public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
@ 2012-08-11 19:01 Sven Vermeulen
From: Sven Vermeulen @ 2012-08-11 19:01 UTC
  To: gentoo-commits

commit:     9bb7d10186faa77d1f4d9e9ac80f7b125294f6b6
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Aug 11 19:00:31 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Aug 11 19:00:31 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9bb7d101

Allow sysadm to be postfix admin

To allow administration of postfix, sysadm_t needs to be able to execute the
common administrative commands (like postfix or postqueue) and interact with the
postfix master daemon (through a socket).

---
 policy/modules/roles/sysadm.te |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index aa562c0..c7f603e 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -286,6 +286,12 @@ optional_policy(`
 ')
 
 optional_policy(`
+	postfix_exec_master(sysadm_t)
+	postfix_exec_postqueue(sysadm_t)
+	postfix_stream_connect_master(sysadm_t)
+')
+
+optional_policy(`
 	pyzor_role(sysadm_r, sysadm_t)
 ')
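Review bot: by refpolicy naming convention the two postfix_exec_* interfaces grant execute without a domain transition, so postfix and postqueue will run inside sysadm_t itself rather than in a dedicated domain; a one-line comment above the block stating that this is intended would help the next reader, since the commit message only says the commands must be executable. Grouping the three calls in one optional_policy block is correct because all of them come from the postfix module.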
 


^ permalink raw reply related	[flat|nested] 49+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
@ 2012-08-13 19:28 Sven Vermeulen
From: Sven Vermeulen @ 2012-08-13 19:28 UTC
  To: gentoo-commits

commit:     73792172a5c86da2b7ade9a16a575aee75a63677
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Aug 11 19:00:31 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Aug 13 19:20:19 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=73792172

Allow sysadm to be postfix admin

To allow administration of postfix, sysadm_t needs to be able to execute the
common administrative commands (like postfix or postqueue) and interact with the
postfix master daemon (through a socket).

---
 policy/modules/roles/sysadm.te |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index aa562c0..c7f603e 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -286,6 +286,12 @@ optional_policy(`
 ')
 
 optional_policy(`
+	postfix_exec_master(sysadm_t)
+	postfix_exec_postqueue(sysadm_t)
+	postfix_stream_connect_master(sysadm_t)
+')
+
+optional_policy(`
 	pyzor_role(sysadm_r, sysadm_t)
 ')
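Review bot: this hunk is identical to the one in commit 9bb7d101 above (same blob ids aa562c0..c7f603e, same added lines); only the CommitDate differs, so this is a rewritten or re-pushed commit and there is nothing new to review here.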
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
@ 2012-08-21 17:52 Sven Vermeulen
From: Sven Vermeulen @ 2012-08-21 17:52 UTC
  To: gentoo-commits

commit:     dc2670d7031e6ad40beae2d6cd788796fb5536f0
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug 16 18:43:48 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Aug 17 13:45:12 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=dc2670d7

Allow sysadm to manage asterisk service

Needed since the use of named init scripts

---
 policy/modules/roles/sysadm.te |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 810fbc6..9e9967f 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -86,6 +86,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	asterisk_admin(sysadm_t, sysadm_r)
 	asterisk_stream_connect(sysadm_t)
 ')
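Review bot: asterisk_admin(sysadm_t, sysadm_r) is added next to the existing asterisk_stream_connect(sysadm_t); refpolicy _admin interfaces normally bundle the accesses an administrator needs for the daemon, so check the asterisk module's interface definition for whether the admin interface already grants the stream connect and, if so, drop the second call to avoid a redundant rule.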
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
@ 2012-08-21 17:52 Sven Vermeulen
From: Sven Vermeulen @ 2012-08-21 17:52 UTC
  To: gentoo-commits

commit:     83a680ef91510d7688db90671d59be63d01e98da
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug 16 18:20:53 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Aug 17 13:45:09 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=83a680ef

Allow sysadm_t to administer postgresql service

Allow the sysadm_t domain to administer the postgresql service by executing the
postgresql init script (postgresql_initrc_exec_t) with the proper transition in
place.

---
 policy/modules/roles/sysadm.te |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index c7f603e..810fbc6 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -292,6 +292,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	postgresql_admin(sysadm_t, sysadm_r)
+	postgresql_exec(sysadm_t)
+')
+
+optional_policy(`
 	pyzor_role(sysadm_r, sysadm_t)
 ')
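Review bot: the commit message justifies postgresql_admin (init script plus the proper transition) but says nothing about the extra postgresql_exec(sysadm_t) call; either add a comment explaining what needs to execute the postgresql binaries directly from sysadm_t, or drop it if postgresql_admin already provides that access.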
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
@ 2012-08-28 17:28 Sven Vermeulen
From: Sven Vermeulen @ 2012-08-28 17:28 UTC
  To: gentoo-commits

commit:     8244ab45e28841bf23a9bbea0381b6a784e289b5
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Aug 25 17:43:02 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Aug 25 17:43:02 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8244ab45

Allow sysadmin to manage openvpn

Since the openvpn init script is a named one (openvpn_initrc_exec_t), we need to
allow sysadmin to administer the openvpn domain. Otherwise he cannot (re)start
the init scripts easily.

---
 policy/modules/roles/sysadm.te |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 9e9967f..1b6274e 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -273,6 +273,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	openvpn_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
 	pcmcia_run_cardctl(sysadm_t, sysadm_r)
 ')
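Review bot: the stated goal is only to (re)start the named init script, while an _admin interface typically also grants management of the service's files and the ability to signal its processes; if that broader access is the deliberate choice, record it in a comment so nobody later narrows it by accident. Placement is fine (openvpn sorts before pcmcia).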
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
@ 2012-08-28 17:28 Sven Vermeulen
From: Sven Vermeulen @ 2012-08-28 17:28 UTC
  To: gentoo-commits

commit:     8968bc4b5c3e460081fa55ca0cc12d547d04ec68
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Aug 25 17:46:57 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Aug 25 17:46:57 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8968bc4b

Allow sysadm to manage ntp domain

Since the ntp init script is a named one, allow the sysadm to administer the ntp
domain so he can (re)start the init scripts (amongst other things).

---
 policy/modules/roles/sysadm.te |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 1b6274e..7f52e17 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -269,6 +269,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	ntp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
 	oav_run_update(sysadm_t, sysadm_r)
 ')
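Review bot: this follows the same pattern as the openvpn change; the commit message's "(amongst other things)" leaves the extra privileges unnamed, so a comment naming the named init script type (as the postgresql commit did with postgresql_initrc_exec_t) would document why ntp_admin rather than a narrower interface was needed. The block is sorted correctly before oav_run_update.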
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
@ 2012-08-28 17:28 Sven Vermeulen
From: Sven Vermeulen @ 2012-08-28 17:28 UTC
  To: gentoo-commits

commit:     f65119208d78eb926723db7eb0a37dac10d53481
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Aug 25 17:48:29 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Aug 25 17:48:29 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f6511920

Allow sysadm to manage bind (named) domain

Since the named daemon uses named init scripts, allow the sysadm to manage the
bind domain, allowing him to manipulate the init scripts properly.

---
 policy/modules/roles/sysadm.te |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 7f52e17..efba839 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -103,6 +103,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	bind_admin(sysadm_t, sysadm_r)
 	bind_run_ndc(sysadm_t, sysadm_r)
 ')
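Review bot: as with the asterisk change, bind_admin(sysadm_t, sysadm_r) lands beside the existing bind_run_ndc(sysadm_t, sysadm_r); confirm from the bind module's interface definition whether the admin interface already covers running ndc and remove the redundant call if it does.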
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
@ 2012-10-24 16:03 Sven Vermeulen
From: Sven Vermeulen @ 2012-10-24 16:03 UTC
  To: gentoo-commits

commit:     c8d08446197bd9fc061eeb7f49d131a4a021f2be
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Oct 24 16:01:29 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Oct 24 16:01:29 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c8d08446

Use gnome_role_template instead of deprecated gnome_role

---
 policy/modules/roles/staff.te      |    2 +-
 policy/modules/roles/sysadm.te     |    2 +-
 policy/modules/roles/unprivuser.te |    2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 25807b6..9d2498e 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -97,7 +97,7 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		gnome_role(staff_r, staff_t)
+		gnome_role_template(staff, staff_r, staff_t)
 	')
 
 	optional_policy(`
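Review bot: gnome_role_template derives per-role types from its first argument, so the `staff` prefix must match the one used in dbus_role_template(staff, ...) for this role, and the template's own dependency on dbus_role_template should be checked before merging; the follow-up commit e17b0832 on this page had to nest the call inside the dbus block for exactly that reason.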

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 94350fc..cd49816 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -516,7 +516,7 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		gnome_role(sysadm_r, sysadm_t)
+		gnome_role_template(sysadm, sysadm_r, sysadm_t)
 	')
 
 	optional_policy(`

diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 17a987b..c787c95 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -70,7 +70,7 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		gnome_role(user_r, user_t)
+		gnome_role_template(user, user_r, user_t)
 	')
 
 	optional_policy(`
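Review bot: the prefix here is `user`, not `unprivuser`, which is consistent with the user_r/user_t identifiers on the same line even though the file is named unprivuser.te; worth a glance when reviewing, since the template generates `user_`-prefixed types from it.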



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
@ 2012-10-24 17:48 Sven Vermeulen
From: Sven Vermeulen @ 2012-10-24 17:48 UTC
  To: gentoo-commits

commit:     e17b083270c37d0a0d4c8f9ffadd644d2783f05e
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Oct 24 17:45:38 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Oct 24 17:45:38 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e17b0832

Embracing gnome_role_template within dbus_role_template call

The gnome_role_template interface requires the dbus_role_template to be called
and available.

---
 policy/modules/roles/staff.te      |    8 ++++----
 policy/modules/roles/sysadm.te     |    8 ++++----
 policy/modules/roles/unprivuser.te |    8 ++++----
 3 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 9d2498e..f0d3c66 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -82,6 +82,10 @@ ifndef(`distro_redhat',`
 
 	optional_policy(`
 		dbus_role_template(staff, staff_r, staff_t)
+
+		optional_policy(`
+			gnome_role_template(staff, staff_r, staff_t)
+		')
 	')
 
 	optional_policy(`
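Review bot: nesting the gnome_role_template call in its own optional_policy inside the dbus_role_template block expresses the dependency the commit message describes and still builds when the gnome module is absent while dbus is present; the inner optional_policy is therefore not redundant and should stay. The same structure is applied to sysadm.te and unprivuser.te below.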
@@ -97,10 +101,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		gnome_role_template(staff, staff_r, staff_t)
-	')
-
-	optional_policy(`
 		gorg_role(staff_r, staff_t)
 	')
 

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index cd49816..80e9aa1 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -501,6 +501,10 @@ ifndef(`distro_redhat',`
 
 	optional_policy(`
 		dbus_role_template(sysadm, sysadm_r, sysadm_t)
+
+		optional_policy(`
+			gnome_role_template(sysadm, sysadm_r, sysadm_t)
+		')
 	')
 
 	optional_policy(`
@@ -516,10 +520,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		gnome_role_template(sysadm, sysadm_r, sysadm_t)
-	')
-
-	optional_policy(`
 		gorg_role(sysadm_r, sysadm_t)
 	')
 

diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index c787c95..12b0b32 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -55,6 +55,10 @@ ifndef(`distro_redhat',`
 
 	optional_policy(`
 		dbus_role_template(user, user_r, user_t)
+
+		optional_policy(`
+			gnome_role_template(user, user_r, user_t)
+		')
 	')
 
 	optional_policy(`
@@ -70,10 +74,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		gnome_role_template(user, user_r, user_t)
-	')
-
-	optional_policy(`
 		gorg_role(user_r, user_t)
 	')
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
@ 2012-10-28 18:01 Sven Vermeulen
From: Sven Vermeulen @ 2012-10-28 18:01 UTC
  To: gentoo-commits

commit:     d81279d70b3b2ffeb584878e42ad227e81dca5cd
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Oct 28 17:55:24 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Oct 28 17:55:24 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d81279d7

Adding admin interfaces

Adding additional administrative interfaces to the sysadm role. Using the
"bottom" of the file (with an ifdef on our distribution), hopefully making it
easier to track upstream while still manipulating our own sets.

---
 policy/modules/roles/sysadm.te |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 56163f4..a1ac439 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -538,6 +538,14 @@ ifndef(`distro_redhat',`
 
 ifdef(`distro_gentoo',`
 	optional_policy(`
+		dovecot_admin(sysadm_t, sysadm_r)
+	')
+
+	optional_policy(`
+		fail2ban_run_client(sysadm_t, sysadm_r)
+	')
+
+	optional_policy(`
 		shorewall_admin(sysadm_t, sysadm_r)
 	')
 ')
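Review bot: nothing in dovecot_admin, fail2ban_run_client or shorewall_admin is Gentoo-specific, so keeping them under ifdef(`distro_gentoo') only serves the upstream-tracking goal the commit message states; consider proposing the same additions upstream so the block can shrink later. The entries are sorted (dovecot, fail2ban, shorewall), which keeps future merges clean.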



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
@ 2012-10-30 20:24 Sven Vermeulen
From: Sven Vermeulen @ 2012-10-30 20:24 UTC
  To: gentoo-commits

commit:     fdea808e6a74f9cbc4297581265c7486632ab9db
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Fri Oct 26 10:05:55 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Oct 30 20:21:06 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fdea808e

Samhain_admin() now requires a role for the role_transition from $1 to initrc_t via samhain_initrc_exec_t

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/roles/sysadm.te |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index a1ac439..678be21 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -360,7 +360,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	samhain_admin(sysadm_t)
+	samhain_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
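Review bot: since the samhain_admin interface signature changed to take a role, every other caller of samhain_admin must be updated in the same change or the build fails on the old one-argument form; this diff touches only sysadm.te, so confirm no other role file still calls it with a single argument.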



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
@ 2012-11-17 17:45 Sven Vermeulen
From: Sven Vermeulen @ 2012-11-17 17:45 UTC
  To: gentoo-commits

commit:     83bb653a3ab2130e491d281832c0ad400775be33
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Nov 17 17:41:28 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Nov 17 17:41:28 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=83bb653a

Support mirrorselect / netselect

The mirrorselect application will, through netselect, open a rawip_socket to
find the fastest mirror to use. As there is no separate domain for netselect,
and this is the only requirement, allow it for sysadm role.

---
 policy/modules/roles/sysadm.te |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 77233b9..8ecfdcb 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -52,6 +52,9 @@ ifdef(`direct_sysadm_daemon',`
 ')
 
 ifdef(`distro_gentoo',`
+	# To support mirrorselect / netselect
+	allow sysadm_t self:rawip_socket create_socket_perms;
+
 	init_exec_rc(sysadm_t)
 ')
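Review bot: this is a raw allow rule on the whole sysadm_t domain rather than an interface call, and create_socket_perms covers read, write, bind, connect and more, not just create; because the commit message says no netselect domain exists, consider gating the rule behind a tunable so sites that never run mirrorselect can leave raw-socket creation disabled for sysadm_t, or give netselect its own domain later. The explanatory comment above the rule is welcome.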
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
@ 2012-12-19 21:16 Sven Vermeulen
From: Sven Vermeulen @ 2012-12-19 21:16 UTC
  To: gentoo-commits

commit:     f990dd9d3b062bab42a51baf00500cdc2b48e63b
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Dec 19 12:48:12 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Dec 19 12:48:12 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f990dd9d

Allow sysadmin to call rpcinfo

When calling rpcinfo -p to find out the available RPC services, we got the
following error:

rpcinfo: can't contact portmapper: RPC: Remote system error - Permission denied

Adding the rpcbind_stream_connect to sysadm_t resolved this as the denial showed
the following:

Dec 19 13:45:59 hpl kernel: [18164.749818] type=1400 audit(1355921159.325:1387):
avc:  denied  { connectto } for  pid=30087 comm="rpcinfo"
path="/run/rpcbind.sock" scontext=staff_u:sysadm_r:sysadm_t
tcontext=system_u:system_r:rpcbind_t tclass=unix_stream_socket

---
 policy/modules/roles/sysadm.te |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 8ecfdcb..0d22033 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -547,6 +547,10 @@ ifdef(`distro_gentoo',`
 	')
 
 	optional_policy(`
+		rpcbind_stream_connect(sysadm_t)
+	')
+
+	optional_policy(`
 		shorewall_admin(sysadm_t, sysadm_r)
 	')
 ')
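Review bot: the AVC in the commit message (scontext sysadm_t, tcontext rpcbind_t, class unix_stream_socket, permission connectto) is exactly what rpcbind_stream_connect provides, so this is the minimal fix; including the denial in the message is good practice and worth keeping up. Note that rpc_admin, added in the next commit, concerns the rpc module's NFS/RPC daemons and does not replace this rpcbind-specific rule.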



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
@ 2012-12-19 21:16 Sven Vermeulen
From: Sven Vermeulen @ 2012-12-19 21:16 UTC
  To: gentoo-commits

commit:     1ff505084faff6cc7f48898906af03a0cf4c8b84
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Dec 19 13:47:36 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Dec 19 13:47:36 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1ff50508

Mark sysadm as rpc_admin

---
 policy/modules/roles/sysadm.te |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 0d22033..de82808 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -547,6 +547,10 @@ ifdef(`distro_gentoo',`
 	')
 
 	optional_policy(`
+		rpc_admin(sysadm_t, sysadm_r)
+	')
+
+	optional_policy(`
 		rpcbind_stream_connect(sysadm_t)
 	')
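Review bot: the commit message is a bare title; unlike the preceding rpcbind commit it does not say which operation failed or which denial motivated rpc_admin, so add a sentence to the message (or a comment above the block) with the use case. Ordering is correct (rpc before rpcbind).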
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
@ 2012-12-31 23:19 Sven Vermeulen
From: Sven Vermeulen @ 2012-12-31 23:19 UTC
  To: gentoo-commits

commit:     775f39d4e02509604de2ba7903362de6b3347cfe
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Dec 31 22:59:54 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Dec 31 23:02:42 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=775f39d4

Allow staff and regular user the googletalk plugin domains

---
 policy/modules/roles/staff.te      |    6 ++++++
 policy/modules/roles/unprivuser.te |    6 ++++++
 2 files changed, 12 insertions(+), 0 deletions(-)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index c706804..2c46469 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -200,3 +200,9 @@ ifndef(`distro_redhat',`
 		wireshark_role(staff_r, staff_t)
 	')
 ')
+
+ifdef(`distro_gentoo',`
+	optional_policy(`
+		googletalk_run_plugin(staff_t, staff_r)
+	')
+')
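Review bot: appending a new ifdef(`distro_gentoo') block at the end of the file matches the convention introduced in commit d81279d7 for sysadm.te; the argument order (staff_t, staff_r) follows the _run interface convention (domain first, then role), as opposed to the _role interfaces just above, so it is consistent. The unprivuser.te hunk below mirrors this with user_t/user_r.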

diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 21fdae9..507c064 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -189,3 +189,9 @@ ifndef(`distro_redhat',`
 		wireshark_role(user_r, user_t)
 	')
 ')
+
+ifdef(`distro_gentoo',`
+	optional_policy(`
+		googletalk_run_plugin(user_t, user_r)
+	')
+')



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
@ 2013-04-11  7:22 Sven Vermeulen
From: Sven Vermeulen @ 2013-04-11  7:22 UTC
  To: gentoo-commits

commit:     32b15e5ef7dfba00f844ead86cba3b6ce4cd96ec
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Apr 11 07:21:23 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Apr 11 07:21:23 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=32b15e5e

Fix #459856 - Allow regular users to call pulseaudio

Allow regular user domains to use pulseaudio (unprivuser & staff).

---
 policy/modules/roles/staff.te      |    4 ++++
 policy/modules/roles/unprivuser.te |    4 ++++
 2 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 2c46469..236097d 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -205,4 +205,8 @@ ifdef(`distro_gentoo',`
 	optional_policy(`
 		googletalk_run_plugin(staff_t, staff_r)
 	')
+
+	optional_policy(`
+		pulseaudio_role(staff_r, staff_t)
+	')
 ')
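Review bot: pulseaudio_role is not Gentoo-specific, so placing it under ifdef(`distro_gentoo') rather than in the general ifndef(`distro_redhat') section above means only Gentoo builds of this tree get it; the later commit 0174d192 on this page shows pulseaudio_role living in the general section, so it was moved afterwards anyway. Adding it in the general section directly would avoid that churn.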

diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 507c064..c64f441 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -194,4 +194,8 @@ ifdef(`distro_gentoo',`
 	optional_policy(`
 		googletalk_run_plugin(user_t, user_r)
 	')
+
+	optional_policy(`
+		pulseaudio_role(user_r, user_t)
+	')
 ')



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
@ 2014-04-11 17:48 Sven Vermeulen
From: Sven Vermeulen @ 2014-04-11 17:48 UTC
  To: gentoo-commits

commit:     0174d192aac9d69d24fded5aee1a6a1040cd4a2c
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Sat Apr  5 18:01:21 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Apr 11 17:48:01 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0174d192

Add telepathy role for user_r and staff_r

---
 policy/modules/roles/staff.te      | 4 ++++
 policy/modules/roles/unprivuser.te | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index abc38c0..247f898 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -90,6 +90,10 @@ ifndef(`distro_redhat',`
 		optional_policy(`
 			pulseaudio_role(staff_r, staff_t)
 		')
+
+		optional_policy(`
+			telepathy_role_template(staff, staff_r, staff_t)
+		')
 	')
 
 	optional_policy(`
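Review bot: the hunk header shows only ifndef(`distro_redhat'), and the extra indentation places telepathy_role_template inside an enclosing optional_policy block alongside pulseaudio_role; confirm that the enclosing block is the dbus_role_template one (the same nesting commit e17b0832 used for gnome_role_template), since a template that needs dbus should be nested there rather than in an unrelated block.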

diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index e9319d0..c40c34c 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -63,6 +63,10 @@ ifndef(`distro_redhat',`
 		optional_policy(`
 			pulseaudio_role(user_r, user_t)
 		')
+
+		optional_policy(`
+			telepathy_role_template(user, user_r, user_t)
+		')
 	')
 
 	optional_policy(`



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
@ 2014-04-12 13:38 Sven Vermeulen
From: Sven Vermeulen @ 2014-04-12 13:38 UTC
  To: gentoo-commits

commit:     c16ea5592a48b18414eea52965925345ac4e094a
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Apr 11 18:32:49 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Apr 11 18:32:49 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c16ea559

Running audit2allow and sepolgen needs policy read access

---
 policy/modules/roles/sysadm.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index bdaf706..4acf417 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -551,6 +551,11 @@ ifdef(`distro_gentoo',`
 	')
 
 	optional_policy(`
+		# Support audit2allow, sepolgen and so on
+		selinux_read_policy(sysadm_t)
+	')
+
+	optional_policy(`
 		shorewall_admin(sysadm_t, sysadm_r)
 	')
 ')
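Review bot: selinux_read_policy comes from the kernel-layer selinux module, which is always present, so wrapping it in optional_policy is unnecessary (the neighbouring optional_policy blocks guard contrib modules such as shorewall); a plain call with the existing comment is enough. The access granted is read-only on the loaded policy, which is what audit2allow and sepolgen need.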



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
@ 2014-06-07 19:36 Sven Vermeulen
From: Sven Vermeulen @ 2014-06-07 19:36 UTC
  To: gentoo-commits

commit:     dc73e4822cf4fb2747a635d818337b0a2851c1a7
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jun  7 19:35:54 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Jun  7 19:35:54 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=dc73e482

Add dropbox role for unprivileged user

---
 policy/modules/roles/unprivuser.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 65600f4..27431c7 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -200,6 +200,10 @@ ifndef(`distro_redhat',`
 
 ifdef(`distro_gentoo',`
 	optional_policy(`
+		dropbox_role(user_r, user_t)
+	')
+
+	optional_policy(`
 		googletalk_run_plugin(user_t, user_r)
 	')
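Review bot: the commit adds dropbox_role for user_r only, whereas the googletalk and pulseaudio changes on this page were applied to both unprivuser.te and staff.te; if leaving staff out is deliberate, say so in the commit message, otherwise add the matching block. Placement is sorted (dropbox before googletalk).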
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
  In reply to: 2014-08-15 13:39 [gentoo-commits] proj/hardened-refpolicy:salt commit in: policy/modules/roles/ Sven Vermeulen
@ 2014-08-15 14:51 Sven Vermeulen
From: Sven Vermeulen @ 2014-08-15 14:51 UTC
  To: gentoo-commits

commit:     b59466d0d951604cfdb9251a93a7daa76d648761
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 13 19:12:57 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 15 13:38:01 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b59466d0

Allow sysadm_t to manage salt master and minion

---
 policy/modules/roles/sysadm.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 4f85745..26591e9 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -551,6 +551,11 @@ ifdef(`distro_gentoo',`
 	')
 
 	optional_policy(`
+		salt_admin_master(sysadm_t, sysadm_r)
+		salt_admin_minion(sysadm_t, sysadm_r)
+	')
+
+	optional_policy(`
 		# Support audit2allow, sepolgen and so on
 		selinux_read_policy(sysadm_t)
 	')
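Review bot: both salt_admin_* calls share one optional_policy block, which is right if master and minion are defined in the same salt module; the commit message is title-only, so a short note on why the sysadm role needs both master and minion administration would help. Placement is sorted (salt before selinux).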



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
@ 2014-08-17 11:34 Sven Vermeulen
From: Sven Vermeulen @ 2014-08-17 11:34 UTC
  To: gentoo-commits

commit:     0f85a54a4c4eeb1111996c6ec1f3defa52a8a7b2
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 17 11:34:32 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Aug 17 11:34:32 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0f85a54a

Add dnsmasq_admin to sysadm

---
 policy/modules/roles/sysadm.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 26591e9..fb6ec87 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -535,6 +535,10 @@ ifndef(`distro_redhat',`
 
 ifdef(`distro_gentoo',`
 	optional_policy(`
+		dnsmasq_admin(sysadm_t, sysadm_r)
+	')
+
+	optional_policy(`
 		dovecot_admin(sysadm_t, sysadm_r)
 	')
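Review bot: straightforward addition, sorted ahead of dovecot; as with the other _admin interfaces in this distro_gentoo block, nothing about dnsmasq_admin is Gentoo-specific, so it is a candidate for upstreaming rather than staying in the distribution-specific section.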
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
@ 2014-08-19  9:19 Jason Zaman
From: Jason Zaman @ 2014-08-19  9:19 UTC
  To: gentoo-commits

commit:     b59466d0d951604cfdb9251a93a7daa76d648761
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 13 19:12:57 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Fri Aug 15 13:38:01 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b59466d0

Allow sysadm_t to manage salt master and minion

---
 policy/modules/roles/sysadm.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 4f85745..26591e9 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -551,6 +551,11 @@ ifdef(`distro_gentoo',`
 	')
 
 	optional_policy(`
+		salt_admin_master(sysadm_t, sysadm_r)
+		salt_admin_minion(sysadm_t, sysadm_r)
+	')
+
+	optional_policy(`
 		# Support audit2allow, sepolgen and so on
 		selinux_read_policy(sysadm_t)
 	')
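Review bot: grouping salt_admin_master and salt_admin_minion in one optional_policy block is correct, since both interfaces come from the same salt module and the block is dropped as a whole if it is absent; but "manage" in the commit message undersells what an _admin interface grants (control over the daemons' files, processes and init scripts), so a line saying which of master and minion actually run on the target host, and why both are wanted, would help anyone later trimming sysadm_t.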



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
@ 2014-08-19  9:19 Jason Zaman
  0 siblings, 0 replies; 49+ messages in thread
From: Jason Zaman @ 2014-08-19  9:19 UTC (permalink / raw
  To: gentoo-commits

commit:     0f85a54a4c4eeb1111996c6ec1f3defa52a8a7b2
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 17 11:34:32 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sun Aug 17 11:34:32 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0f85a54a

Add dnsmasq_admin to sysadm

---
 policy/modules/roles/sysadm.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 26591e9..fb6ec87 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -535,6 +535,10 @@ ifndef(`distro_redhat',`
 
 ifdef(`distro_gentoo',`
 	optional_policy(`
+		dnsmasq_admin(sysadm_t, sysadm_r)
+	')
+
+	optional_policy(`
 		dovecot_admin(sysadm_t, sysadm_r)
 	')
 
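Review bot: this is the same hunk as the 0f85a54a message posted earlier in the thread (identical index line 26591e9..fb6ec87 and the same four added lines); only the Commit: header and the gitweb host differ, so it is a re-delivery of an already-reviewed change, not a second patch to land.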



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
@ 2014-08-29 17:33 Sven Vermeulen
  0 siblings, 0 replies; 49+ messages in thread
From: Sven Vermeulen @ 2014-08-29 17:33 UTC (permalink / raw
  To: gentoo-commits

commit:     913e235d5896f9bfb04dce44e3242d968afaf5b9
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 29 17:32:35 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 29 17:32:35 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=913e235d

Enable powertop support for system administrator

---
 policy/modules/roles/sysadm.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index fb6ec87..6265657 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -534,6 +534,9 @@ ifndef(`distro_redhat',`
 ')
 
 ifdef(`distro_gentoo',`
+	# powertop support
+	dev_read_cpuid(sysadm_t)
+
 	optional_policy(`
 		dnsmasq_admin(sysadm_t, sysadm_r)
 	')
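Review bot: dev_read_cpuid(sysadm_t) is added as an unconditional rule rather than inside an optional_policy block, and its only documentation is "# powertop support". Since nothing ties it to a module that could be absent, the comment should name the object powertop reads and the denial it fixes, so the rule can be reconsidered if powertop stops needing it.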



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
@ 2014-11-22 18:24 Sven Vermeulen
  0 siblings, 0 replies; 49+ messages in thread
From: Sven Vermeulen @ 2014-11-22 18:24 UTC (permalink / raw
  To: gentoo-commits

commit:     b189f4aee23f48a368b7a9478072181ef104c9b2
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Nov 22 18:23:36 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 22 18:23:36 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b189f4ae

Reshuffle to match upstream

---
 policy/modules/roles/unprivuser.te | 57 +++++++++++++++++++-------------------
 1 file changed, 29 insertions(+), 28 deletions(-)

diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index c0d6204..c171833 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -17,10 +17,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	chromium_role(user_r, user_t)
-')
-
-optional_policy(`
 	git_role(user_r, user_t)
 ')
 
@@ -82,10 +78,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		gorg_role(user_r, user_t)
-	')
-
-	optional_policy(`
 		gpg_role(user_r, user_t)
 	')
 
@@ -102,10 +94,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		links_role(user_r, user_t)
-	')
-
-	optional_policy(`
 		lockdev_role(user_r, user_t)
 	')
 
@@ -126,14 +114,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		mutt_role(user_r, user_t)
-	')
-
-	optional_policy(`
-		pan_role(user_r, user_t)
-	')
-
-	optional_policy(`
 		postgresql_role(user_r, user_t)
 	')
 
@@ -150,14 +130,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		rtorrent_role(user_r, user_t)
-	')
-
-	optional_policy(`
-		skype_role(user_r, user_t)
-	')
-
-	optional_policy(`
 		spamassassin_role(user_r, user_t)
 	')
 
@@ -199,6 +171,11 @@ ifndef(`distro_redhat',`
 ')
 
 ifdef(`distro_gentoo',`
+
+	optional_policy(`
+		chromium_role(user_r, user_t)
+	')
+
 	optional_policy(`
 		dropbox_role(user_r, user_t)
 	')
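Review bot: the added blank line directly after ifdef(`distro_gentoo',` is a style inconsistency; the ifndef(`distro_redhat',` block above opens straight with optional_policy(`, so drop the extra "+" line and let the chromium_role block follow the ifdef immediately.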
@@ -208,6 +185,30 @@ ifdef(`distro_gentoo',`
 	')
 
 	optional_policy(`
+		gorg_role(user_r, user_t)
+	')
+
+	optional_policy(`
+		links_role(user_r, user_t)
+	')
+
+	optional_policy(`
+		mutt_role(user_r, user_t)
+	')
+
+	optional_policy(`
+		pan_role(user_r, user_t)
+	')
+
+	optional_policy(`
 		pulseaudio_role(user_r, user_t)
 	')
+
+	optional_policy(`
+		rtorrent_role(user_r, user_t)
+	')
+
+	optional_policy(`
+		skype_role(user_r, user_t)
+	')
 ')
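Review bot: the message calls this a reshuffle, but the hunk headers show a behaviour change for non-Gentoo builds: chromium_role was previously applied unconditionally (top-level optional_policy in the first hunk) and gorg, links, mutt, pan, rtorrent and skype sat under ifndef(`distro_redhat',`; all seven now exist only under ifdef(`distro_gentoo',`. Every removed call does reappear, so Gentoo builds keep the same user_r roles, but the commit message should say that other distributions lose these role calls.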



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
  2014-11-23 14:06 [gentoo-commits] proj/hardened-refpolicy:bitcoin " Sven Vermeulen
@ 2014-11-22 18:24 ` Sven Vermeulen
  0 siblings, 0 replies; 49+ messages in thread
From: Sven Vermeulen @ 2014-11-22 18:24 UTC (permalink / raw
  To: gentoo-commits

commit:     9f71ba76490a062fa097c64028e719a803971b79
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Nov 22 18:20:55 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 22 18:20:55 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9f71ba76

Reshuffle to match upstream better (for comparisons)

---
 policy/modules/roles/sysadm.te | 136 ++++++++++++++++++++++-------------------
 1 file changed, 74 insertions(+), 62 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index af9d2cf..7e497b0 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -52,9 +52,6 @@ ifdef(`direct_sysadm_daemon',`
 ')
 
 ifdef(`distro_gentoo',`
-	# To support mirrorselect / netselect
-	allow sysadm_t self:rawip_socket create_socket_perms;
-
 	init_exec_rc(sysadm_t)
 ')
 
@@ -89,7 +86,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	asterisk_admin(sysadm_t, sysadm_r)
 	asterisk_stream_connect(sysadm_t)
 ')
 
@@ -106,7 +102,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	bind_admin(sysadm_t, sysadm_r)
 	bind_run_ndc(sysadm_t, sysadm_r)
 ')
 
@@ -157,10 +152,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	dracut_run(sysadm_t, sysadm_r)
-')
-
-optional_policy(`
 	firstboot_run(sysadm_t, sysadm_r)
 ')
 
@@ -242,45 +233,25 @@ optional_policy(`
 ')
 
 optional_policy(`
-	mutt_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
 	mysql_stream_connect(sysadm_t)
 ')
 
 optional_policy(`
-	networkmanager_run_wpa_cli(sysadm_t, sysadm_r)
-')
-
-optional_policy(`
 	netutils_run(sysadm_t, sysadm_r)
 	netutils_run_ping(sysadm_t, sysadm_r)
 	netutils_run_traceroute(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	nginx_admin(sysadm_t, sysadm_r)
-')
-
-optional_policy(`
 	ntp_stub()
 	corenet_udp_bind_ntp_port(sysadm_t)
 ')
 
 optional_policy(`
-	ntp_admin(sysadm_t, sysadm_r)
-')
-
-optional_policy(`
 	oav_run_update(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	openvpn_admin(sysadm_t, sysadm_r)
-')
-
-optional_policy(`
 	pcmcia_run_cardctl(sysadm_t, sysadm_r)
 ')
 
@@ -295,31 +266,10 @@ optional_policy(`
 ')
 
 optional_policy(`
-	postfix_admin(sysadm_t, sysadm_r)
-')
-
-optional_policy(`
-	postgresql_admin(sysadm_t, sysadm_r)
-	postgresql_exec(sysadm_t)
-')
-
-optional_policy(`
-	puppet_admin(sysadm_t, sysadm_r)
-')
-
-optional_policy(`
 	pyzor_role(sysadm_r, sysadm_t)
 ')
 
 optional_policy(`
-	qemu_read_state(sysadm_t)
-	qemu_signal(sysadm_t)
-	qemu_kill(sysadm_t)
-	qemu_setsched(sysadm_t)
-	qemu_run(sysadm_t, sysadm_r)
-')
-
-optional_policy(`
 	quota_run(sysadm_t, sysadm_r)
 ')
 
@@ -348,10 +298,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	rtorrent_admin(sysadm_t, sysadm_r)
-')
-
-optional_policy(`
 	samba_run_net(sysadm_t, sysadm_r)
 	samba_run_winbind_helper(sysadm_t, sysadm_r)
 ')
@@ -444,10 +390,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	vde_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
 	virt_stream_connect(sysadm_t)
 ')
 
@@ -517,10 +459,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		gorg_role(sysadm_r, sysadm_t)
-	')
-
-	optional_policy(`
 		gpg_role(sysadm_r, sysadm_t)
 	')
 
@@ -534,10 +472,27 @@ ifndef(`distro_redhat',`
 ')
 
 ifdef(`distro_gentoo',`
+	#########################################
+	#
+	# Local sysadm_t policy
+	#
+
+	# To support mirrorselect / netselect
+	allow sysadm_t self:rawip_socket create_socket_perms;
+
+
 	# powertop support
 	dev_read_cpuid(sysadm_t)
 
 	optional_policy(`
+		asterisk_admin(sysadm_t, sysadm_r)
+	')
+
+	optional_policy(`
+		bind_admin(sysadm_t, sysadm_r)
+	')
+
+	optional_policy(`
 		dnsmasq_admin(sysadm_t, sysadm_r)
 	')
 
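Review bot: two consecutive blank lines are added after the rawip_socket allow rule, before "# powertop support"; one is enough and matches the spacing used elsewhere in the block. Placing the bare allow rule under the "Local sysadm_t policy" banner inside ifdef(`distro_gentoo',` is the right home for a distribution-specific rule, and keeping the "# To support mirrorselect / netselect" comment with it is good.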
@@ -546,10 +501,59 @@ ifdef(`distro_gentoo',`
 	')
 
 	optional_policy(`
+		dracut_run(sysadm_t, sysadm_r)
+	')
+
+	optional_policy(`
 		fail2ban_run_client(sysadm_t, sysadm_r)
 	')
 
 	optional_policy(`
+		gorg_role(sysadm_r, sysadm_t)
+	')
+
+	optional_policy(`
+		mutt_role(sysadm_r, sysadm_t)
+	')
+
+	optional_policy(`
+		networkmanager_run_wpa_cli(sysadm_t, sysadm_r)
+	')
+
+	optional_policy(`
+		nginx_admin(sysadm_t, sysadm_r)
+	')
+
+	optional_policy(`
+		ntp_admin(sysadm_t, sysadm_r)
+	')
+
+	optional_policy(`
+		openvpn_admin(sysadm_t, sysadm_r)
+	')
+
+	optional_policy(`
+		postfix_admin(sysadm_t, sysadm_r)
+	')
+
+	optional_policy(`
+		postgresql_admin(sysadm_t, sysadm_r)
+		postgresql_exec(sysadm_t)
+	')
+
+	optional_policy(`
+		puppet_admin(sysadm_t, sysadm_r)
+	')
+
+	optional_policy(`
+		qemu_read_state(sysadm_t)
+		qemu_signal(sysadm_t)
+		qemu_kill(sysadm_t)
+		qemu_setsched(sysadm_t)
+		qemu_run(sysadm_t, sysadm_r)
+	')
+
+	optional_policy(`
 		rpc_admin(sysadm_t, sysadm_r)
 	')
 
@@ -558,6 +562,10 @@ ifdef(`distro_gentoo',`
 	')
 
 	optional_policy(`
+		rtorrent_admin(sysadm_t, sysadm_r)
+	')
+
+	optional_policy(`
 		salt_admin_master(sysadm_t, sysadm_r)
 		salt_admin_minion(sysadm_t, sysadm_r)
 	')
@@ -570,4 +578,8 @@ ifdef(`distro_gentoo',`
 	optional_policy(`
 		shorewall_admin(sysadm_t, sysadm_r)
 	')
+
+	optional_policy(`
+		vde_role(sysadm_r, sysadm_t)
+	')
 ')
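Review bot: the net effect is more than a move. asterisk_admin, bind_admin, dracut_run, mutt_role, networkmanager_run_wpa_cli, nginx_admin, ntp_admin, openvpn_admin, postfix_admin, postgresql_admin with postgresql_exec, puppet_admin, the five qemu_* calls, rtorrent_admin and vde_role were unconditional, and gorg_role sat under ifndef(`distro_redhat',`; after this patch all of them are Gentoo-only. Each removed call reappears under ifdef(`distro_gentoo',`, so Gentoo builds keep the same sysadm_t privileges, but "to match upstream better (for comparisons)" should spell out that non-Gentoo builds drop them.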



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
  2014-11-23 14:06 [gentoo-commits] proj/hardened-refpolicy:bitcoin " Sven Vermeulen
@ 2014-11-22 18:24 ` Sven Vermeulen
  0 siblings, 0 replies; 49+ messages in thread
From: Sven Vermeulen @ 2014-11-22 18:24 UTC (permalink / raw
  To: gentoo-commits

commit:     52b4ccdb7120e7c8259741d0fd35deea08208414
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Nov 22 18:14:02 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 22 18:14:02 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=52b4ccdb

Reshuffle to match upstream

---
 policy/modules/roles/staff.te | 49 ++++++++++++++++++++++---------------------
 1 file changed, 25 insertions(+), 24 deletions(-)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 8081d0b..14706de 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -23,10 +23,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	chromium_role(staff_r, staff_t)
-')
-
-optional_policy(`
 	dbadm_role_change(staff_r)
 ')
 
@@ -109,10 +105,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		gorg_role(staff_r, staff_t)
-	')
-
-	optional_policy(`
 		gpg_role(staff_r, staff_t)
 	')
 
@@ -125,10 +117,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		links_role(staff_r, staff_t)
-	')
-
-	optional_policy(`
 		lockdev_role(staff_r, staff_t)
 	')
 
@@ -149,14 +137,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		mutt_role(staff_r, staff_t)
-	')
-
-	optional_policy(`
-		pan_role(staff_r, staff_t)
-	')
-
-	optional_policy(`
 		pyzor_role(staff_r, staff_t)
 	')
 
@@ -169,10 +149,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		skype_role(staff_r, staff_t)
-	')
-
-	optional_policy(`
 		screen_role_template(staff, staff_r, staff_t)
 	')
 
@@ -210,11 +186,36 @@ ifndef(`distro_redhat',`
 ')
 
 ifdef(`distro_gentoo',`
+
+	optional_policy(`
+		chromium_role(staff_r, staff_t)
+	')
+
 	optional_policy(`
 		googletalk_run_plugin(staff_t, staff_r)
 	')
 
 	optional_policy(`
+		gorg_role(staff_r, staff_t)
+	')
+
+	optional_policy(`
+		links_role(staff_r, staff_t)
+	')
+
+	optional_policy(`
+		mutt_role(staff_r, staff_t)
+	')
+
+	optional_policy(`
+		pan_role(staff_r, staff_t)
+	')
+
+	optional_policy(`
 		pulseaudio_role(staff_r, staff_t)
 	')
+
+	optional_policy(`
+		skype_role(staff_r, staff_t)
+	')
 ')
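Review bot: the added blank line right after ifdef(`distro_gentoo',` is a style inconsistency (the ifndef(`distro_redhat',` block opens directly with optional_policy(`) and should go. Beyond style, chromium_role was previously unconditional and gorg, links, mutt, pan and skype sat under ifndef(`distro_redhat',`; after this patch all six are Gentoo-only, which "Reshuffle to match upstream" does not mention.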



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
  2014-12-03 12:56 [gentoo-commits] proj/hardened-refpolicy:adminroles " Jason Zaman
@ 2014-12-03 12:54 ` Jason Zaman
  0 siblings, 0 replies; 49+ messages in thread
From: Jason Zaman @ 2014-12-03 12:54 UTC (permalink / raw
  To: gentoo-commits

commit:     f774e2c1acf6fab64fad40f8e5234755c8bf39c3
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Dec  2 08:15:17 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec  3 09:30:09 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f774e2c1

Unify staff and user roles

user_r had a few things added which were not in staff_r. This adds them
to staff too so they are the same (apart from allowing staff to change
roles).

---
 policy/modules/roles/staff.te | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 14706de..1d4b3e0 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -192,6 +192,10 @@ ifdef(`distro_gentoo',`
 	')
 
 	optional_policy(`
+		dropbox_role(staff_r, staff_t)
+	')
+
+	optional_policy(`
 		googletalk_run_plugin(staff_t, staff_r)
 	')
 
@@ -200,6 +204,10 @@ ifdef(`distro_gentoo',`
 	')
 
 	optional_policy(`
+		hadoop_role(staff_r, staff_t)
+	')
+
+	optional_policy(`
 		links_role(staff_r, staff_t)
 	')
 
@@ -216,6 +224,10 @@ ifdef(`distro_gentoo',`
 	')
 
 	optional_policy(`
+		rtorrent_role(staff_r, staff_t)
+	')
+
+	optional_policy(`
 		skype_role(staff_r, staff_t)
 	')
 ')



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
  2014-12-03 12:56 [gentoo-commits] proj/hardened-refpolicy:adminroles " Jason Zaman
@ 2014-12-03 12:54 ` Jason Zaman
  0 siblings, 0 replies; 49+ messages in thread
From: Jason Zaman @ 2014-12-03 12:54 UTC (permalink / raw
  To: gentoo-commits

commit:     5572b308499e54999df84759d522779d8e4cfd0a
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Dec  2 11:14:38 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec  3 09:30:09 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5572b308

Add missing roles interfaces

Some interfaces were missing from staff_r and user_r, this adds them in

---
 policy/modules/roles/staff.te      | 16 ++++++++++++++++
 policy/modules/roles/unprivuser.te | 16 ++++++++++++++++
 2 files changed, 32 insertions(+)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 1d4b3e0..1a867f0 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -188,6 +188,14 @@ ifndef(`distro_redhat',`
 ifdef(`distro_gentoo',`
 
 	optional_policy(`
+		android_role(staff_r, staff_t)
+	')
+
+	optional_policy(`
+		at_role(staff_r, staff_t)
+	')
+
+	optional_policy(`
 		chromium_role(staff_r, staff_t)
 	')
 
@@ -230,4 +238,12 @@ ifdef(`distro_gentoo',`
 	optional_policy(`
 		skype_role(staff_r, staff_t)
 	')
+
+	optional_policy(`
+		wine_role(staff_r, staff_t)
+	')
+
+	optional_policy(`
+		xscreensaver_role(staff_r, staff_t)
+	')
 ')

diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index c171833..e349a03 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -173,6 +173,14 @@ ifndef(`distro_redhat',`
 ifdef(`distro_gentoo',`
 
 	optional_policy(`
+		android_role(user_r, user_t)
+	')
+
+	optional_policy(`
+		at_role(user_r, user_t)
+	')
+
+	optional_policy(`
 		chromium_role(user_r, user_t)
 	')
 
@@ -211,4 +219,12 @@ ifdef(`distro_gentoo',`
 	optional_policy(`
 		skype_role(user_r, user_t)
 	')
+
+	optional_policy(`
+		wine_role(user_r, user_t)
+	')
+
+	optional_policy(`
+		xscreensaver_role(user_r, user_t)
+	')
 ')



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
@ 2014-12-06  9:02 Jason Zaman
  0 siblings, 0 replies; 49+ messages in thread
From: Jason Zaman @ 2014-12-06  9:02 UTC (permalink / raw
  To: gentoo-commits

commit:     504ccfdd5b8e902defb65a4f644e8c81829afaec
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Dec  2 12:00:05 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sat Dec  6 09:01:48 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=504ccfdd

Allow users to talk to devicekit

Needed to read battery status and disk info and for suspend

Gentoo bug: 531784

type=USER_AVC msg=audit(1417367573.060:234): pid=3121 uid=101
auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
msg='avc:  denied  { send_msg } for msgtype=signal
interface=org.freedesktop.UPower member=DeviceChanged
dest=org.freedesktop.DBus spid=3606 tpid=3858
scontext=system_u:system_r:devicekit_power_t
tcontext=staff_u:staff_r:staff_t tclass=dbus  exe="/usr/bin/dbus-daemon"
sauid=101 hostname=? addr=? terminal=?'

type=USER_AVC msg=audit(1417363447.011:103525): pid=3339 uid=101
auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
msg='avc:  denied  { send_msg } for msgtype=signal
interface=org.freedesktop.DBus.Properties member=PropertiesChanged
dest=org.freedesktop.DBus spid=4094 tpid=4090
scontext=system_u:system_r:devicekit_disk_t
tcontext=staff_u:staff_r:staff_t tclass=dbus  exe="/usr/bin/dbus-daemon"
sauid=101 hostname=? addr=? terminal=?'

---
 policy/modules/roles/staff.te      | 6 ++++++
 policy/modules/roles/unprivuser.te | 5 +++++
 2 files changed, 11 insertions(+)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index d98704d..13ecf4d 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -200,6 +200,12 @@ ifdef(`distro_gentoo',`
 	')
 
 	optional_policy(`
+		# bug 531784
+		devicekit_dbus_chat_disk(staff_t)
+		devicekit_dbus_chat_power(staff_t)
+	')
+
+	optional_policy(`
 		dropbox_role(staff_r, staff_t)
 	')
 
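Review bot: the two quoted denials are one-directional (devicekit_power_t and devicekit_disk_t sending signals to staff_t), whereas devicekit_dbus_chat_disk and devicekit_dbus_chat_power grant send_msg in both directions, so staff_t also gains the right to call these services over D-Bus. That is almost certainly wanted for a desktop session (reading battery status and disk info, as the message says, is a client call), but it is broader than what the AVCs show and deserves a sentence in the commit message; the "# bug 531784" comment is a good anchor for it.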

diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 5c12488..93e2d60 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -185,6 +185,11 @@ ifdef(`distro_gentoo',`
 	')
 
 	optional_policy(`
+		devicekit_dbus_chat_disk(user_t)
+		devicekit_dbus_chat_power(user_t)
+	')
+
+	optional_policy(`
 		dropbox_role(user_r, user_t)
 	')
 
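Review bot: this block lacks the "# bug 531784" comment that the matching staff.te hunk carries; add it here as well so both role files point at the same rationale and the two blocks stay recognisably parallel when they are next compared.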


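An added example, not part of this commit or of the refpolicy tree: a small Python parser for USER_AVC D-Bus denials like the two quoted in the message above. It reduces each record to the tuple a policy writer actually decides on (source type, target type, object class, permission), counts them, and looks up the interface this commit applied for each devicekit source domain. Both sample records and the two interface names are taken from the commit itself; the function names, the UNMAPPED marker and the synthetic records in the test are mine.

```python
import re
from collections import Counter

# Constructed sample input: the two USER_AVC records quoted in the commit
# message above, re-joined onto one line each (the mail wrapped them).
SAMPLE_AVC = [
    "type=USER_AVC msg=audit(1417367573.060:234): pid=3121 uid=101 "
    "auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t "
    "msg='avc:  denied  { send_msg } for msgtype=signal "
    "interface=org.freedesktop.UPower member=DeviceChanged "
    "dest=org.freedesktop.DBus spid=3606 tpid=3858 "
    "scontext=system_u:system_r:devicekit_power_t "
    "tcontext=staff_u:staff_r:staff_t tclass=dbus  exe=\"/usr/bin/dbus-daemon\" "
    "sauid=101 hostname=? addr=? terminal=?'",
    "type=USER_AVC msg=audit(1417363447.011:103525): pid=3339 uid=101 "
    "auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t "
    "msg='avc:  denied  { send_msg } for msgtype=signal "
    "interface=org.freedesktop.DBus.Properties member=PropertiesChanged "
    "dest=org.freedesktop.DBus spid=4094 tpid=4090 "
    "scontext=system_u:system_r:devicekit_disk_t "
    "tcontext=staff_u:staff_r:staff_t tclass=dbus  exe=\"/usr/bin/dbus-daemon\" "
    "sauid=101 hostname=? addr=? terminal=?'",
]

# Interface the commit applied for each devicekit source domain (taken from
# the hunks above). Any other source domain is reported as UNMAPPED rather
# than silently dropped.
DBUS_CHAT_IFACE = {
    "devicekit_power_t": "devicekit_dbus_chat_power",
    "devicekit_disk_t": "devicekit_dbus_chat_disk",
}

_DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
# key=value tokens; only exe="..." is double-quoted in audit records, the
# outer msg='...' wrapper is handled by stripping quotes from each value.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of an SELinux context user:role:type[:level]."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    return parts[2]


def parse_user_avc(line):
    """Reduce one USER_AVC denial to the fields a policy writer needs.

    Returns None for records that are not USER_AVC denials.
    """
    if "type=USER_AVC" not in line:
        return None
    m = _DENIED_RE.search(line)
    if m is None:
        return None
    kv = {k: v.strip("\"'") for k, v in _KV_RE.findall(line)}
    for required in ("scontext", "tcontext", "tclass"):
        if required not in kv:
            raise ValueError("USER_AVC record without %s" % required)
    return {
        "perms": tuple(m.group(1).split()),
        "source_type": context_type(kv["scontext"]),
        "target_type": context_type(kv["tcontext"]),
        "tclass": kv["tclass"],
        "msgtype": kv.get("msgtype"),
        "interface": kv.get("interface"),
        "member": kv.get("member"),
    }


def summarize(lines):
    """Count denials by (source type, target type, class, permission)."""
    counts = Counter()
    for line in lines:
        rec = parse_user_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            counts[(rec["source_type"], rec["target_type"], rec["tclass"], perm)] += 1
    return counts


def suggest_interfaces(lines):
    """Map dbus send_msg denials to the *_dbus_chat interface this commit
    used, keyed by the target (user) type. Unknown source domains show up
    as UNMAPPED:<type> so they are not lost in the summary."""
    suggestions = {}
    for (src, tgt, tclass, perm) in summarize(lines):
        if tclass != "dbus" or perm != "send_msg":
            continue
        iface = DBUS_CHAT_IFACE.get(src)
        suggestions.setdefault(tgt, set()).add(iface if iface else "UNMAPPED:" + src)
    return suggestions


if __name__ == "__main__":
    for (src, tgt, tclass, perm), n in sorted(summarize(SAMPLE_AVC).items()):
        print("%d x %s -> %s %s { %s }" % (n, src, tgt, tclass, perm))
    for tgt, ifaces in suggest_interfaces(SAMPLE_AVC).items():
        print("%s: %s" % (tgt, ", ".join(sorted(ifaces))))
```

Feed it `ausearch -m USER_AVC` output (or the lines from /var/log/audit/audit.log) instead of SAMPLE_AVC. The point of the summary step is that the decision is made per (source, target, class, permission) pair and per interface, not per raw record: the same pair shows up once per D-Bus signal, and the interface chosen (here a bidirectional _dbus_chat) can grant more than the observed direction, which is exactly what a reviewer wants to see spelled out before the block lands.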

* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
  2015-04-11 10:07 [gentoo-commits] proj/hardened-refpolicy:nginx " Jason Zaman
@ 2015-04-11 10:10 ` Jason Zaman
  0 siblings, 0 replies; 49+ messages in thread
From: Jason Zaman @ 2015-04-11 10:10 UTC (permalink / raw
  To: gentoo-commits

commit:     9d0def09397588bb9e752809b2a67d3889be0b97
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Apr 11 08:13:25 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Apr 11 10:06:37 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9d0def09

allow sysadmin to administrate uwsgi

 policy/modules/roles/sysadm.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 91da175..4cfb014 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -585,6 +585,10 @@ ifdef(`distro_gentoo',`
 	')
 
 	optional_policy(`
+		uwsgi_admin(sysadm_t, sysadm_r)
+	')
+
+	optional_policy(`
 		vde_role(sysadm_r, sysadm_t)
 	')
 ')



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
@ 2015-05-30 16:15 Jason Zaman
  0 siblings, 0 replies; 49+ messages in thread
From: Jason Zaman @ 2015-05-30 16:15 UTC (permalink / raw
  To: gentoo-commits

commit:     bfd35800dc901a938a2aef452538cf417e2861e5
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat May 30 15:54:07 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat May 30 16:00:29 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bfd35800

Add kdeconnect role entries

bug 536672

 policy/modules/roles/staff.te      | 5 +++++
 policy/modules/roles/unprivuser.te | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 13ecf4d..30e13d2 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -222,6 +222,11 @@ ifdef(`distro_gentoo',`
 	')
 
 	optional_policy(`
+		kdeconnect_role(staff_r, staff_t)
+		kdeconnect_dbus_chat(staff_t)
+	')
+
+	optional_policy(`
 		links_role(staff_r, staff_t)
 	')
 
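Review bot: the commit message cites bug 536672 but the block itself carries no "# bug 536672" comment, unlike the devicekit change earlier in this thread; adding it here (and in the matching unprivuser.te block) keeps the rationale next to the rule. Pairing kdeconnect_dbus_chat(staff_t) with kdeconnect_role is fine, but the message should say which D-Bus denial the chat interface answers, since _role alone evidently did not cover it.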

diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 93e2d60..eca14f1 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -202,6 +202,11 @@ ifdef(`distro_gentoo',`
 	')
 
 	optional_policy(`
+		kdeconnect_role(user_r, user_t)
+		kdeconnect_dbus_chat(user_t)
+	')
+
+	optional_policy(`
 		links_role(user_r, user_t)
 	')
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
@ 2015-06-09 13:33 Jason Zaman
  0 siblings, 0 replies; 49+ messages in thread
From: Jason Zaman @ 2015-06-09 13:33 UTC (permalink / raw
  To: gentoo-commits

commit:     9af1d958667a91d353ce389ed5e4449750d54142
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Jun  8 20:38:22 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jun  9 13:06:34 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9af1d958

Add all the missing _admin interfaces to sysadm

Lots of the foo_admin() interfaces were not applied to sysadm. This
patch adds all the ones that were missing.

The tests pass for all combinations of distros, monolithic,
direct_initrc, standard/mcs/mls.

 policy/modules/roles/sysadm.te | 910 ++++++++++++++++++++++++++++++++++++++---
 1 file changed, 845 insertions(+), 65 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 9169215..4ece2da 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -66,216 +66,791 @@ tunable_policy(`allow_ptrace',`
 ')
 
 optional_policy(`
+	abrt_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	accountsd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	acct_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	afs_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	aiccu_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	aide_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	aisexecd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
 	amanda_run_recover(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	apache_run_helper(sysadm_t, sysadm_r)
-	#apache_run_all_scripts(sysadm_t, sysadm_r)
-	#apache_domtrans_sys_script(sysadm_t)
-	apache_role(sysadm_r, sysadm_t)
+	amavis_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	amtu_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	apache_admin(sysadm_t, sysadm_r)
+	apache_run_helper(sysadm_t, sysadm_r)
+	#apache_run_all_scripts(sysadm_t, sysadm_r)
+	#apache_domtrans_sys_script(sysadm_t)
+	apache_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+	apcupsd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	apm_admin(sysadm_t, sysadm_r)
+	apm_run_client(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	apt_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	arpwatch_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	asterisk_admin(sysadm_t, sysadm_r)
+	asterisk_stream_connect(sysadm_t)
+')
+
+optional_policy(`
+	auditadm_role_change(sysadm_r)
+')
+
+optional_policy(`
+	automount_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	avahi_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	backup_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	bacula_run_admin(sysadm_t, sysadm_r)
+	bacula_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	bcfg2_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	bind_admin(sysadm_t, sysadm_r)
+	bind_run_ndc(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	bird_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	bitlbee_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	boinc_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	bootloader_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	bugzilla_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	cachefilesd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	calamaris_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	callweaver_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	canna_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	ccs_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	certmaster_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	certmonger_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	certwatch_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	cfengine_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	cgroup_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	chronyd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	cipe_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	clamav_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	clock_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	clockspeed_run_cli(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	cmirrord_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	cobbler_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	collectd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	condor_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	consoletype_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	corosync_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	couchdb_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	ctdb_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	cups_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	cvs_admin(sysadm_t, sysadm_r)
+	cvs_exec(sysadm_t)
+')
+
+optional_policy(`
+	cyphesis_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	cyrus_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	dante_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	dcc_run_cdcc(sysadm_t, sysadm_r)
+	dcc_run_client(sysadm_t, sysadm_r)
+	dcc_run_dbclean(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	ddclient_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	ddcprobe_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	denyhosts_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	devicekit_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	dhcpd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	dictd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	dirmngr_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	distcc_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	dkim_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	dmesg_exec(sysadm_t)
+')
+
+optional_policy(`
+	dmidecode_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	dnsmasq_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	dnssectrigger_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	dovecot_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	dpkg_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	drbd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	dspam_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	entropyd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	exim_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	fail2ban_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	fcoe_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	fetchmail_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	firewalld_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	firstboot_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	fstools_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	ftp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	gatekeeper_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	gdomap_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	glance_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	glusterfs_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	gpm_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	gpsd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	hadoop_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+	hddtemp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	hostname_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	howl_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	hypervkvp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	i18n_input_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	icecast_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	ifplugd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	inn_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	iodine_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	# allow system administrator to use the ipsec script to look
+	# at things (e.g., ipsec auto --status)
+	# probably should create an ipsec_admin role for this kind of thing
+	ipsec_exec_mgmt(sysadm_t)
+	ipsec_stream_connect(sysadm_t)
+	# for lsof
+	ipsec_getattr_key_sockets(sysadm_t)
+')
+
+optional_policy(`
+	iptables_admin(sysadm_t, sysadm_r)
+	iptables_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	irqbalance_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	iscsi_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	isnsd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	jabber_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	kdump_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	kerberos_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	kerneloops_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	keystone_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	kismet_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	ksmtuned_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	kudzu_admin(sysadm_t, sysadm_r)
+	kudzu_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	l2tp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	ldap_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	libs_run_ldconfig(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	lightsquid_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	likewise_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	lircd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	lldpad_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	lockdev_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+	logrotate_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	lpd_run_checkpc(sysadm_t, sysadm_r)
+	lpd_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+	lsmd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	lvm_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	mandb_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	mcelog_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	memcached_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	minidlna_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	minissdpd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	modutils_run_depmod(sysadm_t, sysadm_r)
+	modutils_run_insmod(sysadm_t, sysadm_r)
+	modutils_run_update_mods(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	mongodb_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	monop_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	mount_run(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	# cjp: why is this not apm_run_client
-	apm_domtrans_client(sysadm_t)
+	mozilla_role(sysadm_r, sysadm_t)
 ')
 
 optional_policy(`
-	apt_run(sysadm_t, sysadm_r)
+	mpd_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	asterisk_stream_connect(sysadm_t)
+	mplayer_role(sysadm_r, sysadm_t)
 ')
 
 optional_policy(`
-	auditadm_role_change(sysadm_r)
+	mrtg_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	backup_run(sysadm_t, sysadm_r)
+	mscan_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	bacula_run_admin(sysadm_t, sysadm_r)
+	mta_role(sysadm_r, sysadm_t)
 ')
 
 optional_policy(`
-	bind_run_ndc(sysadm_t, sysadm_r)
+	munin_stream_connect(sysadm_t)
 ')
 
 optional_policy(`
-	bootloader_run(sysadm_t, sysadm_r)
+	mysql_admin(sysadm_t, sysadm_r)
+	mysql_stream_connect(sysadm_t)
 ')
 
 optional_policy(`
-	certwatch_run(sysadm_t, sysadm_r)
+	nagios_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	clock_run(sysadm_t, sysadm_r)
+	nessus_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	clockspeed_run_cli(sysadm_t, sysadm_r)
+	netutils_run(sysadm_t, sysadm_r)
+	netutils_run_ping(sysadm_t, sysadm_r)
+	netutils_run_traceroute(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	consoletype_run(sysadm_t, sysadm_r)
+	networkmanager_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	cvs_exec(sysadm_t)
+	nis_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	dcc_run_cdcc(sysadm_t, sysadm_r)
-	dcc_run_client(sysadm_t, sysadm_r)
-	dcc_run_dbclean(sysadm_t, sysadm_r)
+	nscd_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	ddcprobe_run(sysadm_t, sysadm_r)
+	nslcd_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	dmesg_exec(sysadm_t)
+	ntop_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	dmidecode_run(sysadm_t, sysadm_r)
+	ntp_admin(sysadm_t, sysadm_r)
+	corenet_udp_bind_ntp_port(sysadm_t)
 ')
 
 optional_policy(`
-	dpkg_run(sysadm_t, sysadm_r)
+	numad_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	firstboot_run(sysadm_t, sysadm_r)
+	nut_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	fstools_run(sysadm_t, sysadm_r)
+	oav_run_update(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	hostname_run(sysadm_t, sysadm_r)
+	oident_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	hadoop_role(sysadm_r, sysadm_t)
+	openct_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	# allow system administrator to use the ipsec script to look
-	# at things (e.g., ipsec auto --status)
-	# probably should create an ipsec_admin role for this kind of thing
-	ipsec_exec_mgmt(sysadm_t)
-	ipsec_stream_connect(sysadm_t)
-	# for lsof
-	ipsec_getattr_key_sockets(sysadm_t)
+	openhpi_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	iptables_admin(sysadm_t, sysadm_r)
-	iptables_run(sysadm_t, sysadm_r)
+	openvpn_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	kudzu_run(sysadm_t, sysadm_r)
+	openvswitch_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	libs_run_ldconfig(sysadm_t, sysadm_r)
+	pacemaker_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	lockdev_role(sysadm_r, sysadm_t)
+	pads_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	logrotate_run(sysadm_t, sysadm_r)
+	pcmcia_run_cardctl(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	lpd_run_checkpc(sysadm_t, sysadm_r)
-	lpd_role(sysadm_r, sysadm_t)
+	pcscd_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	lvm_run(sysadm_t, sysadm_r)
+	pegasus_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	modutils_run_depmod(sysadm_t, sysadm_r)
-	modutils_run_insmod(sysadm_t, sysadm_r)
-	modutils_run_update_mods(sysadm_t, sysadm_r)
+	perdition_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	mount_run(sysadm_t, sysadm_r)
+	pingd_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	mozilla_role(sysadm_r, sysadm_t)
+	pkcs_admin_slotd(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	mplayer_role(sysadm_r, sysadm_t)
+	plymouthd_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	mta_role(sysadm_r, sysadm_t)
+	polipo_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	munin_stream_connect(sysadm_t)
+	portage_run(sysadm_t, sysadm_r)
+	portage_run_fetch(sysadm_t, sysadm_r)
+	portage_run_gcc_config(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	mysql_stream_connect(sysadm_t)
+	portmap_run_helper(sysadm_t, sysadm_r)
+	portmap_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	netutils_run(sysadm_t, sysadm_r)
-	netutils_run_ping(sysadm_t, sysadm_r)
-	netutils_run_traceroute(sysadm_t, sysadm_r)
+	portreserve_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	ntp_stub()
-	corenet_udp_bind_ntp_port(sysadm_t)
+	postfix_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	oav_run_update(sysadm_t, sysadm_r)
+	postfixpolicyd_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	pcmcia_run_cardctl(sysadm_t, sysadm_r)
+	postgrey_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	portage_run(sysadm_t, sysadm_r)
-	portage_run_fetch(sysadm_t, sysadm_r)
-	portage_run_gcc_config(sysadm_t, sysadm_r)
+	ppp_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	portmap_run_helper(sysadm_t, sysadm_r)
+	prelude_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	privoxy_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	psad_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	puppet_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
+	pxe_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	pyicqt_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	pyzor_admin(sysadm_t, sysadm_r)
 	pyzor_role(sysadm_r, sysadm_t)
 ')
 
 optional_policy(`
+	qpidd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	quantum_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
 	quota_run(sysadm_t, sysadm_r)
+	quota_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	rabbitmq_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	radius_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	radvd_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
 	raid_run_mdadm(sysadm_r, sysadm_t)
+	raid_admin_mdadm(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
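Review bot: the argument order at the tail of this hunk is inconsistent and should be checked against raid.if before merging: the kept line `raid_run_mdadm(sysadm_r, sysadm_t)` passes the role first, while the added `raid_admin_mdadm(sysadm_t, sysadm_r)` passes the domain first, and a swapped (role, domain) pair either fails to build or binds the role to the wrong type. Two further points. The hunk interleaves a reordering of existing blocks (the `-` lines for apm_domtrans_client, apt_run, asterisk_stream_connect, auditadm_role_change and so on are not re-added anywhere visible here) with the new `_admin` grants, so a reviewer needs the full file to confirm nothing was dropped in the move; splitting the reorder and the additions into separate commits would make that checkable from the diff alone. Replacing `ntp_stub()` with `ntp_admin(sysadm_t, sysadm_r)` while keeping `corenet_udp_bind_ntp_port(sysadm_t)` is fine, since the stub only existed to tie that optional block to the ntp module and `ntp_admin` now does the same. Finally, the ipsec block still carries `# probably should create an ipsec_admin role for this kind of thing`; now that nearly every other service gets an `_admin` call, that TODO is worth tracking rather than carrying forward again.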
@@ -283,11 +858,49 @@ optional_policy(`
 ')
 
 optional_policy(`
+	redis_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	resmgr_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	rgmanager_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	rhcs_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	rhsmcertd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	ricci_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	rngd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	roundup_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	rpc_admin(sysadm_t, sysadm_r)
 	rpc_domtrans_nfsd(sysadm_t)
 ')
 
 optional_policy(`
+	rpcbind_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
 	rpm_run(sysadm_t, sysadm_r)
+	rpm_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
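Review bot: `rpc_admin(sysadm_t, sysadm_r)` is added directly above the existing `rpc_domtrans_nfsd(sysadm_t)`, and `rpm_admin(sysadm_t, sysadm_r)` below the existing `rpm_run(sysadm_t, sysadm_r)`; in both blocks please state whether the older call is still needed once the `_admin` interface is in place. If the `_admin` interface already covers the transition, the second line is redundant; if it does not, a one-line comment saying why the direct call stays would save the next reader from asking the same question.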
@@ -295,10 +908,22 @@ optional_policy(`
 ')
 
 optional_policy(`
+	rsync_admin(sysadm_t, sysadm_r)
 	rsync_exec(sysadm_t)
 ')
 
 optional_policy(`
+	rtkit_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	rwho_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	samba_admin(sysadm_t, sysadm_r)
+	samba_run_smbcontrol(sysadm_t, sysadm_r)
+	samba_run_smbmount(sysadm_t, sysadm_r)
 	samba_run_net(sysadm_t, sysadm_r)
 	samba_run_winbind_helper(sysadm_t, sysadm_r)
 ')
@@ -308,6 +933,18 @@ optional_policy(`
 ')
 
 optional_policy(`
+	sanlock_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	sasl_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	sblim_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
 	screen_role_template(sysadm, sysadm_r, sysadm_t)
 ')
 
@@ -316,11 +953,52 @@ optional_policy(`
 ')
 
 optional_policy(`
+	sensord_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	setroubleshoot_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
 	seutil_run_setfiles(sysadm_t, sysadm_r)
 	seutil_run_runinit(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
+	shorewall_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	slpd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	smartmon_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	smokeping_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	smstools_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	snmp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	snort_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	soundserver_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	spamassassin_admin(sysadm_t, sysadm_r)
 	spamassassin_role(sysadm_r, sysadm_t)
 ')
 
@@ -329,10 +1007,18 @@ optional_policy(`
 ')
 
 optional_policy(`
+	sssd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
 	staff_role_change(sysadm_r)
 ')
 
 optional_policy(`
+	stapserver_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
 	su_role_template(sysadm, sysadm_r, sysadm_t)
 ')
 
@@ -341,15 +1027,43 @@ optional_policy(`
 ')
 
 optional_policy(`
+	svnserve_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
 	sysnet_run_ifconfig(sysadm_t, sysadm_r)
 	sysnet_run_dhcpc(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
+	sysstat_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	tcsd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	tftp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	tgtd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
 	thunderbird_role(sysadm_r, sysadm_t)
 ')
 
 optional_policy(`
+	tor_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	transproxy_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
 	tripwire_run_siggen(sysadm_t, sysadm_r)
 	tripwire_run_tripwire(sysadm_t, sysadm_r)
 	tripwire_run_twadmin(sysadm_t, sysadm_r)
@@ -365,6 +1079,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	ulogd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
 	uml_role(sysadm_r, sysadm_t)
 ')
 
@@ -377,6 +1095,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	uptime_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
 	usbmodules_run(sysadm_t, sysadm_r)
 ')
 
@@ -391,6 +1113,31 @@ optional_policy(`
 ')
 
 optional_policy(`
+	uucp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	uuidd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	varnishd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	varnishd_admin_varnishlog(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	vdagent_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	vhostmd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	virt_admin(sysadm_t, sysadm_r)
 	virt_stream_connect(sysadm_t)
 ')
 
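Review bot: `varnishd_admin(sysadm_t, sysadm_r)` and `varnishd_admin_varnishlog(sysadm_t, sysadm_r)` are put in two separate `optional_policy` blocks although both come from the varnishd module. Elsewhere in this diff, calls from one module share a block (for example `mysql_admin(sysadm_t, sysadm_r)` with `mysql_stream_connect(sysadm_t)`, and `virt_admin` with `virt_stream_connect` at the end of this hunk), so fold the two varnishd calls into one block for consistency.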
@@ -399,10 +1146,22 @@ optional_policy(`
 ')
 
 optional_policy(`
+	vnstatd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
 	vpn_run(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
+	watchdog_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	wdmd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
 	webalizer_run(sysadm_t, sysadm_r)
 ')
 
@@ -419,15 +1178,32 @@ optional_policy(`
 ')
 
 optional_policy(`
+	xfs_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
 	yam_run(sysadm_t, sysadm_r)
 ')
 
+optional_policy(`
+	zabbix_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	zarafa_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	zebra_admin(sysadm_t, sysadm_r)
+')
+
 ifndef(`distro_redhat',`
 	optional_policy(`
 		auth_role(sysadm_r, sysadm_t)
 	')
 
 	optional_policy(`
+		bluetooth_admin(sysadm_t, sysadm_r)
 		bluetooth_role(sysadm_r, sysadm_t)
 	')
 
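Review bot: `bluetooth_admin(sysadm_t, sysadm_r)` is added inside the `ifndef(`distro_redhat',` section next to `bluetooth_role`, whereas every other `_admin` call in this diff is unconditional. If sysadm is meant to administer the bluetooth daemon on all distributions, the `_admin` line belongs in the unconditional section above; as placed, Red Hat builds of this policy get the role but not the admin rights. The same applies to `ircd_admin` in the next hunk.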
@@ -468,6 +1244,10 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
+		ircd_admin(sysadm_t, sysadm_r)
+	')
+
+	optional_policy(`
 		java_role(sysadm_r, sysadm_t)
 	')
 ')



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
@ 2015-06-09 14:37 Jason Zaman
  0 siblings, 0 replies; 49+ messages in thread
From: Jason Zaman @ 2015-06-09 14:37 UTC (permalink / raw
  To: gentoo-commits

commit:     ded2b53d98e2ce1066bb21aadf87432bf670321b
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jun  9 13:46:24 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jun  9 14:36:29 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ded2b53d

Remove _admin interfaces from ifdef gentoo section

They are now upstream.

 policy/modules/roles/sysadm.te | 36 ------------------------------------
 1 file changed, 36 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 13b48c6..1963c88 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1270,23 +1270,11 @@ ifdef(`distro_gentoo',`
 	')
 
 	optional_policy(`
-		bind_admin(sysadm_t, sysadm_r)
-	')
-
-	optional_policy(`
 		# Bug 529208
 		dmesg_run(sysadm_t, sysadm_r)
 	')
 
 	optional_policy(`
-		dnsmasq_admin(sysadm_t, sysadm_r)
-	')
-
-	optional_policy(`
-		dovecot_admin(sysadm_t, sysadm_r)
-	')
-
-	optional_policy(`
 		dracut_run(sysadm_t, sysadm_r)
 	')
 
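Review bot: the commit message says the removed calls are now upstream, but `bind_admin`, `dnsmasq_admin` and `dovecot_admin` do not appear in any unconditional block visible in this thread (the large sysadm.te diff earlier starts at `gdomap_admin`), so the diff alone cannot show that these three are moved rather than dropped. Please cite the upstream commit that added them in the message, or include the matching unconditional lines as context.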
@@ -1311,27 +1299,11 @@ ifdef(`distro_gentoo',`
 	')
 
 	optional_policy(`
-		ntp_admin(sysadm_t, sysadm_r)
-	')
-
-	optional_policy(`
-		openvpn_admin(sysadm_t, sysadm_r)
-	')
-
-	optional_policy(`
-		postfix_admin(sysadm_t, sysadm_r)
-	')
-
-	optional_policy(`
 		postgresql_admin(sysadm_t, sysadm_r)
 		postgresql_exec(sysadm_t)
 	')
 
 	optional_policy(`
-		puppet_admin(sysadm_t, sysadm_r)
-	')
-
-	optional_policy(`
 		qemu_read_state(sysadm_t)
 		qemu_signal(sysadm_t)
 		qemu_kill(sysadm_t)
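Review bot: this hunk is consistent with the earlier sysadm.te diff in this thread, where `ntp_admin`, `openvpn_admin`, `postfix_admin` and `puppet_admin` all appear in unconditional `optional_policy` blocks, so the Gentoo-only copies removed here were duplicates. The `postgresql_admin`/`postgresql_exec` block that stays behind `ifdef(`distro_gentoo',` deserves a sentence in the message on why it is not part of the same cleanup, so the intended end state of the section is clear.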
@@ -1340,10 +1312,6 @@ ifdef(`distro_gentoo',`
 	')
 
 	optional_policy(`
-		rpc_admin(sysadm_t, sysadm_r)
-	')
-
-	optional_policy(`
 		rpcbind_stream_connect(sysadm_t)
 	')
 
@@ -1362,10 +1330,6 @@ ifdef(`distro_gentoo',`
 	')
 
 	optional_policy(`
-		shorewall_admin(sysadm_t, sysadm_r)
-	')
-
-	optional_policy(`
 		uwsgi_admin(sysadm_t, sysadm_r)
 	')
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
@ 2015-06-09 14:37 Jason Zaman
  0 siblings, 0 replies; 49+ messages in thread
From: Jason Zaman @ 2015-06-09 14:37 UTC (permalink / raw
  To: gentoo-commits

commit:     d0fe826f850a149ba60f855049fb81c70804be23
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jun  9 14:01:58 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jun  9 14:36:29 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d0fe826f

sysadm: add gentoo _admin interfaces to sysadm.te

 policy/modules/roles/sysadm.te | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 1963c88..6a91344 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1270,6 +1270,10 @@ ifdef(`distro_gentoo',`
 	')
 
 	optional_policy(`
+		bitcoin_admin(sysadm_t, sysadm_r)
+	')
+
+	optional_policy(`
 		# Bug 529208
 		dmesg_run(sysadm_t, sysadm_r)
 	')
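Review bot: the one-line message says what is added but not why these stay under `ifdef(`distro_gentoo',` when the previous commit in this thread moved other `_admin` calls out of that section. A line stating that bitcoin, logsentry and phpfpm are Gentoo-only modules, and so must remain behind the ifdef until they are upstreamed, would make the pairing with the preceding removal commit explicit.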
@@ -1287,6 +1291,10 @@ ifdef(`distro_gentoo',`
 	')
 
 	optional_policy(`
+		logsentry_admin(sysadm_t, sysadm_r)
+	')
+
+	optional_policy(`
 		mutt_role(sysadm_r, sysadm_t)
 	')
 
@@ -1299,6 +1307,10 @@ ifdef(`distro_gentoo',`
 	')
 
 	optional_policy(`
+		phpfpm_admin(sysadm_t, sysadm_r)
+	')
+
+	optional_policy(`
 		postgresql_admin(sysadm_t, sysadm_r)
 		postgresql_exec(sysadm_t)
 	')



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
@ 2015-07-13 17:42 Sven Vermeulen
  0 siblings, 0 replies; 49+ messages in thread
From: Sven Vermeulen @ 2015-07-13 17:42 UTC (permalink / raw
  To: gentoo-commits

commit:     bd0bd6698519ad08b0b6a6e92160c8d88fecd159
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Jul 13 17:42:01 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Jul 13 17:42:01 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bd0bd669

Add ceph_admin() to sysadm

 policy/modules/roles/sysadm.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 6a91344..e0442db 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1274,6 +1274,10 @@ ifdef(`distro_gentoo',`
 	')
 
 	optional_policy(`
+		ceph_admin(sysadm_t, sysadm_r)
+	')
+
+	optional_policy(`
 		# Bug 529208
 		dmesg_run(sysadm_t, sysadm_r)
 	')
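Review bot: same placement question as for the bitcoin/logsentry/phpfpm additions earlier in this thread: `ceph_admin(sysadm_t, sysadm_r)` lands under `ifdef(`distro_gentoo',`, which is correct only while the ceph module is Gentoo-specific. The message should say so, so that the call is moved into the unconditional section once the module is upstream, as was done for bind, dnsmasq and dovecot above.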



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
  2015-08-02 19:06 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-07-31 14:15 ` Jason Zaman
  0 siblings, 0 replies; 49+ messages in thread
From: Jason Zaman @ 2015-07-31 14:15 UTC (permalink / raw
  To: gentoo-commits

commit:     6c4a0602c48114388e3a94c979e16b1130018bd9
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri Jul 10 23:30:17 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jul 30 16:41:28 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6c4a0602

add new cron_admin interface to sysadm

 policy/modules/roles/sysadm.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index b6cf594..e479d77 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -274,6 +274,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	cron_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
 	ctdb_admin(sysadm_t, sysadm_r)
 ')
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
  2015-10-26  5:36 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-10-26  5:48 ` Jason Zaman
  0 siblings, 0 replies; 49+ messages in thread
From: Jason Zaman @ 2015-10-26  5:48 UTC (permalink / raw
  To: gentoo-commits

commit:     a787ebb2610fa8e056cff06b97239a4493767ed6
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Oct 20 16:53:58 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 03:53:43 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a787ebb2

Add rules for sysadm_r to manage the services.

 policy/modules/roles/sysadm.te | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 40420c7..70fcf14 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -34,6 +34,15 @@ ubac_file_exempt(sysadm_t)
 ubac_fd_exempt(sysadm_t)
 
 init_exec(sysadm_t)
+init_get_system_status(sysadm_t)
+init_disable(sysadm_t)
+init_enable(sysadm_t)
+init_reload(sysadm_t)
+init_reboot_system(sysadm_t)
+init_shutdown_system(sysadm_t)
+init_start_generic_units(sysadm_t)
+init_stop_generic_units(sysadm_t)
+init_reload_generic_units(sysadm_t)
 
 # Add/remove user home directories
 userdom_manage_user_home_dirs(sysadm_t)
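Review bot: nine unconditional grants are added without a comment, in contrast to the `# Add/remove user home directories` style used just below. `init_reboot_system`, `init_shutdown_system`, `init_enable` and `init_disable` in particular change what sysadm_t can do to boot state and unit enablement, so a comment stating that these are the service-management interfaces used under systemd (and are inert on sysvinit, if that is the case) would document the intent. It is also worth confirming in the message that `init_start_generic_units`, `init_stop_generic_units` and `init_reload_generic_units` are what "manage the services" means, since the `_generic_units` naming suggests only generically labelled units are covered here.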



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
@ 2016-03-11 17:20 Jason Zaman
  0 siblings, 0 replies; 49+ messages in thread
From: Jason Zaman @ 2016-03-11 17:20 UTC (permalink / raw
  To: gentoo-commits

commit:     3482c268ef9e1d51b447450b2188cfffe0ab3d71
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Mon Mar  7 15:33:08 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Mar 11 17:15:38 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3482c268

Allow sysadm to run txt-stat.

 policy/modules/roles/sysadm.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 865b3c2..2426d84 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1052,6 +1052,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	tboot_run_txtstat(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
 	tcsd_admin(sysadm_t, sysadm_r)
 ')
 
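Review bot: the message does not say why sysadm needs this; a sentence noting that txt-stat reports the Intel TXT/tboot launch status, so that an administrator can verify a measured launch, would document the intent of `tboot_run_txtstat(sysadm_t, sysadm_r)`. The `optional_policy` guard and the alphabetical placement before `tcsd_admin` are fine.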



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
@ 2017-01-01 16:36 Jason Zaman
  0 siblings, 0 replies; 49+ messages in thread
From: Jason Zaman @ 2017-01-01 16:36 UTC (permalink / raw
  To: gentoo-commits

commit:     9836d440ba09e3169d6c43c702bdf5fdd32e1222
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Dec 21 19:29:44 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan  1 16:26:28 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9836d440

Module version bump for xscreensaver patch from Guido Trentalancia.

 policy/modules/roles/staff.te      | 2 +-
 policy/modules/roles/sysadm.te     | 2 +-
 policy/modules/roles/unprivuser.te | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index a528f99..d110235 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -1,4 +1,4 @@
-policy_module(staff, 2.7.2)
+policy_module(staff, 2.7.3)
 
 ########################################
 #

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 286d088..f7b3518 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1,4 +1,4 @@
-policy_module(sysadm, 2.10.2)
+policy_module(sysadm, 2.10.3)
 
 ########################################
 #

diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index f0c990d..e18d24b 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -1,4 +1,4 @@
-policy_module(unprivuser, 2.7.2)
+policy_module(unprivuser, 2.7.3)
 
 # this module should be named user, but that is
 # a compile error since user is a keyword.



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
  2017-01-01 16:37 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2017-01-01 16:36 ` Jason Zaman
  0 siblings, 0 replies; 49+ messages in thread
From: Jason Zaman @ 2017-01-01 16:36 UTC (permalink / raw
  To: gentoo-commits

commit:     1c05ab474a015637a094f5237c454b104acd531a
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Mon Dec 19 23:48:46 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan  1 16:26:28 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1c05ab47

base: enable the xscreensaver role

This patch enables the xscreensaver role so that the
xscreensaver module is used on those systems where the
corresponding application is installed.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/roles/staff.te      | 4 ++++
 policy/modules/roles/sysadm.te     | 4 ++++
 policy/modules/roles/unprivuser.te | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index db93894..a528f99 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -60,6 +60,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	xscreensaver_role(staff_r, staff_t)
+')
+
+optional_policy(`
 	xserver_role(staff_r, staff_t)
 ')
 

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 8b8a687..286d088 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1199,6 +1199,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	xscreensaver_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
 	xserver_role(sysadm_r, sysadm_t)
 ')
 

diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index da8fbc7..f0c990d 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -29,6 +29,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	xscreensaver_role(user_r, user_t)
+')
+
+optional_policy(`
 	xserver_role(user_r, user_t)
 ')
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
  2017-01-01 16:37 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2017-01-01 16:36 ` Jason Zaman
  0 siblings, 0 replies; 49+ messages in thread
From: Jason Zaman @ 2017-01-01 16:36 UTC (permalink / raw
  To: gentoo-commits

commit:     793b9316c684d5e8474cb9f520dfa86016c1e930
Author:     Guido Trentalancia via refpolicy <refpolicy <AT> oss <DOT> tresys <DOT> com>
AuthorDate: Thu Dec 29 22:07:36 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan  1 16:31:26 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=793b9316

sysadm: add the shutdown role

Add the shutdown role interface call to the sysadm role module.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/roles/sysadm.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index f7b3518..2a129bd 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -991,6 +991,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	shutdown_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
 	slpd_admin(sysadm_t, sysadm_r)
 ')
 
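Review bot: with `shutdown_role(sysadm_r, sysadm_t)` sysadm now has two halt/reboot paths in sysadm.te: the shutdown_t transition added here and the direct `init_reboot_system(sysadm_t)` / `init_shutdown_system(sysadm_t)` grants added earlier in this thread. Neither is wrong, but the message should say which path is intended for which tool (the shutdown domain for the classic shutdown binary, the init interfaces for init-level control) so the overlap is not later mistaken for a leftover and removed by accident.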



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
@ 2017-05-25 16:43 Jason Zaman
  0 siblings, 0 replies; 49+ messages in thread
From: Jason Zaman @ 2017-05-25 16:43 UTC (permalink / raw
  To: gentoo-commits

commit:     a6327618acb0e35b2290809b402afc12685a35ea
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sat May 13 21:15:27 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 25 16:32:29 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a6327618

base: role changes for the new libmtp module

This is the base part of the policy needed to support libmtp (an
Initiator implementation of the Media Transfer Protocol).

Signed-off-by: Guido Trentalancia <guido at trentalancia.net>

 policy/modules/roles/staff.te      | 4 ++++
 policy/modules/roles/sysadm.te     | 4 ++++
 policy/modules/roles/unprivuser.te | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 8971a209..4614f3e6 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -125,6 +125,10 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
+		libmtp_role(staff_r, staff_t)
+	')
+
+	optional_policy(`
 		lockdev_role(staff_r, staff_t)
 	')
 

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 13149a4c..bff6e59c 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -551,6 +551,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	libmtp_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
 	libs_run_ldconfig(sysadm_t, sysadm_r)
 ')
 
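Review bot: placement differs between the three files in this patch: in staff.te and unprivuser.te `libmtp_role` goes under `ifndef(`distro_redhat',` (indented, next to `lockdev_role`), but here in sysadm.te it is added to the unconditional section before `libs_run_ldconfig`. Either sysadm is meant to get the role on Red Hat builds as well, in which case the message should say so, or the sysadm call should move into the same `ifndef` block for consistency with the other two roles.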

diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index b040b4ab..f6be7db2 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -98,6 +98,10 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
+		libmtp_role(user_r, user_t)
+	')
+
+	optional_policy(`
 		lockdev_role(user_r, user_t)
 	')
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
@ 2017-05-25 16:43 Jason Zaman
  0 siblings, 0 replies; 49+ messages in thread
From: Jason Zaman @ 2017-05-25 16:43 UTC (permalink / raw
  To: gentoo-commits

commit:     6c13b5635c3567daac556cbaeffbcd40c0460204
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue May 23 00:20:47 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 25 16:32:29 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6c13b563

Module version bump for libmtp from Guido Trentalancia.

 policy/modules/roles/staff.te      | 2 +-
 policy/modules/roles/sysadm.te     | 2 +-
 policy/modules/roles/unprivuser.te | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 4614f3e6..06e5087c 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -1,4 +1,4 @@
-policy_module(staff, 2.8.0)
+policy_module(staff, 2.8.1)
 
 ########################################
 #

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index bff6e59c..baebc901 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1,4 +1,4 @@
-policy_module(sysadm, 2.11.6)
+policy_module(sysadm, 2.11.7)
 
 ########################################
 #

diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index f6be7db2..557e5e63 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -1,4 +1,4 @@
-policy_module(unprivuser, 2.8.0)
+policy_module(unprivuser, 2.8.1)
 
 # this module should be named user, but that is
 # a compile error since user is a keyword.



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
@ 2017-06-05 17:25 Jason Zaman
  0 siblings, 0 replies; 49+ messages in thread
From: Jason Zaman @ 2017-06-05 17:25 UTC (permalink / raw
  To: gentoo-commits

commit:     770a4d5409b9e3ad4f6a4c35ee3da18b94974d26
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 26 15:59:31 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jun  5 17:16:18 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=770a4d54

dirmngr: add to roles

 policy/modules/roles/staff.te      | 4 ++++
 policy/modules/roles/sysadm.te     | 4 ++++
 policy/modules/roles/unprivuser.te | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 6cf73d28..ed383dc1 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -102,6 +102,10 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
+		dirmngr_role(staff_r, staff_t)
+	')
+
+	optional_policy(`
 		evolution_role(staff_r, staff_t)
 	')
 

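Review bot: the new dirmngr_role(staff_r, staff_t) block lands inside the `ifndef(`distro_redhat',` section shown in the hunk header, next to evolution_role, so Red Hat-flavoured builds will not receive it; if that is intended (dirmngr treated as a desktop/user application there), one sentence in the commit message would make it explicit, otherwise the block belongs above the ifndef. Alphabetical placement (dirmngr before evolution) and the optional_policy wrapper are correct, since dirmngr is a loadable module.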
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index a4fffc27..e2dcf56d 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1268,6 +1268,10 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
+		dirmngr_role(sysadm_r, sysadm_t)
+	')
+
+	optional_policy(`
 		evolution_role(sysadm_r, sysadm_t)
 	')
 

diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 557e5e63..6095a87e 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -70,6 +70,10 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
+		dirmngr_role(user_r, user_t)
+	')
+
+	optional_policy(`
 		evolution_role(user_r, user_t)
 	')
 

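Review bot: dirmngr_role(user_r, user_t) gives the unprivileged user role the same dirmngr access that the staff and sysadm hunks grant, which is consistent for a per-user GnuPG helper whose role interface, like other refpolicy role interfaces, mainly permits the domain transition and access to the caller's own dirmngr files. Note that none of the three hunks bumps policy_module(); the bumps arrive separately in 514c0d50 below, so both commits need to ship together for the module versions to match the content.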


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
From: Jason Zaman @ 2017-06-05 17:25 UTC
  To: gentoo-commits

commit:     514c0d5079b3e1d725e60ba72c7d39a91c3c8512
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Jun  1 01:09:50 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jun  5 17:16:18 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=514c0d50

Module version bumps for patches from Jason Zaman.

 policy/modules/roles/staff.te      | 2 +-
 policy/modules/roles/sysadm.te     | 2 +-
 policy/modules/roles/unprivuser.te | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index ed383dc1..2906f52f 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -1,4 +1,4 @@
-policy_module(staff, 2.8.2)
+policy_module(staff, 2.8.3)
 
 ########################################
 #

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index e2dcf56d..8912fb6e 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1,4 +1,4 @@
-policy_module(sysadm, 2.11.8)
+policy_module(sysadm, 2.11.9)
 
 ########################################
 #

diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 6095a87e..64d726c2 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -1,4 +1,4 @@
-policy_module(unprivuser, 2.8.1)
+policy_module(unprivuser, 2.8.2)
 
 # this module should be named user, but that is
 # a compile error since user is a keyword.



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
From: Jason Zaman @ 2021-09-05 16:00 UTC
  To: gentoo-commits

commit:     1d87f26bb009966f7bc42131a972c15c911a2d1e
Author:     Jonathan Davies <jpds <AT> protonmail <DOT> com>
AuthorDate: Tue Jul  6 14:54:35 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep  5 14:26:44 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1d87f26b

sysadm.te: Allow sysadm_t to read/write Xen character devices so userspace tooling works.

Signed-off-by: Jonathan Davies <jpds <AT> protonmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/roles/sysadm.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index fdf6b149..3aa6b9d5 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -323,6 +323,10 @@ optional_policy(`
 	devicekit_admin(sysadm_t, sysadm_r)
 ')
 
+optional_policy(`
+	dev_rw_xen(sysadm_t)
+')
+
 optional_policy(`
 	dhcpd_admin(sysadm_t, sysadm_r)
 ')
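Review bot: dev_rw_xen() is a kernel-layer devices interface, not one supplied by an optional module, so the optional_policy(`...') wrapper around it is redundant (the block can never be skipped); refpolicy convention calls dev_* interfaces unwrapped in the kernel section of the file rather than interleaved with the alphabetised *_admin blocks. Since the rule grants sysadm_t read/write on the Xen control devices on every host, Xen or not, consider whether it should live in xen_admin() or the xen optional block instead, and have the commit message cite the denial behind "so userspace tooling works" so the scope of the grant is reviewable.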



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
From: Jason Zaman @ 2021-11-21  3:00 UTC
  To: gentoo-commits

commit:     0cc30b1089f75122a6263280eb41cf6ce34cb092
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Fri Nov 12 19:57:36 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Nov 20 22:58:24 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0cc30b10

guest, xguest: remove apache role access

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/roles/guest.te  | 4 ----
 policy/modules/roles/xguest.te | 4 ----
 2 files changed, 8 deletions(-)

diff --git a/policy/modules/roles/guest.te b/policy/modules/roles/guest.te
index 255e63cd..d3eb2584 100644
--- a/policy/modules/roles/guest.te
+++ b/policy/modules/roles/guest.te
@@ -16,10 +16,6 @@ kernel_read_system_state(guest_t)
 # Local policy
 #
 
-optional_policy(`
-	apache_role(guest, guest_t, guest_application_exec_domain, guest_r)
-')
-
 optional_policy(`
 	dbus_role_template(guest, guest_r, guest_t)
 ')
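Review bot: the commit message says what is removed but not why; apache_role() wires a user role into httpd user-content handling (the guest_application_exec_domain argument visible here is the hook into the guest exec-domain attribute), so state whether it is dropped because guest/xguest should never run web content or because the apache module's role interface changed, otherwise the removal may later be mistaken for a regression and reverted. The xguest hunk mirrors this one, so a single sentence covers both.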

diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
index ae8e69f2..bd410fd2 100644
--- a/policy/modules/roles/xguest.te
+++ b/policy/modules/roles/xguest.te
@@ -85,10 +85,6 @@ optional_policy(`
 	')
 ')
 
-optional_policy(`
-	apache_role(xguest, xguest_t, xguest_application_exec_domain, xguest_r)
-')
-
 optional_policy(`
 	gnomeclock_dontaudit_dbus_chat(xguest_t)
 ')



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/
From: Kenton Groombridge @ 2022-11-02 14:42 UTC
  To: gentoo-commits

commit:     1c6edc939663629956dee0cfb6ed621dc7f34f03
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sat Sep 24 16:36:39 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Wed Nov  2 14:07:10 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1c6edc93

sysadm: allow opensm access

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/roles/sysadm.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 4677a9239..9df768776 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -736,6 +736,10 @@ optional_policy(`
 	openhpi_admin(sysadm_t, sysadm_r)
 ')
 
+optional_policy(`
+	opensm_admin(sysadm_t, sysadm_r)
+')
+
 optional_policy(`
 	openvpn_admin(sysadm_t, sysadm_r)
 ')
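Review bot: opensm_admin(sysadm_t, sysadm_r) sits in the correct alphabetical slot between openhpi_admin and openvpn_admin and follows the same optional_policy pattern as its neighbours; the title "allow opensm access" undersells the change, though, because an *_admin interface grants the role full administrative control (service, configuration and runtime files) over the opensm domain rather than plain access, so word it as granting the opensm admin interface to sysadm.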


