) of the types
associated with the pidfile attribute, which basically is *_var_run_t
and var_run_t.
---
policy/modules/kernel/files.if | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 105c7c2..9f260ab 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6781,3 +6781,24 @@ interface(`files_manage_non_security_file_type',`
manage_sock_files_pattern($1, non_security_file_type, non_security_file_type)
')
+########################################
+## <summary>
+## Relabel all pidfile resources.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_relabel_all_pids',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ allow $1 pidfile:dir list_dir_perms;
+ relabel_dirs_pattern($1, pidfile, pidfile)
+ relabel_files_pattern($1, pidfile, pidfile)
+ relabel_lnk_files_pattern($1, pidfile, pidfile)
+')
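Review bot: "allow $1 pidfile:dir list_dir_perms;" lets the caller list every directory carrying a pidfile type, which is a read-type access the summary "Relabel all pidfile resources." does not mention. Say in the documentation header that directory listing is included, or add a comment above the rule explaining why relabeling needs it.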
* [gentoo-commits] proj/hardened-refpolicy:testing commit in: policy/modules/kernel/
@ 2014-08-08 8:50 Sven Vermeulen
From: Sven Vermeulen @ 2014-08-08 8:50 UTC
To: gentoo-commits
commit: a6a300d4692eb06f7de55d413099b844e142a7b2
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 8 08:44:15 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 8 08:44:15 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a6a300d4
Introduce files_relabel_all_pidfiles
This interface can be used by domains needing wide relabel privileges
towards the *_var_run_t and var_run_t types.
---
policy/modules/kernel/files.if | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index efd7836..33076ed 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6781,3 +6781,24 @@ interface(`files_manage_all_non_security_file_types',`
manage_sock_files_pattern($1, non_security_file_type, non_security_file_type)
')
+#########################################
+## <summary>
+## Allow relabeling from and to any pidfile associated type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabel_all_pidfiles',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ allow $1 pidfile:dir list_dir_perms;
+
+ relabel_dirs_pattern($1, pidfile, pidfile)
+ relabel_files_pattern($1, pidfile, pidfile)
+ relabel_lnk_files_pattern($1, pidfile, pidfile)
+')
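Review bot: the separator on the first added line is 41 "#" characters, one more than the 40-character separators that head the other interface blocks in files.if. Trim it to match so the header lines stay uniform.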
* [gentoo-commits] proj/hardened-refpolicy:testing commit in: policy/modules/kernel/
@ 2014-08-08 8:50 Sven Vermeulen
From: Sven Vermeulen @ 2014-08-08 8:50 UTC
To: gentoo-commits
commit: 712145986e7c34ed256362a0a81dfe2a4b50639e
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 8 08:46:27 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 8 08:46:27 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=71214598
Use files_relabel_all_non_security_file_types
Use the naming convention "_all_" + <attribute-name> + "s" (plural)
---
policy/modules/kernel/files.if | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 33076ed..fd1f8e9 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6731,8 +6731,7 @@ interface(`files_read_etc_runtime',`
########################################
## <summary>
-## Relabel all non-security related
-## files.
+## Allow relabel from and to non-security types
## </summary>
## <param name="domain">
## <summary>
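Review bot: the new summary "Allow relabel from and to non-security types" overstates the grant for device nodes, since the body of the same interface uses relabelfrom_blk_files_pattern and relabelfrom_chr_files_pattern and its own comment says "this is only relabelfrom". Qualify the summary, for example by noting that block and character device nodes can only be relabeled from.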
@@ -6741,17 +6740,19 @@ interface(`files_read_etc_runtime',`
## </param>
## <rolecap/>
#
-interface(`files_relabel_non_security_file_type',`
+interface(`files_relabel_all_non_security_file_types',`
gen_require(`
attribute non_security_file_type;
')
allow $1 non_security_file_type:dir list_dir_perms;
+
relabel_dirs_pattern($1, non_security_file_type, non_security_file_type)
relabel_files_pattern($1, non_security_file_type, non_security_file_type)
relabel_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
relabel_fifo_files_pattern($1, non_security_file_type, non_security_file_type)
relabel_sock_files_pattern($1, non_security_file_type, non_security_file_type)
+
# this is only relabelfrom since there should be no
# device nodes with file types.
relabelfrom_blk_files_pattern($1, non_security_file_type, non_security_file_type)
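Review bot: the rename on the "interface(" line removes files_relabel_non_security_file_type without leaving a compatibility wrapper, and the diffstat shows files.if as the only file touched. Any module still calling the old name will no longer resolve it; update the callers in the same commit, or keep the old name as a deprecated wrapper that calls files_relabel_all_non_security_file_types.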
* [gentoo-commits] proj/hardened-refpolicy:testing commit in: policy/modules/kernel/
2014-08-07 9:41 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2014-08-08 8:50 ` Sven Vermeulen
From: Sven Vermeulen @ 2014-08-08 8:50 UTC
To: gentoo-commits
commit: efbdcdbe1e713bdf62e3ad054d0b950e29b6b605
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug 7 09:39:37 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Aug 7 09:39:37 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=efbdcdbe
Add files_relabel_non_security_file_type
This interface allows for relabel operations against all resources with
a type associated with the non_security_file_type attribute.
---
policy/modules/kernel/files.if | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 5d53aa4..105c7c2 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6731,6 +6731,35 @@ interface(`files_read_etc_runtime',`
########################################
## <summary>
+## Relabel all non-security related
+## files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_relabel_non_security_file_type',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ allow $1 non_security_file_type:dir list_dir_perms;
+ relabel_dirs_pattern($1, non_security_file_type, non_security_file_type)
+ relabel_files_pattern($1, non_security_file_type, non_security_file_type)
+ relabel_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
+ relabel_fifo_files_pattern($1, non_security_file_type, non_security_file_type)
+ relabel_sock_files_pattern($1, non_security_file_type, non_security_file_type)
+ # this is only relabelfrom since there should be no
+ # device nodes with file types.
+ relabelfrom_blk_files_pattern($1, non_security_file_type, non_security_file_type)
+ relabelfrom_chr_files_pattern($1, non_security_file_type, non_security_file_type)
+')
+
+########################################
+## <summary>
## Manage non-security related resources.
## </summary>
## <param name="domain">
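Review bot: the body runs the allow rule, the five relabel patterns and the relabelfrom comment block together with no separation. A blank line after "allow $1 non_security_file_type:dir list_dir_perms;" and another before "# this is only relabelfrom since there should be no" would make the three groups easier to audit.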
* [gentoo-commits] proj/hardened-refpolicy:testing commit in: policy/modules/kernel/
2014-08-08 8:48 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2014-08-08 8:50 ` Sven Vermeulen
From: Sven Vermeulen @ 2014-08-08 8:50 UTC
To: gentoo-commits
commit: 105008a744011a7cb78546338fe90c55772dbab4
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 8 08:40:03 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 8 08:40:03 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=105008a7
Apply different naming
The idea is that an interface that manages a whole set of types contains
the _all_ inside the name. When it does, then the next block should
contain the attribute name in its entirety, but plural.
So for non_security_file_type, this becomes
_all_non_security_file_types.
---
policy/modules/kernel/files.if | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 105c7c2..efd7836 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6760,7 +6760,7 @@ interface(`files_relabel_non_security_file_type',`
########################################
## <summary>
-## Manage non-security related resources.
+## Manage non-security-sensitive resource types
## </summary>
## <param name="domain">
## <summary>
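Review bot: the replacement summary "Manage non-security-sensitive resource types" drops the full stop the old line had and says the interface manages types, whereas its rules act on objects labelled with those types. Something like "Manage all non-security-sensitive resources." keeps the punctuation and describes what is actually granted.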
@@ -6769,7 +6769,7 @@ interface(`files_relabel_non_security_file_type',`
## </param>
## <rolecap/>
#
-interface(`files_manage_non_security_file_type',`
+interface(`files_manage_all_non_security_file_types',`
gen_require(`
attribute non_security_file_type;
')
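Review bot: only files_manage_non_security_file_type is renamed here, while the hunk header context still shows "files_relabel_non_security_file_type" directly above it, so after this commit the two sibling interfaces follow different naming schemes. Rename both in one commit so the convention described in the commit message is applied consistently.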