From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-768045-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	by finch.gentoo.org (Postfix) with ESMTP id 69501138A1A
	for <garchives@archives.gentoo.org>; Thu, 29 Jan 2015 20:53:11 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 5286DE0867;
	Thu, 29 Jan 2015 20:53:10 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 82BE8E085C
	for <gentoo-commits@lists.gentoo.org>; Thu, 29 Jan 2015 20:53:09 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 8AAE7340756
	for <gentoo-commits@lists.gentoo.org>; Thu, 29 Jan 2015 20:53:08 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id 26214109D5
	for <gentoo-commits@lists.gentoo.org>; Thu, 29 Jan 2015 20:53:07 +0000 (UTC)
From: "Sven Vermeulen" <swift@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" <swift@gentoo.org>
Message-ID: <1422564668.cba6dc0028608f027f7e02ab1d4df155632a7a46.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/samhain.if policy/modules/contrib/samhain.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: cba6dc0028608f027f7e02ab1d4df155632a7a46
X-VCS-Branch: master
Date: Thu, 29 Jan 2015 20:53:07 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 17a2051e-16e0-44d5-af27-e326c733a1ee
X-Archives-Hash: c025f0b0f1238028bf64538b5a84a01f

commit:     cba6dc0028608f027f7e02ab1d4df155632a7a46
Author:     Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Tue Jan 27 20:17:58 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jan 29 20:51:08 2015 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cba6dc00

Various samhain fixes

connects to smtp port
resolves smtp dns name
missing samhain_domain attribute
reads random device
samhain_domains use unnamed pipes for internal comms
clarify why some rules are commented out for now in samhain_admin()
remove samhain_run() from samhain_admin()
samhain needs to be able to maintain directories in /var/lib

Signed-off-by: Dominick Grift <dac.override <AT> gmail.com>

---
 policy/modules/contrib/samhain.if |  8 +++-----
 policy/modules/contrib/samhain.te | 12 ++++++++++--
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/policy/modules/contrib/samhain.if b/policy/modules/contrib/samhain.if
index f0236d6..b1ebcee 100644
--- a/policy/modules/contrib/samhain.if
+++ b/policy/modules/contrib/samhain.if
@@ -16,7 +16,7 @@ template(`samhain_service_template',`
 		type samhain_exec_t;
 	')
 
-	type $1_t;
+	type $1_t, samhain_domain;
 	domain_type($1_t)
 	domain_entry_file($1_t, samhain_exec_t)
 
@@ -213,14 +213,14 @@ interface(`samhain_manage_pid_files',`
 interface(`samhain_admin',`
 	gen_require(`
 		attribute samhain_domain;
-		type samhain_t, samhaind_t, samhain_db_t, samhain_etc_t;
+		type samhain_db_t, samhain_etc_t;
 		type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t;
 	')
 
 	allow $1 samhain_domain:process { ptrace signal_perms };
 	ps_process_pattern($1, samhain_domain)
 
-	# pending
+	# duplicate role transition: remove samhain_admin(sysadm_t, sysadm_r) first
 	# init_labeled_script_domtrans($1, samhain_initrc_exec_t)
 	# domain_system_change_exemption($1)
 	# role_transition $2 samhain_initrc_exec_t system_r;
@@ -237,6 +237,4 @@ interface(`samhain_admin',`
 
 	files_list_pids($1)
 	admin_pattern($1, samhain_var_run_t)
-
-	# samhain_run($1, $2)
 ')

diff --git a/policy/modules/contrib/samhain.te b/policy/modules/contrib/samhain.te
index c41ce4b..3ed8e45 100644
--- a/policy/modules/contrib/samhain.te
+++ b/policy/modules/contrib/samhain.te
@@ -1,4 +1,4 @@
-policy_module(samhain, 1.2.0)
+policy_module(samhain, 1.2.1)
 
 ########################################
 #
@@ -50,8 +50,9 @@ ifdef(`enable_mls',`
 
 allow samhain_domain self:capability { dac_override dac_read_search fowner ipc_lock };
 dontaudit samhain_domain self:capability { sys_resource sys_ptrace };
-allow samhain_domain self:fd use;
 allow samhain_domain self:process { setsched setrlimit signull };
+allow samhain_domain self:fd use;
+allow samhain_domain self:fifo_file rw_fifo_file_perms;
 
 allow samhain_domain samhain_etc_t:file read_file_perms;
 
@@ -96,6 +97,7 @@ logging_send_syslog_msg(samhain_domain)
 #
 
 manage_files_pattern(samhain_t, samhain_db_t, samhain_db_t)
+manage_dirs_pattern(samhain_t, samhain_db_t, samhain_db_t)
 files_var_lib_filetrans(samhain_t, samhain_db_t, { file dir })
 
 domain_use_interactive_fds(samhain_t)
@@ -115,4 +117,10 @@ can_exec(samhaind_t, samhain_exec_t)
 
 read_files_pattern(samhaind_t, samhain_db_t, samhain_db_t)
 
+corenet_tcp_connect_smtp_port(samhaind_t)
+
+dev_read_rand(samhaind_t)
+
 init_use_script_ptys(samhaind_t)
+
+sysnet_dns_name_resolve(samhaind_t)