public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/, policy/modules/admin/
  2014-11-28 10:04 [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/roles/, policy/modules/admin/ Sven Vermeulen
From: Sven Vermeulen @ 2014-11-27 22:18 UTC
  To: gentoo-commits

commit:     9d002b3d54f8278c9856d71a828cb59816384376
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Nov 27 22:15:40 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Nov 27 22:15:40 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9d002b3d

Fix bug #529208 - Grant dmesg access to /dev/kmsg and allow dmesg for sysadm_t

---
 policy/modules/admin/dmesg.if  | 28 ++++++++++++++++++++++++++++
 policy/modules/admin/dmesg.te  |  3 +++
 policy/modules/roles/sysadm.te |  5 +++++
 3 files changed, 36 insertions(+)

diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if
index e1973c7..1b6e1b2 100644
--- a/policy/modules/admin/dmesg.if
+++ b/policy/modules/admin/dmesg.if
@@ -38,3 +38,31 @@ interface(`dmesg_exec',`
 	corecmd_search_bin($1)
 	can_exec($1, dmesg_exec_t)
 ')
+
+# This should be in an ifdef distro_gentoo but that is not allowed in an if file
+
+########################################
+## <summary>
+##	Execute dmesg in the dmesg_t domain, and allow the calling role
+##	the dmesg_t domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`dmesg_run,`
+	gen_require(`
+		type dmesg_t;
+	')
+
+	dmesg_domtrans($1)
+	role $2 types dmesg_t;
+')
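Review bot: the interface header `interface(`dmesg_run,`` is missing the closing quote after the interface name; compare `interface(`dmesg_exec',`` in the hunk context. As written, m4 sees an unterminated quoted string, so the module either fails to build or never defines the interface, and the `dmesg_run(sysadm_t, sysadm_r)` call added in sysadm.te cannot resolve. Change it to `interface(`dmesg_run',``. The comment above the block says this really belongs under distro_gentoo; if that is the intent, the interface's summary could state that the domain transition is only useful where the dmesg_t policy has also been given kmsg access.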

diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
index ee07743..544a430 100644
--- a/policy/modules/admin/dmesg.te
+++ b/policy/modules/admin/dmesg.te
@@ -63,4 +63,7 @@ ifdef(`distro_gentoo',`
 	# dmesg_t policy
 	#
 	dev_dontaudit_rw_generic_chr_files(dmesg_t) # early access when /dev/console is not relabeled by udev yet
+
+	# Bug 529208
+	dev_read_kmsg(dmesg_t)
 ')
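Review bot: `dev_read_kmsg(dmesg_t)` is added inside the `ifdef(`distro_gentoo',`` block shown in the hunk header, yet reading /dev/kmsg is how newer util-linux dmesg builds fetch the kernel ring buffer on any distribution (in preference to the syslog(2) call), so the rule is arguably generic dmesg_t policy rather than Gentoo-specific and could be placed above the ifdef and sent upstream. Whichever scope is chosen, the `# Bug 529208` comment would be more useful if it said what the access is for ("dmesg reads /dev/kmsg") rather than only citing the bug number, since the bug reference will mean nothing to readers of the policy outside Gentoo.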

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 7e497b0..76da241 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -493,6 +493,11 @@ ifdef(`distro_gentoo',`
 	')
 
 	optional_policy(`
+		# Bug 529208
+		dmesg_run(sysadm_t, sysadm_r)
+	')
+
+	optional_policy(`
 		dnsmasq_admin(sysadm_t, sysadm_r)
 	')
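Review bot: `dmesg_run(sysadm_t, sysadm_r)` is scoped to the `ifdef(`distro_gentoo',`` block (hunk header), which matches the distro_gentoo scope of `dev_read_kmsg(dmesg_t)` in dmesg.te, but the interface itself lives in the .if file without any ifdef (as its own comment admits), so a caller outside that block would get the transition into dmesg_t without the kmsg read that makes it work. A short comment here tying the two together ("needs dev_read_kmsg(dmesg_t) from the distro_gentoo block in dmesg.te") would stop the next edit from separating them. Splitting the existing `optional_policy(`` opener so that the new block lands before dnsmasq_admin keeps the blocks in alphabetical order, which is the right placement.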
 

