From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-757402-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	by finch.gentoo.org (Postfix) with ESMTP id 6DF951389E2
	for <garchives@archives.gentoo.org>; Sun, 21 Dec 2014 12:49:52 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id CE519E0B2D;
	Sun, 21 Dec 2014 12:49:51 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 705B3E0B2D
	for <gentoo-commits@lists.gentoo.org>; Sun, 21 Dec 2014 12:49:51 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 1B7483402C3
	for <gentoo-commits@lists.gentoo.org>; Sun, 21 Dec 2014 12:49:50 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id 96742D030
	for <gentoo-commits@lists.gentoo.org>; Sun, 21 Dec 2014 12:49:48 +0000 (UTC)
From: "Jason Zaman" <gentoo@perfinion.com>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" <gentoo@perfinion.com>
Message-ID: <1419083205.99b40156a93dcd1147049daca610b53d20eaa4b7.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/salt.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 99b40156a93dcd1147049daca610b53d20eaa4b7
X-VCS-Branch: master
Date: Sun, 21 Dec 2014 12:49:48 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 06489e22-a06d-496b-b3b9-35f986e5dd98
X-Archives-Hash: 8f75b230dad7ad5dd40b8bd14b4b9c37

commit:     99b40156a93dcd1147049daca610b53d20eaa4b7
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Dec 20 13:46:45 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sat Dec 20 13:46:45 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=99b40156

salt: allow salt minion to ssh_manage_home_files

also dac_override and dac_read_search since some home dirs are not
world readable.

---
 policy/modules/contrib/salt.te | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 279edfb..024a165 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -198,7 +198,7 @@ tunable_policy(`salt_master_read_nfs',`
 # salt_minion_t policy
 #
 
-allow salt_minion_t self:capability { fsetid chown net_admin sys_admin sys_tty_config };
+allow salt_minion_t self:capability { fsetid chown dac_override dac_read_search net_admin sys_admin sys_tty_config };
 allow salt_minion_t self:capability2 block_suspend;
 allow salt_minion_t self:process { signal signull };
 allow salt_minion_t self:tcp_socket create_stream_socket_perms;
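Review bot: dac_override is a far broader grant than dac_read_search, and the commit message only justifies read and search access to home directories that are not world readable, which dac_read_search alone covers on the `allow salt_minion_t self:capability` line. If dac_override is needed for the write side of ssh_manage_home_files (modifying files owned by other users), say so in the commit message or in a comment above the rule; otherwise drop it and keep only dac_read_search, since both capabilities apply to every file the minion touches, not just the home files this change is about.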
@@ -294,6 +294,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	ssh_manage_home_files(salt_minion_t)
+')
+
+optional_policy(`
 	mount_domtrans(salt_minion_t)
 ')
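Review bot: the new `ssh_manage_home_files(salt_minion_t)` block is inserted before the `mount_domtrans(salt_minion_t)` block, which breaks the alphabetical ordering of optional_policy blocks that refpolicy modules keep; move it after the mount block, before whichever later block sorts after ssh. A one-line comment tying this block to the dac_read_search capability added in the earlier hunk would also make clear to later readers why that capability exists.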
 


From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-757228-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	by finch.gentoo.org (Postfix) with ESMTP id 0AE661389E2
	for <garchives@archives.gentoo.org>; Sat, 20 Dec 2014 15:49:10 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id E53AAE098E;
	Sat, 20 Dec 2014 15:49:07 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 9C1F9E098E
	for <gentoo-commits@lists.gentoo.org>; Sat, 20 Dec 2014 15:49:07 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 6DF0434069A
	for <gentoo-commits@lists.gentoo.org>; Sat, 20 Dec 2014 15:49:06 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id 1B348CEE1
	for <gentoo-commits@lists.gentoo.org>; Sat, 20 Dec 2014 15:49:05 +0000 (UTC)
From: "Jason Zaman" <gentoo@perfinion.com>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" <gentoo@perfinion.com>
Message-ID: <1419083205.99b40156a93dcd1147049daca610b53d20eaa4b7.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/salt.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 99b40156a93dcd1147049daca610b53d20eaa4b7
X-VCS-Branch: next
Date: Sat, 20 Dec 2014 15:49:05 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 08cda980-fa7a-4c0e-a3e8-1bbd53c7fe09
X-Archives-Hash: fabccafe4ce42e4120ddb59d994a8210
Message-ID: <20141220154905.OeRB_q9lY8uOQoGtz3JEOtuTcJvbOomOmhuNoagkDhM@z>

commit:     99b40156a93dcd1147049daca610b53d20eaa4b7
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Dec 20 13:46:45 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sat Dec 20 13:46:45 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=99b40156

salt: allow salt minion to ssh_manage_home_files

also dac_override and dac_read_search since some home dirs are not
world readable.

---
 policy/modules/contrib/salt.te | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 279edfb..024a165 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -198,7 +198,7 @@ tunable_policy(`salt_master_read_nfs',`
 # salt_minion_t policy
 #
 
-allow salt_minion_t self:capability { fsetid chown net_admin sys_admin sys_tty_config };
+allow salt_minion_t self:capability { fsetid chown dac_override dac_read_search net_admin sys_admin sys_tty_config };
 allow salt_minion_t self:capability2 block_suspend;
 allow salt_minion_t self:process { signal signull };
 allow salt_minion_t self:tcp_socket create_stream_socket_perms;
@@ -294,6 +294,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	ssh_manage_home_files(salt_minion_t)
+')
+
+optional_policy(`
 	mount_domtrans(salt_minion_t)
 ')
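Review bot: the new `ssh_manage_home_files(salt_minion_t)` block is inserted before the `mount_domtrans(salt_minion_t)` block, which breaks the alphabetical ordering of optional_policy blocks that refpolicy modules keep; move it after the mount block, before whichever later block sorts after ssh. A one-line comment tying this block to the dac_read_search capability added in the earlier hunk would also make clear to later readers why that capability exists.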