public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/admin/
@ 2014-08-19 20:18 Jason Zaman
From: Jason Zaman @ 2014-08-19 20:18 UTC
  To: gentoo-commits

commit:     e28086742e431918f0a742b4a8bc458b83032f40
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Aug 18 14:30:28 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Aug 19 20:06:38 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e2808674

Module version bump for ping rawip socket fix from Luis Ressel.

---
 policy/modules/admin/netutils.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 570bf2c..cfd9700 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,4 +1,4 @@
-policy_module(netutils, 1.13.0)
+policy_module(netutils, 1.13.1)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/admin/
@ 2014-08-19 20:18 Jason Zaman
From: Jason Zaman @ 2014-08-19 20:18 UTC
  To: gentoo-commits

commit:     ed4c234f64e2e952f796563b8a7bb4a23b3210cc
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Thu Jun 26 21:22:07 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Aug 19 20:06:36 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ed4c234f

Grant ping_t getattr on rawip_socket

If the (sadly nearly undocumented) Linux kernel feature which allows
specific user groups to send ICMP echos without CAP_NET_RAW
(configurable with the sysctl net.ipv4.ping_group_range, available since
3.0) is used, ping needs the getattr permission of the rawip_socket
class in order to work.

---
 policy/modules/admin/netutils.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 7aa7384..570bf2c 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -110,7 +110,7 @@ allow ping_t self:capability { setuid net_raw };
 allow ping_t self:process { getcap setcap };
 dontaudit ping_t self:capability sys_tty_config;
 allow ping_t self:tcp_socket create_socket_perms;
-allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
+allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr };
 allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
 allow ping_t self:netlink_route_socket create_netlink_socket_perms;
 
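Review bot: the new getattr permission matches what the commit message describes, since getattr on a socket class covers getsockname()/getpeername(), but a one-line comment above the rule saying that the SOCK_DGRAM/IPPROTO_ICMP socket used under net.ipv4.ping_group_range is classed as rawip_socket would explain why an unprivileged-ping feature needs a raw-IP permission; nothing in the rule itself says so. Note also that the context line `allow ping_t self:capability { setuid net_raw };` stays, so this widens the domain rather than retiring the privileged path; that is correct for a policy that must also cover setuid ping binaries, but it means ping_t does not get any smaller when the sysctl is in use.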


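As an added example that is not part of this commit or of the refpolicy sources, the C program below exercises the kernel feature the message above describes: it reads net.ipv4.ping_group_range, opens the SOCK_DGRAM/IPPROTO_ICMP socket without CAP_NET_RAW, calls getsockname() on it and sends one echo request to loopback. getsockname() is the call that SELinux checks as getattr on the socket's class, and on kernels of this era the ping socket is classed as rawip_socket, which is why the rule above gains that permission. Assumed: a Linux kernel of 3.0 or later, an IPv4 loopback interface, and (for the socket to open) a gid inside the configured range.

```c
/* Added example, not part of the hardened-refpolicy commit above.  It
 * exercises the unprivileged ICMP "ping socket" that the sysctl
 * net.ipv4.ping_group_range enables: the socket is opened without
 * CAP_NET_RAW, getsockname() is called on it (the syscall behind the
 * rawip_socket getattr check the patch adds) and one echo request goes to
 * loopback.  Build: cc -Wall -o pingsock pingsock.c */
#include <errno.h>
#include <netinet/in.h>
#include <netinet/ip_icmp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Decide from the "low high" text of /proc/sys/net/ipv4/ping_group_range
 * whether gid may open ping sockets: 1 if yes, 0 if no, -1 if the text is
 * malformed.  The kernel default "1 0" is an empty range (feature off). */
int ping_allowed_for(const char *text, gid_t gid)
{
    unsigned long lo, hi;

    if (text == NULL || sscanf(text, "%lu %lu", &lo, &hi) != 2)
        return -1;
    return lo <= hi && gid >= lo && gid <= hi;
}

/* Open the ping socket.  No capability is involved; the kernel only checks
 * the caller's gid against ping_group_range (EACCES when outside it).
 * Returns the fd or -errno. */
int open_ping_socket(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);

    return fd < 0 ? -errno : fd;
}

/* Send one echo request to 127.0.0.1 and wait up to a second for the reply.
 * On this socket type the kernel fills in identifier and checksum; user
 * space supplies type ICMP_ECHO, code 0 and a sequence number.
 * Returns 0 once a reply arrives, -errno otherwise. */
int echo_loopback(int fd)
{
    struct icmphdr req;
    struct sockaddr_in dst;
    struct timeval tv = { 1, 0 };
    unsigned char buf[128];

    memset(&req, 0, sizeof req);
    req.type = ICMP_ECHO;
    req.un.echo.sequence = htons(1);
    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    dst.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv) < 0)
        return -errno;
    if (sendto(fd, &req, sizeof req, 0, (struct sockaddr *)&dst, sizeof dst) < 0)
        return -errno;
    if (recv(fd, buf, sizeof buf, 0) < 0)
        return -errno;
    return 0;
}

int main(void)
{
    char line[64];
    struct sockaddr_in local;
    socklen_t len = sizeof local;
    FILE *f = fopen("/proc/sys/net/ipv4/ping_group_range", "r");
    int fd, rc;

    if (f == NULL || fgets(line, sizeof line, f) == NULL) {
        perror("ping_group_range");
        return 1;
    }
    fclose(f);
    line[strcspn(line, "\n")] = '\0';
    printf("gid %lu is %s net.ipv4.ping_group_range (%s)\n", (unsigned long)getgid(),
           ping_allowed_for(line, getgid()) == 1 ? "inside" : "outside", line);
    if ((fd = open_ping_socket()) < 0) {
        fprintf(stderr, "socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP): %s\n", strerror(-fd));
        return 1;
    }
    /* Under SELinux a denial at this call is logged as rawip_socket { getattr }. */
    if (getsockname(fd, (struct sockaddr *)&local, &len) < 0) {
        perror("getsockname");
        return 1;
    }
    rc = echo_loopback(fd);
    printf("echo to 127.0.0.1: %s\n", rc == 0 ? "reply received" : strerror(-rc));
    close(fd);
    return rc == 0 ? 0 : 1;
}
```

Run it as an unprivileged user after setting the range as root (for example `sysctl -w net.ipv4.ping_group_range="0 65534"`); with the default "1 0" the socket() call fails with EACCES, and under a policy that lacks the getattr rule the getsockname() step is the one that is denied. Later kernels that enable the extended_socket_class policy capability classify this socket as icmp_socket rather than rawip_socket, so on such systems the equivalent permission belongs on that class.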

* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/admin/
@ 2014-08-31 20:51 Jason Zaman
From: Jason Zaman @ 2014-08-31 20:51 UTC
  To: gentoo-commits

commit:     a2c27b5797c6d7420fe0bb36ee364406d260c960
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 31 18:14:16 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sun Aug 31 18:14:16 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a2c27b57

Mark mkconfig as bootloader executable too

---
 policy/modules/admin/bootloader.fc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
index d56f931..2503c58 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -10,3 +10,7 @@
 /usr/sbin/grub2?-bios-setup	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/sbin/grub2?-install	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/sbin/grub2?-probe	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/sbin/grub2?-mkconfig	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+')



* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/admin/
@ 2014-10-12  9:51 Jason Zaman
From: Jason Zaman @ 2014-10-12  9:51 UTC
  To: gentoo-commits

commit:     f591616e559675fd9ebec18575267d125d4eb135
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Oct  6 13:50:58 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sun Oct 12 08:24:40 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f591616e

Module version bump for Debian arping fc entries from Laurent Bigonville.

---
 policy/modules/admin/netutils.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index cfd9700..5f4c84e 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,4 +1,4 @@
-policy_module(netutils, 1.13.1)
+policy_module(netutils, 1.13.2)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/admin/
@ 2014-10-12  9:51 Jason Zaman
From: Jason Zaman @ 2014-10-12  9:51 UTC
  To: gentoo-commits

commit:     d211e0e619833fd7743396651109e91eb09d620d
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Fri Oct  3 12:35:58 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sun Oct 12 08:24:33 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d211e0e6

Debian also ship a different arping implementation

In addition to the iputils arping implementation, Debian also ships
another implementation which is installed under /usr/sbin/arping

---
 policy/modules/admin/netutils.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
index 355714d..a4672ca 100644
--- a/policy/modules/admin/netutils.fc
+++ b/policy/modules/admin/netutils.fc
@@ -9,6 +9,7 @@
 /usr/bin/nmap		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
 /usr/bin/traceroute.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
 
+/usr/sbin/arping	--	gen_context(system_u:object_r:netutils_exec_t,s0)
 /usr/sbin/fping 	--	gen_context(system_u:object_r:ping_exec_t,s0)
 /usr/sbin/traceroute.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
 /usr/sbin/hping2	--	gen_context(system_u:object_r:ping_exec_t,s0)
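Review bot: labelling the second implementation netutils_exec_t matches the existing /sbin/arping entry, but the two programs are different code bases, so check that the Debian /usr/sbin/arping needs nothing beyond what netutils_t already allows before merging; any shortfall will surface as denials in the shared domain rather than as a labelling problem. Ordering is fine (before fping); the stray space before the tab in the `/usr/sbin/fping 	--` context line is pre-existing and could be cleaned up while here.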



* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/admin/
@ 2014-10-12  9:51 Jason Zaman
From: Jason Zaman @ 2014-10-12  9:51 UTC
  To: gentoo-commits

commit:     733eef5b0f9b79c0b8dd2b5a9ea4020cc0c765f7
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Oct 12 08:40:53 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sun Oct 12 08:40:53 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=733eef5b

Allow sudo to create /var/run/sudo if non-existing

When sudo is invoked and the /var/run/sudo directory (in which a ts/
subdirectory would be created and managed by sudo) is not available yet,
sudo will try to create it.

Grant it this privilege and have this directory be labeled as
pam_var_run_t.

Without this, we get:
sudo: unable to mkdir /var/run/sudo: Permission denied

---
 policy/modules/admin/sudo.if | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index d9114b3..b282877 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -160,6 +160,9 @@ template(`sudo_role_template',`
 		fprintd_dbus_chat($1_sudo_t)
 	')
 
+	ifdef(`distro_gentoo',`
+		auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
+	')
 ')
 
 ########################################
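Review bot: auth_pid_filetrans_pam_var_run() gives the domain the name-based type transition and write/add_name access on the parent pid directory, but creating the directory also needs create on pam_var_run_t:dir; confirm the template already grants $1_sudo_t manage rights on pam_var_run_t (it needs them for the ts/ subdirectory anyway), otherwise the mkdir reported in the commit message still fails, just one step later. A comment explaining why this is Gentoo-only (ifdef(`distro_gentoo')) would also help, since sudo creating /var/run/sudo is not distribution-specific behaviour; if the reason is that other distributions pre-create the directory at boot, say so.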



* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/admin/
@ 2014-10-12  9:51 Jason Zaman
From: Jason Zaman @ 2014-10-12  9:51 UTC
  To: gentoo-commits

commit:     282116096675c76b306401b6dd93ee63e22e5931
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Fri Oct  3 12:29:05 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sun Oct 12 08:24:31 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=28211609

On Debian iputils-arping is installed in /usr/bin/arping

---
 policy/modules/admin/netutils.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
index 407078f..355714d 100644
--- a/policy/modules/admin/netutils.fc
+++ b/policy/modules/admin/netutils.fc
@@ -4,6 +4,7 @@
 
 /sbin/arping		--	gen_context(system_u:object_r:netutils_exec_t,s0)
 
+/usr/bin/arping		--	gen_context(system_u:object_r:netutils_exec_t,s0)
 /usr/bin/lft		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
 /usr/bin/nmap		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
 /usr/bin/traceroute.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
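Review bot: the `--` qualifier restricts this entry to regular files, so if a distribution installs /usr/bin/arping as a symlink (for example through an alternatives mechanism) the entry will not match and the binary keeps the default bin_t label; check how Debian actually installs the path before relying on it. Otherwise the entry is consistent with the existing /sbin/arping line above it and keeps the file's alphabetical order.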



* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/admin/
@ 2014-10-12  9:51 Jason Zaman
From: Jason Zaman @ 2014-10-12  9:51 UTC
  To: gentoo-commits

commit:     67ee9d7026c6e3887eb590811aa1291682945840
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Oct 12 08:56:22 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sun Oct 12 08:56:22 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=67ee9d70

Allow setting ownership of ts/ directory

When creating the ts/ directory (in which sudo keeps timestamps), allow
the sudo application to set ownership.

No errors involved (only denial) but the end result is different (group
ownership is different, even though there is no group privilege).

---
 policy/modules/admin/sudo.if | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index b282877..58c456b 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -161,6 +161,9 @@ template(`sudo_role_template',`
 	')
 
 	ifdef(`distro_gentoo',`
+		# Set ownership of ts directory (timestamp keeping)
+		allow $1_sudo_t self:capability { chown };
+		# Create /var/run/sudo
 		auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
 	')
 ')
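Review bot: refpolicy style writes a single permission without braces, so `allow $1_sudo_t self:capability { chown };` should read `allow $1_sudo_t self:capability chown;` (compare `dontaudit ping_t self:capability sys_tty_config;` earlier in this thread). More substantively, CAP_CHOWN lets the domain change the ownership of any file it can already write, which is wider than the single chown of the ts/ directory described in the commit message; since the message also says the only symptom is a denial and a different group owner on a directory that grants no group permissions, a dontaudit would be the tighter choice if the ownership difference is cosmetic, and if it is not, the comment should say why the ownership matters.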


