* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/system/
@ 2014-10-12 9:51 Jason Zaman
From: Jason Zaman @ 2014-10-12 9:51 UTC
To: gentoo-commits
commit: eaef7e0bc37c62511400aaf136f8bb6e4e63241a
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Oct 12 08:38:37 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sun Oct 12 08:38:37 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=eaef7e0b
Add auth_pid_filetrans_pam_var_run
This interface allows a domain to create resources inside the generic
pid location (/var/run) and have them created with the pam_var_run_t
type.
---
policy/modules/system/authlogin.if | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 8225390..f20a6a6 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -1805,3 +1805,37 @@ interface(`auth_unconfined',`
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
+
+# Should be in an ifdef distro_gentoo but that is not supported in the global if file
+
+########################################
+## <summary>
+## Create specified objects in
+## pid directories with the pam var
+## run file type using a
+## file type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`auth_pid_filetrans_pam_var_run',`
+ gen_require(`
+ type pam_var_run_t;
+ ')
+
+ files_pid_filetrans($1, pam_var_run_t, $2, $3)
+')
+
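Review bot: The interface grants only the name transition, not create or write access on pam_var_run_t, so a caller still needs the existing auth_manage_pam_pid (or an equivalent) before the created object is usable; the <summary> would be clearer if it said so. The loose `# Should be in an ifdef distro_gentoo ...` line above the doc block is not picked up by the interface documentation tooling, so the Gentoo-only intent is invisible to consumers; either drop it or record that intent in the summary. Otherwise the gen_require and the `files_pid_filetrans($1, pam_var_run_t, $2, $3)` call follow the pattern of the other filetrans interfaces in this file.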
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/system/
@ 2014-10-12 9:51 Jason Zaman
From: Jason Zaman @ 2014-10-12 9:51 UTC
To: gentoo-commits
commit: 206d478257fb5d42e7fe6f6808c7d7d349a282a9
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sat Aug 23 13:11:05 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sun Oct 12 08:24:37 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=206d4782
Fix minor typo in init.if
---
policy/modules/system/init.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 36eb078..2b7793a 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -789,7 +789,7 @@ interface(`init_rw_initctl',`
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
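Review bot: No issues; "Domain to not audit." is the parameter wording refpolicy uses for dontaudit interfaces, so the description now matches what the interface body does. The hunk header names init_rw_initctl only because that is the nearest preceding anchor line, not the interface being edited.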
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/system/
@ 2014-08-25 17:16 Jason Zaman
From: Jason Zaman @ 2014-08-25 17:16 UTC
To: gentoo-commits
commit: 1df21420237c54a402798d9cff437c32017c714e
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 22 19:05:19 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Fri Aug 22 19:05:19 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1df21420
Allow sysadmins to interact with the kernel (for instance for the lsusb command)
---
policy/modules/system/userdomain.if | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 5b26aef..78cb3ad 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1245,6 +1245,8 @@ template(`userdom_admin_user_template',`
ifdef(`distro_gentoo',`
# Grant block_suspend capability2 to administrators, this annoys the heck out of me
allow $1_t self:capability2 { block_suspend };
+ # Allow admins to interact with kernel, for instance using lsusb command
+ allow $1 self:netlink_kobject_uevent_socket create_socket_perms;
# Moved out of files_relabel_non_auth_files as it cannot be used in tunable_policy otherwise
seutil_relabelto_bin_policy($1_t)
')
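Review bot: The new rule uses `$1` as the source domain, but inside userdom_admin_user_template the argument is a prefix and the domain is `$1_t`, as the adjacent `allow $1_t self:capability2 { block_suspend };` and `seutil_relabelto_bin_policy($1_t)` lines show; it should read `allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;` or the template will not compile. The permission choice itself is reasonable: create_socket_perms on the uevent socket is enough to receive kernel device events and does not extend to any other netlink family.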
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/system/
@ 2014-08-25 17:16 Jason Zaman
From: Jason Zaman @ 2014-08-25 17:16 UTC
To: gentoo-commits
commit: fe1414d1fa7a4453a871dd3587384d1c6d432ce2
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 22 18:07:09 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Fri Aug 22 18:07:09 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fe1414d1
insmod deletes obsolete module deps (make modules_install)
---
policy/modules/system/modutils.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 419b826..b17ad6c 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -337,6 +337,8 @@ ifdef(`distro_gentoo',`
# insmod_t
#
+ # During "make modules_install" insmod removes old/previous deps
+ delete_files_pattern(insmod_t, modules_object_t, modules_dep_t)
# During "make modules_install" temp files created by admin
# that invoked the command are later used by kmod.
userdom_manage_user_tmp_files(insmod_t)
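Review bot: The comment should name the program that performs the deletion and why it runs as insmod_t, because unlinking modules_dep_t files is a dependency-regeneration task and a reader will otherwise wonder whether a domain transition, rather than an extra delete permission, is the right fix. The hunk header shows this lives under ifdef(`distro_gentoo',`, yet regenerating module dependencies during "make modules_install" is not Gentoo-specific, so it is a candidate for upstream. The `delete_files_pattern(insmod_t, modules_object_t, modules_dep_t)` call is the correct pattern for unlinking files of that type inside the modules directory.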
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/system/
@ 2014-08-25 17:16 Jason Zaman
From: Jason Zaman @ 2014-08-25 17:16 UTC
To: gentoo-commits
commit: 482dc188fa0709641e76778f2c22f0b248cb4f82
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 22 19:12:15 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Fri Aug 22 19:12:15 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=482dc188
It is a template, so use _t (compile issue otherwise)
---
policy/modules/system/userdomain.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 78cb3ad..08139d9 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1246,7 +1246,7 @@ template(`userdom_admin_user_template',`
# Grant block_suspend capability2 to administrators, this annoys the heck out of me
allow $1_t self:capability2 { block_suspend };
# Allow admins to interact with kernel, for instance using lsusb command
- allow $1 self:netlink_kobject_uevent_socket create_socket_perms;
+ allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
# Moved out of files_relabel_non_auth_files as it cannot be used in tunable_policy otherwise
seutil_relabelto_bin_policy($1_t)
')
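Review bot: Correct fix: within the template the argument is a prefix and the domain is `$1_t`, matching every surrounding rule. Since the `$1` form was introduced by a separate commit on the same branch, squashing the two before merging would keep every commit compiling and the history bisectable.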
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/system/
@ 2014-08-22 12:27 Jason Zaman
From: Jason Zaman @ 2014-08-22 12:27 UTC
To: gentoo-commits
commit: d9b301bb1c15d5f50bffccc58667d7f0dce316c5
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Mon Aug 11 13:52:56 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Thu Aug 21 17:29:43 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d9b301bb
Grant mount permission to access /dev/fuse
This is needed for mounting FUSE-based filesystems like ntfs-3g.
---
policy/modules/system/mount.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 83854fd..7db4a9a 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -121,6 +121,7 @@ storage_raw_read_fixed_disk(mount_t)
storage_raw_write_fixed_disk(mount_t)
storage_raw_read_removable_device(mount_t)
storage_raw_write_removable_device(mount_t)
+storage_rw_fuse(mount_t)
term_use_all_terms(mount_t)
term_dontaudit_manage_pty_dirs(mount_t)
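Review bot: Missing module version bump: refpolicy convention is to bump policy_module() in mount.te whenever its rules change, and this hunk adds `storage_rw_fuse(mount_t)` without one. The placement after the storage_raw_* calls keeps the storage_ block alphabetical, which is good. A one-line comment next to the rule (FUSE-based filesystems such as ntfs-3g, per the commit message) would keep the rationale in the policy file rather than only in git history.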
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/system/
@ 2014-08-22 12:27 Jason Zaman
From: Jason Zaman @ 2014-08-22 12:27 UTC
To: gentoo-commits
commit: c0519a41863a832f15e1617b50e457b73bcc3c7a
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Thu Aug 21 13:53:51 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Thu Aug 21 17:29:47 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c0519a41
Module version bump for FUSE fix for mount from Luis Ressel.
---
policy/modules/system/mount.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 7db4a9a..9b46a76 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -1,4 +1,4 @@
-policy_module(mount, 1.17.1)
+policy_module(mount, 1.17.2)
########################################
#
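Review bot: Patch-level bump (1.17.1 to 1.17.2) is the right granularity for a rule-only addition with no interface changes; no issues. For future submissions, carrying the bump in the same commit as the rule change it covers avoids a commit that ships changed rules under an unchanged module version.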
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2014-08-20 17:10 Jason Zaman
From: Jason Zaman @ 2014-08-20 17:10 UTC
To: gentoo-commits
commit: 9660ec3c7e65d654770832d9011cce2eb7bc1134
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Aug 20 16:26:29 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Aug 20 17:10:23 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9660ec3c
Allow udev to set predictable ifnames
Udev sets the interface names predictably; it uses a
netlink_route_socket to do so.
More info at:
http://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/
---
policy/modules/system/udev.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 83a8b11..737e854 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -332,6 +332,9 @@ ifdef(`distro_gentoo',`
allow udev_t self:capability2 block_suspend;
allow udev_t udev_tbl_t:dir relabelto;
+ # needed for predictable network interfaces naming
+ allow udev_t self:netlink_route_socket rw_netlink_socket_perms;
+
manage_dirs_pattern(udev_t, udev_tbl_t, udev_tbl_t)
manage_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)
manage_lnk_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)
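Review bot: The rule sits inside the ifdef(`distro_gentoo',` block shown in the hunk header, but predictable interface naming is generic udev behaviour rather than a Gentoo-specific one, so it belongs with the common udev_t rules and is a candidate for upstream. The permission set is right: renaming an interface is an RTM_SETLINK request, which the kernel maps to nlmsg_write, so rw_netlink_socket_perms is needed and a read-only netlink set would not suffice. The comment line documents the purpose; keep it.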
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/system/
@ 2014-08-20 17:13 Jason Zaman
From: Jason Zaman @ 2014-08-20 17:13 UTC
To: gentoo-commits
commit: 9660ec3c7e65d654770832d9011cce2eb7bc1134
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Aug 20 16:26:29 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Aug 20 17:10:23 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9660ec3c
Allow udev to set predictable ifnames
Udev sets the interface names predictably; it uses a
netlink_route_socket to do so.
More info at:
http://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/
---
policy/modules/system/udev.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 83a8b11..737e854 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -332,6 +332,9 @@ ifdef(`distro_gentoo',`
allow udev_t self:capability2 block_suspend;
allow udev_t udev_tbl_t:dir relabelto;
+ # needed for predictable network interfaces naming
+ allow udev_t self:netlink_route_socket rw_netlink_socket_perms;
+
manage_dirs_pattern(udev_t, udev_tbl_t, udev_tbl_t)
manage_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)
manage_lnk_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)
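Review bot: Same hunk as the :next branch message; the remaining nit is that the rationale lives only in the commit message. Appending the freedesktop PredictableNetworkInterfaceNames URL to the `# needed for predictable network interfaces naming` comment would make the reason for a routing-netlink write grant discoverable from udev.te itself. The added trailing blank line separating this rule from the manage_*_pattern block matches the file's grouping style.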
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/system/
@ 2014-08-20 17:07 Jason Zaman
From: Jason Zaman @ 2014-08-20 17:07 UTC
To: gentoo-commits
commit: d797c3eae29994e49f35aeb52d15926561172347
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Aug 20 16:26:29 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Aug 20 16:26:29 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d797c3ea
Allow udev to set predictable ifnames
Udev sets the interface names predictably; it uses a
netlink_route_socket to do so.
More info at:
http://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/
---
policy/modules/system/udev.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 83a8b11..94adb3b 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -331,6 +331,7 @@ ifdef(`distro_gentoo',`
#
allow udev_t self:capability2 block_suspend;
allow udev_t udev_tbl_t:dir relabelto;
+ allow udev_t self:netlink_route_socket rw_netlink_socket_perms;
manage_dirs_pattern(udev_t, udev_tbl_t, udev_tbl_t)
manage_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)
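Review bot: Undocumented rule: `allow udev_t self:netlink_route_socket rw_netlink_socket_perms;` gives udev write access to the routing netlink family (links, addresses, routes), which is a notable widening, and nothing in the hunk records why. Add a comment above it stating the purpose (predictable interface renaming, per the commit message) and separate it from the udev_tbl_t lines with a blank line so the grouping stays readable.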
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/system/
@ 2014-08-19 20:18 Jason Zaman
From: Jason Zaman @ 2014-08-19 20:18 UTC
To: gentoo-commits
commit: 5a4304143a9dcf5980eefbfdaa78b5d1416fa884
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Aug 19 12:44:57 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Aug 19 20:06:49 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5a430414
Move losetup addition in fstools.
---
policy/modules/system/fstools.te | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 7ce8171..a2a12c4 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -127,9 +127,6 @@ files_search_all(fsadm_t)
mls_file_read_all_levels(fsadm_t)
mls_file_write_all_levels(fsadm_t)
-# losetup: bind mount_loopback_t files to loop devices
-mount_rw_loopback_files(fsadm_t)
-
storage_raw_read_fixed_disk(fsadm_t)
storage_raw_write_fixed_disk(fsadm_t)
storage_raw_read_removable_device(fsadm_t)
@@ -147,6 +144,9 @@ logging_send_syslog_msg(fsadm_t)
miscfiles_read_localization(fsadm_t)
+# losetup: bind mount_loopback_t files to loop devices
+mount_rw_loopback_files(fsadm_t)
+
seutil_read_config(fsadm_t)
userdom_use_user_terminals(fsadm_t)
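Review bot: Pure relocation; the rule and its comment are unchanged. The new position places `mount_rw_loopback_files(fsadm_t)` among the other module-interface calls in alphabetical order (logging_, miscfiles_, mount_, seutil_, userdom_), which is the refpolicy layout the earlier placement next to the storage_raw_* calls broke; no further changes needed.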
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/system/
@ 2014-08-19 20:18 Jason Zaman
From: Jason Zaman @ 2014-08-19 20:18 UTC
To: gentoo-commits
commit: ff1afbaf2e0f1d8fd0b381167d735606024f29bc
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Mon Aug 11 13:33:17 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Aug 19 20:06:45 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ff1afbaf
system/fstools.if: Add fstools_use_fds interface
---
policy/modules/system/fstools.if | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if
index 016a770..c4bbd88 100644
--- a/policy/modules/system/fstools.if
+++ b/policy/modules/system/fstools.if
@@ -83,6 +83,24 @@ interface(`fstools_signal',`
########################################
## <summary>
+## Inherit fstools file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`fstools_use_fds',`
+ gen_require(`
+ type fsadm_t;
+ ')
+
+ allow $1 fsadm_t:fd use;
+')
+
+########################################
+## <summary>
## Read fstools unnamed pipes.
## </summary>
## <param name="domain">
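Review bot: The <param> description "The type of the process performing this action." departs from the wording used across refpolicy interfaces ("Domain allowed access."); keep the standard phrase for consistency with the neighbouring fstools_signal and "Read fstools unnamed pipes" blocks. Adding an interface also calls for a policy_module() version bump in fstools.te, which this diff does not include. The rule itself, `allow $1 fsadm_t:fd use;`, is the minimal permission for inheriting descriptors and matches how other *_use_fds interfaces are written.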
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/system/
@ 2014-08-19 20:18 Jason Zaman
From: Jason Zaman @ 2014-08-19 20:18 UTC
To: gentoo-commits
commit: ce7ff0c908740a95edf2dcd6ac2910b3161eb569
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Mon Aug 11 13:33:16 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Aug 19 20:06:42 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ce7ff0c9
system/mount.if: Add mount_rw_loopback_files interface
---
policy/modules/system/mount.if | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index fe24186..8a2105b 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -191,3 +191,21 @@ interface(`mount_read_loopback_files',`
allow $1 mount_loopback_t:file read_file_perms;
')
+
+########################################
+## <summary>
+## Read and write loopback filesystem image files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mount_rw_loopback_files',`
+ gen_require(`
+ type mount_loopback_t;
+ ')
+
+ allow $1 mount_loopback_t:file rw_file_perms;
+')
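Review bot: The new interface mirrors mount_read_loopback_files directly above it, swapping read_file_perms for rw_file_perms, so it is consistent; two points. First, adding an interface should come with a policy_module() version bump in mount.te, which is absent from this diff. Second, rw_file_perms does not include create or unlink, so a caller that must set up new image files would still need a manage variant; if opening existing images only is the intent (as for losetup), say so in the <summary>.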