From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 09BAB138ACF for ; Thu, 29 Jan 2015 20:53:11 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 06BEBE085C; Thu, 29 Jan 2015 20:53:10 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 54AF3E0866 for ; Thu, 29 Jan 2015 20:53:09 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 5304C3406CA for ; Thu, 29 Jan 2015 20:53:08 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id E7533109D2 for ; Thu, 29 Jan 2015 20:53:06 +0000 (UTC) 
From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1422564661.554634acd986adb72fd1a7fb8a616b044387c0b8.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/afs.fc policy/modules/contrib/afs.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 554634acd986adb72fd1a7fb8a616b044387c0b8
X-VCS-Branch: master
Date: Thu, 29 Jan 2015 20:53:06 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 7542f2d4-ce5b-436e-be4b-cec621ac1294
X-Archives-Hash: 966cc5b124ddb59589bd779ed2bf0d9b

commit:     554634acd986adb72fd1a7fb8a616b044387c0b8
Author:     Chas Williams - CONTRACTOR cmf nrl navy mil>
AuthorDate: Mon Jan  5 00:19:15 2015 +0000
Commit:     Sven Vermeulen gentoo org>
CommitDate: Thu Jan 29 20:51:01 2015 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=554634ac

afs: update labels, file contexts and allow access to urandom

Label the DAFS (demand attached) fileserver binaries afs_fsserver_exec_t.
Set the fcontext for the fileserver /vicep partitions and their contents.
Also set fcontext on the openafs-server init script.

Allow OpenAFS server binaries to access urandom.

--- policy/modules/contrib/afs.fc | 14 +++++++++++--- policy/modules/contrib/afs.te | 8 ++++++++ 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/policy/modules/contrib/afs.fc b/policy/modules/contrib/afs.fc index 8926c16..279b787 100644 --- a/policy/modules/contrib/afs.fc +++ b/policy/modules/contrib/afs.fc 
@@ -1,13 +1,18 @@ /etc/(open)?afs(/.*)? gen_context(system_u:object_r:afs_config_t,s0) /etc/rc\.d/init\.d/openafs-client -- gen_context(system_u:object_r:afs_initrc_exec_t,s0) +/etc/rc\.d/init\.d/openafs-server -- gen_context(system_u:object_r:afs_initrc_exec_t,s0) /etc/rc\.d/init\.d/(open)?afs -- gen_context(system_u:object_r:afs_initrc_exec_t,s0) /usr/afs/bin/bosserver -- gen_context(system_u:object_r:afs_bosserver_exec_t,s0) +/usr/afs/bin/dafileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) +/usr/afs/bin/dasalvager -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) +/usr/afs/bin/davolserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) /usr/afs/bin/fileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) /usr/afs/bin/kaserver -- gen_context(system_u:object_r:afs_kaserver_exec_t,s0) /usr/afs/bin/ptserver -- gen_context(system_u:object_r:afs_ptserver_exec_t,s0) /usr/afs/bin/salvager -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) +/usr/afs/bin/salvageserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) /usr/afs/bin/volserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) /usr/afs/bin/vlserver -- gen_context(system_u:object_r:afs_vlserver_exec_t,s0) 
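Review bot: Documentation point for the @@ -1,13 +1,18 @@ hunk of afs.fc: dafileserver, dasalvager, davolserver and salvageserver are all given afs_fsserver_exec_t, so they run in afs_fsserver_t with every permission that domain already has. That mirrors the existing salvager/volserver entries and looks right, but the commit message only says "DAFS fileserver binaries"; state there that the demand-attach salvager/volserver and salvageserver deliberately share afs_fsserver_t rather than getting domains of their own, so the next reader does not have to infer the labeling decision from the .fc file.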
@@ -22,10 +27,14 @@ /usr/afs/logs(/.*)? gen_context(system_u:object_r:afs_logfile_t,s0) +/usr/libexec/openafs/dafileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) +/usr/libexec/openafs/dasalvager -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) +/usr/libexec/openafs/davolserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) /usr/libexec/openafs/fileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) /usr/libexec/openafs/kaserver -- gen_context(system_u:object_r:afs_kaserver_exec_t,s0) /usr/libexec/openafs/ptserver -- gen_context(system_u:object_r:afs_ptserver_exec_t,s0) /usr/libexec/openafs/salvager -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) +/usr/libexec/openafs/salvagerserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) /usr/libexec/openafs/volserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) /usr/libexec/openafs/vlserver -- gen_context(system_u:object_r:afs_vlserver_exec_t,s0) @@ -37,6 +46,5 @@ /var/cache/(open)?afs(/.*)? gen_context(system_u:object_r:afs_cache_t,s0) -/vicepa gen_context(system_u:object_r:afs_files_t,s0) -/vicepb gen_context(system_u:object_r:afs_files_t,s0) -/vicepc gen_context(system_u:object_r:afs_files_t,s0) +/vicep[a-z][a-z]?(/.*)? gen_context(system_u:object_r:afs_files_t,s0) + diff --git a/policy/modules/contrib/afs.te b/policy/modules/contrib/afs.te index 90ce637..6ba667d 100644 --- a/policy/modules/contrib/afs.te +++ b/policy/modules/contrib/afs.te @@ -140,6 +140,8 @@ files_read_usr_files(afs_bosserver_t) seutil_read_config(afs_bosserver_t) +dev_read_urand(afs_bosserver_t) + ######################################## # # fileserver local policy @@ -206,6 +208,8 @@ seutil_read_config(afs_fsserver_t) userdom_dontaudit_use_user_terminals(afs_fsserver_t) +dev_read_urand(afs_fsserver_t) + ######################################## # # kaserver local policy 
@@ -276,6 +280,8 @@ corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t) userdom_dontaudit_use_user_terminals(afs_ptserver_t) +dev_read_urand(afs_ptserver_t) + ######################################## # # vlserver local policy @@ -307,6 +313,8 @@ corenet_sendrecv_afs_vl_server_packets(afs_vlserver_t) userdom_dontaudit_use_user_terminals(afs_vlserver_t) +dev_read_urand(afs_vlserver_t) + ######################################## # # Global local policy
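Review bot: Likely typo in the @@ -22,10 +27,14 @@ hunk of afs.fc: the new entry is `/usr/libexec/openafs/salvagerserver`, whereas the matching /usr/afs/bin entry in the first hunk is `/usr/afs/bin/salvageserver`. A file context that matches no installed path is silently ignored, so on a libexec-based install that binary would keep a generic label and never transition into afs_fsserver_t; rename it to `/usr/libexec/openafs/salvageserver` so the two hunks agree.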
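Review bot: Two points on the @@ -37,6 +46,5 @@ hunk of afs.fc. The trailing `+` line adds a blank line at end of file; drop it. More importantly, the removed /vicepa, /vicepb and /vicepc entries labeled only the mount points, while `/vicep[a-z][a-z]?(/.*)?` now covers everything beneath them, so the commit message should say that existing partitions need a relabel (restorecon -R /vicep*) after the policy is loaded; until that is done, files already on those partitions keep their current label, and the wider pattern changes nothing for them.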
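Review bot: Style point for the @@ -140,6 +140,8 @@ hunk of afs.te, and likewise for the three identical hunks for afs_fsserver_t, afs_ptserver_t and afs_vlserver_t: refpolicy orders interface calls by layer, so `dev_read_urand(afs_bosserver_t)` belongs with the other kernel-layer (dev_*) calls above `files_read_usr_files(afs_bosserver_t)` and `seutil_read_config(afs_bosserver_t)`, not appended after the system-layer calls. Also, the commit message says OpenAFS server binaries get urandom access, yet the kaserver block (visible as trailing context after this hunk) receives no dev_read_urand call; say in the message whether leaving afs_kaserver_t out is deliberate.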