* [gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/system/
@ 2014-11-11 16:00 Sven Vermeulen
From: Sven Vermeulen @ 2014-11-11 16:00 UTC
To: gentoo-commits
commit: 91b06086bea526e22411773d54c897ef06d85861
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Nov 11 15:58:55 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Nov 11 15:59:06 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=91b06086
Add support for init_script_readable
---
policy/modules/system/init.if | 18 ++++++++++++++++++
policy/modules/system/init.te | 5 +++++
2 files changed, 23 insertions(+)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 2b7793a..7cdf3a8 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1906,3 +1906,21 @@ interface(`init_relabelto_script_state',`
relabelto_files_pattern($1, initrc_state_t, initrc_state_t)
relabelto_dirs_pattern($1, initrc_state_t, initrc_state_t)
')
+
+#########################################
+## <summary>
+## Mark as a readable type for the initrc_t domain
+## </summary>
+## <param name="type">
+## <summary>
+## Type that initrc_t needs read access to
+## </summary>
+## </param>
+#
+interface(`init_script_readable_type',`
+ gen_require(`
+ attribute init_script_readable;
+ ')
+
+ typeattribute $1 init_script_readable;
+')
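Review bot: the gen_require in init_script_readable_type asks for attribute init_script_readable unconditionally, but the init.te part of this patch declares that attribute only inside ifdef(`distro_gentoo', ...). A module that calls the interface in a non-Gentoo build would be left with an unsatisfied require. Wrap the interface body in the same ifdef, or declare the attribute outside the distro block.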
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index cd2b0e4..cd3d18d 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -935,12 +935,17 @@ optional_policy(`
')
ifdef(`distro_gentoo',`
+ # Attribute to assign to types that the initrc_t domain needs read access to
+ attribute init_script_readable;
+
#####################################
#
# Local initrc_t policy
#
allow initrc_t self:capability sys_admin;
+ read_files_pattern(initrc_t, init_script_readable, init_script_readable)
+
manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
files_pid_filetrans(initrc_t, initrc_var_run_t, dir)
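Review bot: read_files_pattern(initrc_t, init_script_readable, init_script_readable) covers only class file (plus search on directories carrying the attribute), while the comment on the attribute promises read access to the type in general. A symlink labelled with one of these types stays unreadable for initrc_t; if init scripts are expected to follow such links, add the matching read_lnk_files_pattern line, otherwise narrow the comment to regular files.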
* [gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/system/
@ 2014-11-11 16:09 Sven Vermeulen
From: Sven Vermeulen @ 2014-11-11 16:09 UTC
To: gentoo-commits
commit: c4daf11c488d7feb4f15277f0583ea59be816164
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Nov 11 15:58:55 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Nov 11 16:09:08 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c4daf11c
Add support for init_script_readable
---
policy/modules/system/init.if | 18 ++++++++++++++++++
policy/modules/system/init.te | 6 ++++++
2 files changed, 24 insertions(+)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 2b7793a..7cdf3a8 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1906,3 +1906,21 @@ interface(`init_relabelto_script_state',`
relabelto_files_pattern($1, initrc_state_t, initrc_state_t)
relabelto_dirs_pattern($1, initrc_state_t, initrc_state_t)
')
+
+#########################################
+## <summary>
+## Mark as a readable type for the initrc_t domain
+## </summary>
+## <param name="type">
+## <summary>
+## Type that initrc_t needs read access to
+## </summary>
+## </param>
+#
+interface(`init_script_readable_type',`
+ gen_require(`
+ attribute init_script_readable;
+ ')
+
+ typeattribute $1 init_script_readable;
+')
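Review bot: the summary of init_script_readable_type, "Mark as a readable type for the initrc_t domain", never names what is being marked, and neither it nor the param text says which object classes the access covers. Something like "Mark the type as readable by init scripts (initrc_t), for files and symbolic links" would let a caller judge the grant without opening init.te.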
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index cd2b0e4..6fd1d7f 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -935,12 +935,18 @@ optional_policy(`
')
ifdef(`distro_gentoo',`
+ # Attribute to assign to types that the initrc_t domain needs read access to
+ attribute init_script_readable;
+
#####################################
#
# Local initrc_t policy
#
allow initrc_t self:capability sys_admin;
+ read_files_pattern(initrc_t, init_script_readable, init_script_readable)
+ read_lnk_files_pattern(initrc_t, init_script_readable, init_script_readable)
+
manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
files_pid_filetrans(initrc_t, initrc_var_run_t, dir)
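Review bot: both pattern calls pass init_script_readable as the directory argument as well as the file argument, so initrc_t gets search only on directories that themselves carry the attribute, and no directory listing. A file whose type has the attribute but which sits in a directory of another type still depends on a separate rule for that directory; say so in the comment above the attribute, or add list_dirs_pattern if listing is intended.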
* [gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/system/
@ 2014-11-23 14:06 Sven Vermeulen
From: Sven Vermeulen @ 2014-11-23 14:06 UTC
To: gentoo-commits
commit: dee50b31c6dc717c65323de7df18f8a7a8d37400
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Nov 11 15:58:55 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Nov 23 14:05:12 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=dee50b31
Add support for init_script_readable
---
policy/modules/system/init.if | 18 ++++++++++++++++++
policy/modules/system/init.te | 6 ++++++
2 files changed, 24 insertions(+)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 99e42fc..4d923d6 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1916,3 +1916,21 @@ interface(`init_relabelto_script_state',`
relabelto_files_pattern($1, initrc_state_t, initrc_state_t)
relabelto_dirs_pattern($1, initrc_state_t, initrc_state_t)
')
+
+#########################################
+## <summary>
+## Mark as a readable type for the initrc_t domain
+## </summary>
+## <param name="type">
+## <summary>
+## Type that initrc_t needs read access to
+## </summary>
+## </param>
+#
+interface(`init_script_readable_type',`
+ gen_require(`
+ attribute init_script_readable;
+ ')
+
+ typeattribute $1 init_script_readable;
+')
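Review bot: typeattribute $1 init_script_readable accepts any type, and nothing in the interface or its param text restricts callers to file types. Since the attribute turns into a read grant for initrc_t on everything that carries it, state in the param summary that a file type is expected, or have the interface call files_type($1) before assigning the attribute.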
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index cd2b0e4..6fd1d7f 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -935,12 +935,18 @@ optional_policy(`
')
ifdef(`distro_gentoo',`
+ # Attribute to assign to types that the initrc_t domain needs read access to
+ attribute init_script_readable;
+
#####################################
#
# Local initrc_t policy
#
allow initrc_t self:capability sys_admin;
+ read_files_pattern(initrc_t, init_script_readable, init_script_readable)
+ read_lnk_files_pattern(initrc_t, init_script_readable, init_script_readable)
+
manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
files_pid_filetrans(initrc_t, initrc_var_run_t, dir)
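Review bot: the two read_*_pattern lines grant initrc_t read on whatever any module tags with init_script_readable, so the size of the grant is decided outside init.te. The comment on the attribute should state what kind of content is expected to carry it, so that reviewers of later init_script_readable_type callers have something to check against.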
* [gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/system/
2014-11-28 10:04 [gentoo-commits] proj/hardened-refpolicy:next " Sven Vermeulen
@ 2014-11-23 14:06 ` Sven Vermeulen
From: Sven Vermeulen @ 2014-11-23 14:06 UTC
To: gentoo-commits
commit: 5972047d8963d9fc145f34156e9078a40b7f3c1f
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Nov 22 18:35:21 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 22 18:35:21 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5972047d
Remove ifdef distro, pwd lock is now part of upstream
---
policy/modules/system/authlogin.fc | 2 --
1 file changed, 2 deletions(-)
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index bc3f7dc..2479587 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -1,9 +1,7 @@
/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
-ifndef(`distro_gentoo',`
/etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
-')
/etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0)
/etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0)
/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
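Review bot: with the ifndef(`distro_gentoo', ...) wrapper gone, /etc/\.pwd\.lock is labelled shadow_t on Gentoo as well, but the commit message only says the entry is now upstream. A file-context change does not touch files already on disk, so note that existing installations need the file relabelled (restorecon), and check that the domains taking this lock on Gentoo have the access they need on shadow_t.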
* [gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/system/
2014-11-22 19:02 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2014-11-23 14:06 ` Sven Vermeulen
From: Sven Vermeulen @ 2014-11-23 14:06 UTC
To: gentoo-commits
commit: fe62598f2fb87fe0dfca34f82311ffd29df37795
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Nov 22 18:46:23 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 22 18:46:23 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fe62598f
Reshuffle and update with upstream
---
policy/modules/system/init.if | 82 ++++++++++++++++++++++++-------------------
1 file changed, 46 insertions(+), 36 deletions(-)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 2b7793a..99e42fc 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -150,39 +150,6 @@ interface(`init_ranged_domain',`
########################################
## <summary>
-## Mark the file type as a daemon pid file, allowing initrc_t
-## to create it
-## </summary>
-## <param name="filetype">
-## <summary>
-## Type to mark as a daemon pid file
-## </summary>
-## </param>
-## <param name="class">
-## <summary>
-## Class on which the type is applied
-## </summary>
-## </param>
-## <param name="filename">
-## <summary>
-## Filename of the file that the init script creates
-## </summary>
-## </param>
-#
-interface(`init_daemon_pid_file',`
- gen_require(`
- attribute daemonpidfile;
- type initrc_t;
- ')
-
- typeattribute $1 daemonpidfile;
-
- files_pid_file($1)
- files_pid_filetrans(initrc_t, $1, $2, $3)
-')
-
-########################################
-## <summary>
## Create a domain for long running processes
## (daemons/services) which are started by init scripts.
## </summary>
@@ -421,16 +388,50 @@ interface(`init_ranged_system_domain',`
########################################
## <summary>
-## Mark the type as a daemon run dir
+## Mark the file type as a daemon pid file, allowing initrc_t
+## to create it
## </summary>
-## <param name="rundirtype">
+## <param name="filetype">
+## <summary>
+## Type to mark as a daemon pid file
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## Class on which the type is applied
+## </summary>
+## </param>
+## <param name="filename">
+## <summary>
+## Filename of the file that the init script creates
+## </summary>
+## </param>
+#
+interface(`init_daemon_pid_file',`
+ gen_require(`
+ attribute daemonpidfile;
+ type initrc_t;
+ ')
+
+ typeattribute $1 daemonpidfile;
+
+ files_pid_file($1)
+ files_pid_filetrans(initrc_t, $1, $2, $3)
+')
+
+########################################
+## <summary>
+## Mark the file type as a daemon run dir, allowing initrc_t
+## to create it
+## </summary>
+## <param name="filetype">
## <summary>
## Type to mark as a daemon run dir
## </summary>
## </param>
## <param name="filename">
## <summary>
-## Name of the run dir directory
+## Filename of the directory that the init script creates
## </summary>
## </param>
#
@@ -843,6 +844,14 @@ interface(`init_spec_domtrans_script',`
files_list_etc($1)
spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
+ ifdef(`distro_gentoo',`
+ gen_require(`
+ type rc_exec_t;
+ ')
+
+ domtrans_pattern($1, rc_exec_t, initrc_t)
+ ')
+
ifdef(`enable_mcs',`
range_transition $1 initrc_exec_t:process s0;
')
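Review bot: the added Gentoo branch in init_spec_domtrans_script uses domtrans_pattern($1, rc_exec_t, initrc_t), while the line above it uses spec_domtrans_pattern for initrc_exec_t. domtrans_pattern also installs a default type_transition, so executing rc_exec_t transitions automatically, which is not what a spec_domtrans interface advertises; if that is not intended, use spec_domtrans_pattern here. The enable_mcs block that follows also keeps its range_transition for initrc_exec_t only, with no counterpart for rc_exec_t.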
@@ -882,6 +891,7 @@ interface(`init_domtrans_script',`
gen_require(`
type rc_exec_t;
')
+
domtrans_pattern($1, rc_exec_t, initrc_t)
')
')
* [gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/system/
@ 2014-11-23 14:06 Sven Vermeulen
From: Sven Vermeulen @ 2014-11-23 14:06 UTC
To: gentoo-commits
commit: d634f3732a6e8ce11f31f6cda00e2be5d48e8276
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Nov 22 18:34:23 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 22 18:34:23 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d634f373
Bad whitespace but matches upstream
---
policy/modules/system/authlogin.if | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index f20a6a6..03c567a 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -1767,9 +1767,9 @@ interface(`auth_relabel_login_records',`
## <infoflow type="both" weight="10"/>
#
interface(`auth_use_nsswitch',`
- gen_require(`
- attribute nsswitch_domain;
- ')
+ gen_require(`
+ attribute nsswitch_domain;
+ ')
typeattribute $1 nsswitch_domain;
')
* [gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/system/
2014-11-28 10:04 [gentoo-commits] proj/hardened-refpolicy:next " Sven Vermeulen
@ 2014-11-23 14:06 ` Sven Vermeulen
From: Sven Vermeulen @ 2014-11-23 14:06 UTC
To: gentoo-commits
commit: 9d229675d7084facc9592f1ddab5f976337524f4
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Nov 22 18:47:27 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 22 18:47:27 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9d229675
Whitespace according to upstream
---
policy/modules/system/ipsec.fc | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index 46d232a..082ce47 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@@ -14,9 +14,9 @@
/usr/lib/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
/usr/lib/ipsec/_plutorun -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
-/usr/lib/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/lib/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/lib/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/lib/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/lib/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/lib/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)