From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id D42A7138A1F for ; Thu, 7 Aug 2014 09:50:09 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 7DE2CE0980; Thu, 7 Aug 2014 09:50:07 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id DBE36E0980 for ; Thu, 7 Aug 2014 09:50:06 +0000 (UTC) Received: from spoonbill.gentoo.org (spoonbill.gentoo.org [81.93.255.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 6C170340289 for ; Thu, 7 Aug 2014 08:06:05 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by spoonbill.gentoo.org (Postfix) with ESMTP id 37B141881C for ; Thu, 7 Aug 2014 08:06:04 +0000 (UTC) From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1407348517.3b742fca07833a9b5f5f1d4f2566593f90f6b22f.swift@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/system/selinuxutil.te X-VCS-Directories: policy/modules/system/ X-VCS-Committer: swift X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 3b742fca07833a9b5f5f1d4f2566593f90f6b22f X-VCS-Branch: master Date: Thu, 7 Aug 2014 08:06:04 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 4474f8c6-f260-4152-9a27-4d69457378f4 X-Archives-Hash: dc921c3776cff83febbc57c14b78d45b commit: 3b742fca07833a9b5f5f1d4f2566593f90f6b22f Author: Sven Vermeulen siphos be> AuthorDate: Wed Aug 6 09:17:15 2014 +0000 Commit: Sven Vermeulen gentoo org> CommitDate: Wed Aug 6 18:08:37 2014 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3b742fca Make SELinux configuration a security file type The SELinux configuration should be considered a security-sensitive configuration type and as such should not be made part of the system-wide accesses towards regular files (non_auth/non_security). --- policy/modules/system/selinuxutil.te | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index 48566a4..4d6f5d9 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -28,7 +28,7 @@ roleattribute system_r semanage_roles; # in the domain_type interface # (fix dup decl) type selinux_config_t; -files_type(selinux_config_t) +files_security_file(selinux_config_t) type checkpolicy_t, can_write_binary_policy; type checkpolicy_exec_t; @@ -40,14 +40,14 @@ role system_r types checkpolicy_t; # /etc/selinux/*/contexts/* # type default_context_t; -files_type(default_context_t) +files_security_file(default_context_t) # # file_context_t is the type applied to # /etc/selinux/*/contexts/files # type file_context_t; -files_type(file_context_t) +files_security_file(file_context_t) type load_policy_t; type load_policy_exec_t; @@ -67,7 +67,7 @@ role newrole_roles types newrole_t; # the security server policy configuration. # type policy_config_t; -files_type(policy_config_t) +files_security_file(policy_config_t) neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto; #neverallow ~can_write_binary_policy policy_config_t:file { write append }; From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id F2A1313877A for ; Wed, 6 Aug 2014 18:13:17 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 30248E08FE; Wed, 6 Aug 2014 18:13:16 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 6FA0DE090F for ; Wed, 6 Aug 2014 18:13:15 +0000 (UTC) Received: from spoonbill.gentoo.org (spoonbill.gentoo.org [81.93.255.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id A10B034027D for ; Wed, 6 Aug 2014 18:13:14 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by spoonbill.gentoo.org (Postfix) with ESMTP id 68FBC1881D for ; Wed, 6 Aug 2014 18:13:13 +0000 (UTC) From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1407348517.3b742fca07833a9b5f5f1d4f2566593f90f6b22f.swift@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:testing commit in: policy/modules/system/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/system/selinuxutil.te X-VCS-Directories: policy/modules/system/ X-VCS-Committer: swift X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 3b742fca07833a9b5f5f1d4f2566593f90f6b22f X-VCS-Branch: testing Date: Wed, 6 Aug 2014 18:13:13 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 712cd2ea-6be7-4fa2-b406-f923ebff3fb8 X-Archives-Hash: 8c9d025a527bb8e17ddd685a4ec377d8 Message-ID: <20140806181313.RljqkXn9ELPLh1zRFmUMyHTaf3ZZo1IjX188XfI-UIg@z> commit: 3b742fca07833a9b5f5f1d4f2566593f90f6b22f Author: Sven Vermeulen siphos be> AuthorDate: Wed Aug 6 09:17:15 2014 +0000 Commit: Sven Vermeulen gentoo org> CommitDate: Wed Aug 6 18:08:37 2014 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3b742fca Make SELinux configuration a security file type The SELinux configuration should be considered a security-sensitive configuration type and as such should not be made part of the system-wide accesses towards regular files (non_auth/non_security). --- policy/modules/system/selinuxutil.te | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index 48566a4..4d6f5d9 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -28,7 +28,7 @@ roleattribute system_r semanage_roles; # in the domain_type interface # (fix dup decl) type selinux_config_t; -files_type(selinux_config_t) +files_security_file(selinux_config_t) type checkpolicy_t, can_write_binary_policy; type checkpolicy_exec_t; @@ -40,14 +40,14 @@ role system_r types checkpolicy_t; # /etc/selinux/*/contexts/* # type default_context_t; -files_type(default_context_t) +files_security_file(default_context_t) # # file_context_t is the type applied to # /etc/selinux/*/contexts/files # type file_context_t; -files_type(file_context_t) +files_security_file(file_context_t) type load_policy_t; type load_policy_exec_t; @@ -67,7 +67,7 @@ role newrole_roles types newrole_t; # the security server policy configuration. # type policy_config_t; -files_type(policy_config_t) +files_security_file(policy_config_t) neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto; #neverallow ~can_write_binary_policy policy_config_t:file { write append };