From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id C92BF1389E2 for ; Fri, 28 Nov 2014 10:04:18 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id A9907E08E6; Fri, 28 Nov 2014 10:04:10 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 04907E08B8 for ; Fri, 28 Nov 2014 10:04:08 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 01F3F3404AF for ; Fri, 28 Nov 2014 10:04:08 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 6CA29B154 for ; Fri, 28 Nov 2014 10:04:04 +0000 (UTC)
From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1417126540.9d002b3d54f8278c9856d71a828cb59816384376.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/roles/, policy/modules/admin/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/admin/dmesg.if policy/modules/admin/dmesg.te policy/modules/roles/sysadm.te
X-VCS-Directories: policy/modules/admin/ policy/modules/roles/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 9d002b3d54f8278c9856d71a828cb59816384376
X-VCS-Branch: next
Date: Fri, 28 Nov 2014 10:04:04 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: e50e06fc-df41-4772-81a0-43ba06c763bf
X-Archives-Hash: 23e36f15b5d5d16b5c8b85c55cabb2a9

commit:     9d002b3d54f8278c9856d71a828cb59816384376
Author:     Sven Vermeulen  siphos  be>
AuthorDate: Thu Nov 27 22:15:40 2014 +0000
Commit:     Sven Vermeulen  gentoo  org>
CommitDate: Thu Nov 27 22:15:40 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9d002b3d

Fix bug #529208 - Grant dmesg access to /dev/kmsg and allow dmesg for sysadm_t

---
 policy/modules/admin/dmesg.if  | 28 ++++++++++++++++++++++++++++
 policy/modules/admin/dmesg.te  |  3 +++
 policy/modules/roles/sysadm.te |  5 +++++
 3 files changed, 36 insertions(+)

diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if
index e1973c7..1b6e1b2 100644
--- a/policy/modules/admin/dmesg.if
+++ b/policy/modules/admin/dmesg.if
@@ -38,3 +38,31 @@ interface(`dmesg_exec',` corecmd_search_bin($1) can_exec($1, dmesg_exec_t) ') + +# This should be in an ifdef distro_gentoo but that is not allowed in an if file + +######################################## +## +## Execute dmesg in the dmesg_t domain, and allow the calling role +## the dmesg_t domain. +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`dmesg_run,` + gen_require(` + type dmesg_t; + ') + + dmesg_domtrans($1) + role $2 types dmesg_t; +') diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te index ee07743..544a430 100644 --- a/policy/modules/admin/dmesg.te +++ b/policy/modules/admin/dmesg.te @@ -63,4 +63,7 @@ ifdef(`distro_gentoo',` # dmesg_t policy # dev_dontaudit_rw_generic_chr_files(dmesg_t) # early access when /dev/console is not relabeled by udev yet + + # Bug 529208 + dev_read_kmsg(dmesg_t) ') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 7e497b0..76da241 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te 
@@ -493,6 +493,11 @@ ifdef(`distro_gentoo',` ') optional_policy(` + # Bug 529208 + dmesg_run(sysadm_t, sysadm_r) + ') + + optional_policy(` dnsmasq_admin(sysadm_t, sysadm_r) ') From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 33D031389E2 for ; Thu, 27 Nov 2014 22:19:04 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id ED17EE0884; Thu, 27 Nov 2014 22:19:02 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 8A5F1E0884 for ; Thu, 27 Nov 2014 22:19:02 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 52D723401D6 for ; Thu, 27 Nov 2014 22:19:01 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id EE7E76E3B for ; Thu, 27 Nov 2014 22:18:59 +0000 (UTC) 
From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1417126540.9d002b3d54f8278c9856d71a828cb59816384376.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/, policy/modules/admin/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/admin/dmesg.if policy/modules/admin/dmesg.te policy/modules/roles/sysadm.te
X-VCS-Directories: policy/modules/roles/ policy/modules/admin/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 9d002b3d54f8278c9856d71a828cb59816384376
X-VCS-Branch: master
Date: Thu, 27 Nov 2014 22:18:59 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 1c14336b-cd37-43bc-bda3-116bd9a115c0
X-Archives-Hash: 3fd73bd791b37a955f5fe52e64bdb69a
Message-ID: <20141127221859.D9HbSuHAnwWpM68gwyRyG8IPPoc2D7FwJuZU5kl-gB8@z>

commit:     9d002b3d54f8278c9856d71a828cb59816384376
Author:     Sven Vermeulen  siphos  be>
AuthorDate: Thu Nov 27 22:15:40 2014 +0000
Commit:     Sven Vermeulen  gentoo  org>
CommitDate: Thu Nov 27 22:15:40 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9d002b3d

Fix bug #529208 - Grant dmesg access to /dev/kmsg and allow dmesg for sysadm_t

---
 policy/modules/admin/dmesg.if  | 28 ++++++++++++++++++++++++++++
 policy/modules/admin/dmesg.te  |  3 +++
 policy/modules/roles/sysadm.te |  5 +++++
 3 files changed, 36 insertions(+)

diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if
index e1973c7..1b6e1b2 100644
--- a/policy/modules/admin/dmesg.if
+++ b/policy/modules/admin/dmesg.if
@@ -38,3 +38,31 @@ interface(`dmesg_exec',` corecmd_search_bin($1) can_exec($1, dmesg_exec_t) ') + +# This should be in an ifdef distro_gentoo but that is not allowed in an if file + +######################################## +## +## Execute dmesg in the dmesg_t domain, and allow the calling role +## the dmesg_t domain. +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`dmesg_run,` + gen_require(` + type dmesg_t; + ') + + dmesg_domtrans($1) + role $2 types dmesg_t; +') diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te index ee07743..544a430 100644 --- a/policy/modules/admin/dmesg.te +++ b/policy/modules/admin/dmesg.te @@ -63,4 +63,7 @@ ifdef(`distro_gentoo',` # dmesg_t policy # dev_dontaudit_rw_generic_chr_files(dmesg_t) # early access when /dev/console is not relabeled by udev yet + + # Bug 529208 + dev_read_kmsg(dmesg_t) ') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 7e497b0..76da241 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -493,6 +493,11 @@ ifdef(`distro_gentoo',` ') optional_policy(` + # Bug 529208 + dmesg_run(sysadm_t, sysadm_r) + ') + + optional_policy(` dnsmasq_admin(sysadm_t, sysadm_r) ')
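Review bot: the new interface declaration in the dmesg.if hunk, interface(`dmesg_run,` , is missing the closing quote after the interface name; the existing interface(`dmesg_exec',` in the same hunk's context shows the expected form. With the name left unquoted the m4 quoting is unbalanced, so the policy build will not produce an interface called dmesg_run as intended, and the dmesg_run(sysadm_t, sysadm_r) call added in sysadm.te cannot resolve. Change the line to interface(`dmesg_run',` . The leading comment says this belongs under a distro_gentoo guard; nothing in the body is Gentoo-specific (dmesg_domtrans plus "role $2 types dmesg_t;" is the standard refpolicy run-interface pattern), so the better fix is to drop that comment and submit the interface upstream.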
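Review bot: in the dmesg.te hunk, dev_read_kmsg(dmesg_t) is added inside the ifdef(`distro_gentoo',` block, but reading /dev/kmsg is a property of the dmesg binary, not of the distribution: any dmesg that reads /dev/kmsg instead of calling syslog(2) needs this permission everywhere. Move the call into the unconditional dmesg_t policy section (and upstream it), leaving only the dontaudit for not-yet-relabeled console devices under the distro guard. Note also that this grants read access only; clearing the ring buffer (dmesg -c / -C) still goes through syslog(2), so confirm the capability rules for that path are already present in dmesg.te, since this hunk does not touch them.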
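Review bot: the sysadm.te hunk places the new optional_policy block for dmesg_run(sysadm_t, sysadm_r) inside ifdef(`distro_gentoo',` as well, so on a non-Gentoo build sysadm_r still cannot enter dmesg_t; this should move out of the distro guard together with the dev_read_kmsg change. The call depends on the interface declared in dmesg.if in this same patch, and that declaration reads interface(`dmesg_run,` with the closing quote missing, so build and test the role change together with the interface fix rather than merging the files separately. Inserting the block before the dnsmasq_admin block keeps the optional_policy blocks in alphabetical order, which is correct. Since the hunk grants only the domain transition and role authorization, double-check that dmesg_t's access to the administrator's terminal is already covered in dmesg.te (not part of this patch); otherwise the transition succeeds but dmesg cannot write its output back to the caller.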