* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/
From: Sven Vermeulen @ 2015-06-09 13:24 UTC
To: gentoo-commits
commit: c57bbb62bf1c2b1430977133c2f8a8c738479021
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat May 30 15:00:26 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat May 30 15:00:26 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c57bbb62
add kdeconnect port 1714
policy/modules/kernel/corenetwork.te.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 70f4ee8..07e4a9e 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -165,6 +165,7 @@ network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
network_port(kismet, tcp,2501,s0)
+network_port(kdeconnect, tcp,1714,s0, udp,1714,s0)
network_port(kprop, tcp,754,s0)
network_port(ktalkd, udp,517,s0, udp,518,s0)
network_port(l2tp, tcp,1701,s0, udp,1701,s0)
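Review bot: The new kdeconnect entry is placed after kismet, but the surrounding declarations are sorted by name and "kdeconnect" sorts before "kerberos"; move it above the network_port(kerberos, ...) line. The declaration covers only port 1714 on tcp and udp; if the service can listen on more than that one port, declare the range here, and say in the commit message where the port number comes from.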
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/
From: Sven Vermeulen @ 2018-01-18 16:15 UTC
To: gentoo-commits
commit: 1288708d6097b3d28587465b562b038d3df1bb14
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Dec 13 18:15:36 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Dec 14 04:55:22 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1288708d
storage: Add fcontexts for NVMe disks
NVMe has several dev nodes for each device:
/dev/nvme0 is a char device for communicating with the controller
/dev/nvme0n1 is the block device that stores the data.
/dev/nvme0n1p1 is the first partition
policy/modules/kernel/storage.fc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index 375b10bc..c7e3ac0d 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -33,6 +33,8 @@
/dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/mtd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/nvme[0-9]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/nvme[0-9]n[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/pcd[0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
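Review bot: The block-device pattern /dev/nvme[0-9]n[^/]+ accepts only a single-digit controller number, while the char-device pattern on the line above it uses [0-9]+, so with ten or more controllers /dev/nvme10 is matched and /dev/nvme10n1 is not. Use /dev/nvme[0-9]+n[^/]+ so both lines cover the same controllers; otherwise the unmatched block nodes are left to whatever more general /dev entry applies instead of fixed_disk_device_t.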
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
From: Sven Vermeulen @ 2017-05-18 17:03 UTC
To: gentoo-commits
commit: b494138d68f12e694aa6b467270d405a417dd2c3
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun May 7 17:44:58 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 18 17:00:38 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b494138d
corecommands: add consolekit fcontexts
policy/modules/kernel/corecommands.fc | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index fe1a5e13..320044e9 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -173,8 +173,10 @@ ifdef(`distro_gentoo',`
/usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/wicd/monitor\.py -- gen_context(system_u:object_r:bin_t, s0)
/usr/lib/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/ConsoleKit/run-seat.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/courier-imap/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/cups(/.*)? gen_context(system_u:object_r:bin_t,s0)
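Review bot: The added /usr/lib/ConsoleKit/.* -- entry labels every regular file below that directory as bin_t, executable or not, and already covers the regular files under run-seat.d, run-session.d and scripts that the next three lines list. If only helper programs are meant, narrow the pattern; if the broad match is intended, say so in the commit message, since the three directory entries then matter only for the non-regular file types they add.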
@@ -332,7 +334,6 @@ ifdef(`distro_gentoo',`
/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
ifdef(`distro_debian',`
-/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/gdm3/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/udisks/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/bug/.* -- gen_context(system_u:object_r:bin_t,s0)
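Review bot: This removal takes /usr/lib/ConsoleKit/.* out of the ifdef(`distro_debian' block while the first hunk re-adds it elsewhere, so the rule changes scope, yet the subject only says "add consolekit fcontexts". State in the commit message that the Debian-only entry is being moved and which distributions it applies to afterwards.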
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/
From: Sven Vermeulen @ 2017-05-18 17:02 UTC
To: gentoo-commits
commit: b494138d68f12e694aa6b467270d405a417dd2c3
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun May 7 17:44:58 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 18 17:00:38 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b494138d
corecommands: add consolekit fcontexts
policy/modules/kernel/corecommands.fc | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index fe1a5e13..320044e9 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -173,8 +173,10 @@ ifdef(`distro_gentoo',`
/usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/wicd/monitor\.py -- gen_context(system_u:object_r:bin_t, s0)
/usr/lib/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/ConsoleKit/run-seat.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/courier-imap/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/cups(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -332,7 +334,6 @@ ifdef(`distro_gentoo',`
/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
ifdef(`distro_debian',`
-/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/gdm3/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/udisks/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/bug/.* -- gen_context(system_u:object_r:bin_t,s0)
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/
From: Sven Vermeulen @ 2017-05-18 16:54 UTC
To: gentoo-commits
commit: 44fb56ddcb130bb46f67d5bc1a4dc124cb35fe59
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sat Apr 29 18:17:47 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun May 7 15:53:18 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=44fb56dd
kernel: low-priority update
Update the kernel module with some low priority fixes.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/kernel/kernel.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 639b8454..87f5f9a4 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -276,6 +276,7 @@ dev_setattr_generic_blk_files(kernel_t)
dev_setattr_generic_chr_files(kernel_t)
dev_getattr_fs(kernel_t)
dev_getattr_sysfs(kernel_t)
+dev_write_kmsg(kernel_t)
# Mount root file system. Used when loading a policy
# from initrd, then mounting the root filesystem
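Review bot: dev_write_kmsg(kernel_t) is added with no comment, and the commit message ("some low priority fixes") does not say which operation needs kernel_t to write to kmsg. The block right below explains its rules with a comment; add one here, or quote the denial in the commit message, so the grant can be checked against a real need later.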
@@ -384,6 +385,7 @@ optional_policy(`
optional_policy(`
plymouthd_read_lib_files(kernel_t)
+ plymouthd_read_pid_files(kernel_t)
plymouthd_read_spool_files(kernel_t)
term_use_ptmx(kernel_t)
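Review bot: plymouthd_read_pid_files(kernel_t) is unrelated to the kmsg rule in the first hunk, and bundling both under "low-priority update" makes either one hard to revert or audit on its own. Split it into its own commit with a subject that names the access being granted.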
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/
From: Sven Vermeulen @ 2016-07-03 11:34 UTC
To: gentoo-commits
commit: fb5adde5e0a74184a838fba73f8f5d55102c89d2
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Jul 1 00:36:16 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jul 3 11:27:23 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fb5adde5
Module version bump for corecommands update from Garrett Holmstrom.
policy/modules/kernel/corecommands.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index e944817..8bf3252 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.21.4)
+policy_module(corecommands, 1.21.5)
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/
From: Sven Vermeulen @ 2016-07-03 11:34 UTC
To: gentoo-commits
commit: 54607cc91b1bf9ca7dbf3b9527776b5a0effefb1
Author: Garrett Holmstrom <gholms <AT> devzero <DOT> com>
AuthorDate: Wed Jun 29 23:27:13 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jul 3 11:27:12 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=54607cc9
corecmd: Remove fcontext for /etc/sysconfig/libvirtd
/etc/sysconfig/libvirtd does not have the executable bit set, so it does
not make sense for it to be labelled bin_t. I can't seem to find the
reason it was set that way originally.
Signed-off-by: Garrett Holmstrom <gholms <AT> devzero.com>
policy/modules/kernel/corecommands.fc | 1 -
1 file changed, 1 deletion(-)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 90541eb..c265d1f 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -105,7 +105,6 @@ ifdef(`distro_redhat',`
/etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0)
/etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0)
-/etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0)
/etc/sysconfig/netconsole -- gen_context(system_u:object_r:bin_t,s0)
/etc/sysconfig/readonly-root -- gen_context(system_u:object_r:bin_t,s0)
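Review bot: The reasoning in the commit message (no executable bit, so bin_t does not fit) may apply equally to the neighbouring /etc/sysconfig/crond, init, netconsole and readonly-root entries that stay bin_t in this hunk. Say whether those were checked, and note which label /etc/sysconfig/libvirtd ends up with after a relabel once this line is gone.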
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/
From: Sven Vermeulen @ 2016-07-03 11:34 UTC
To: gentoo-commits
commit: c2a380d8e68516d797985eb57246a0af54dbfe1e
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jun 21 17:09:47 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Jun 22 09:31:48 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c2a380d8
corecommands: Add fcontext for crossdev toolchains
policy/modules/kernel/corecommands.fc | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 35752e7..90541eb 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -347,8 +347,10 @@ ifdef(`distro_debian',`
')
ifdef(`distro_gentoo', `
-/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/.*-.*-linux-gnu/binutils-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/[^/]+-[^/]+-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/[^/]+-[^/]+-linux-gnu/binutils-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/[^/]+-[^/]+-linux-gnu/[^/]+/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/[^/]+-[^/]+-linux-gnu/[^/]+/binutils-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
')
ifdef(`distro_redhat', `
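Review bot: The [^/]+ tightening stops at the target directory: in gcc-bin/.*(/.*)? the .* already matches across slashes, which makes the trailing (/.*)? redundant; gcc-bin(/.*)?, as on the binutils-bin lines, or gcc-bin/[^/]+(/.*)? would state the intent more clearly. The patterns also still require the directory name to end in exactly linux-gnu, so a toolchain directory whose tuple ends differently is not covered; confirm that is intended for crossdev.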
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/
From: Sven Vermeulen @ 2015-10-10 12:11 UTC
To: gentoo-commits
commit: 50f8ca591816aac7bf881211f9b722955d59fc29
Author: Alexander Wetzel <alexander.wetzel <AT> web <DOT> de>
AuthorDate: Sat Sep 5 07:41:48 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 20 06:52:53 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=50f8ca59
adds vfio device support to base policy
Signed-off-by: Alexander Wetzel <alexander.wetzel <AT> web.de>
policy/modules/kernel/devices.fc | 1 +
policy/modules/kernel/devices.if | 36 ++++++++++++++++++++++++++++++++++++
policy/modules/kernel/devices.te | 3 +++
3 files changed, 40 insertions(+)
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index d6ebfcd..a33e395 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -118,6 +118,7 @@
ifdef(`distro_suse', `
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
')
+/dev/vfio/.+ -c gen_context(system_u:object_r:vfio_device_t,s0)
/dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0)
/dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index ed25979..835ec14 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4611,6 +4611,42 @@ interface(`dev_write_video_dev',`
########################################
## <summary>
+## Read and write vfio devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_vfio_dev',`
+ gen_require(`
+ type device_t, vfio_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
+########################################
+## <summary>
+## Relabel vfio devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_relabelfrom_vfio_dev',`
+ gen_require(`
+ type device_t, vfio_device_t;
+ ')
+
+ relabelfrom_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
+############################
+## <summary>
## Allow read/write the vhost net device
## </summary>
## <param name="domain">
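Review bot: Only dev_relabelfrom_vfio_dev is added; there is no matching relabelto (or combined relabel) interface, so a caller can move a node away from vfio_device_t but needs another route to put the label back. Add the counterpart or explain why one direction is enough. The separator added just above the existing vhost block is also shorter than the separator line used before the two new interfaces; keep it the same length.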
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 166c8f7..eb12597 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -273,6 +273,9 @@ dev_node(usbmon_device_t)
type userio_device_t;
dev_node(userio_device_t)
+type vfio_device_t;
+dev_node(vfio_device_t)
+
type v4l_device_t;
dev_node(v4l_device_t)
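Review bot: vfio_device_t is declared between userio_device_t and v4l_device_t, but the neighbouring types are in name order and "v4l" sorts before "vfio". Move the two added lines below dev_node(v4l_device_t).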
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/
From: Sven Vermeulen @ 2015-10-10 12:11 UTC
To: gentoo-commits
commit: 028f1be9b96aeef997d18a421e05e4bbd2b20bbc
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Sep 15 12:39:21 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 20 06:52:53 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=028f1be9
Module version bump for vfio device from Alexander Wetzel.
policy/modules/kernel/devices.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index eb12597..e5bcfcd 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.17.0)
+policy_module(devices, 1.17.1)
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/
From: Sven Vermeulen @ 2015-10-10 12:11 UTC
To: gentoo-commits
commit: 52bab858335f691b4469e369ff98c5f8ca521f3c
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Aug 11 12:46:41 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Aug 27 19:05:48 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=52bab858
Module version bump for APR build script labeling from Luis Ressel.
policy/modules/kernel/corecommands.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index fab919e..4c3554d 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.20.0)
+policy_module(corecommands, 1.20.1)
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/
From: Sven Vermeulen @ 2015-10-10 12:11 UTC
To: gentoo-commits
commit: 4cdea0f683f332134f3f93d79099f71d79d5f718
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Sat Aug 8 11:50:28 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Aug 27 19:05:48 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4cdea0f6
Mark APR build scripts as bin_t
I don't know why those are in /usr/share/build-1/ instead of
/usr/share/apr-0/build/ here, but it doesn't appear to be
Gentoo-specific.
policy/modules/kernel/corecommands.fc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 0c4a15b..f465e43 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -292,6 +292,8 @@ ifdef(`distro_gentoo',`
/usr/share/ajaxterm/qweb.py.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/build-1/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/build-1/libtool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/build-1/mkdir.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/dayplanner/dayplanner -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0)
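Review bot: The new /usr/share/build-1/[^/]+\.sh entry already matches mkdir.sh, so the existing /usr/share/build-1/mkdir.sh line kept as context right below it is now redundant (and its dot is unescaped). Drop it in the same change so the build-1 entries mirror the two apr-0 lines above.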
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/
From: Sven Vermeulen @ 2015-07-13 17:35 UTC
To: gentoo-commits
commit: de1e97adf612ca76797503eb1e8b8369dc428021
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jul 11 14:10:08 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Jul 13 17:35:07 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=de1e97ad
Enable Ceph as a valid SELinux-enabled file system
policy/modules/kernel/filesystem.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 32ecb93..840f0b2 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -22,6 +22,7 @@ sid fs gen_context(system_u:object_r:fs_t,s0)
# Use xattrs for the following filesystem types.
# Requires that a security xattr handler exist for the filesystem.
fs_use_xattr btrfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr ceph gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
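Review bot: The comment at the top of this list says a security xattr handler must exist for each filesystem named here, but neither the commit message nor a comment beside the new ceph line says from which kernel version ceph provides one. Add that reference so the entry can be checked against the kernels this policy supports.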
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/
From: Sven Vermeulen @ 2015-07-11 14:41 UTC
To: gentoo-commits
commit: fefd27c86ea6813d3834acb8d469b984f103869e
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jul 11 14:41:06 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Jul 11 14:41:06 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fefd27c8
Move to list as it does not seem to be recognized
policy/modules/kernel/filesystem.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 706f4d9..840f0b2 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -22,6 +22,7 @@ sid fs gen_context(system_u:object_r:fs_t,s0)
# Use xattrs for the following filesystem types.
# Requires that a security xattr handler exist for the filesystem.
fs_use_xattr btrfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr ceph gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
@@ -308,7 +309,6 @@ allow filesystem_unconfined_type filesystem_type:filesystem *;
allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
ifdef(`distro_gentoo',`
- fs_use_xattr ceph gen_context(system_u:object_r:fs_t,s0);
# Fix bug 535986 - Mark configfs_t as file type (and mountpoint probably as well)
files_mountpoint(configfs_t)
')
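Review bot: The commit message says the statement "does not seem to be recognized" inside the ifdef(`distro_gentoo' block, which this hunk removes it from, but not how that showed up. Record the observed symptom so the restriction on where fs_use_xattr may appear is documented for the next distro-specific filesystem entry.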
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/
From: Sven Vermeulen @ 2015-07-11 14:10 UTC
To: gentoo-commits
commit: 1569a84673e5a6ea4280940f1da9ef99bfd96e8a
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jul 11 14:10:08 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Jul 11 14:10:08 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1569a846
Enable Ceph as a valid SELinux-enabled file system
policy/modules/kernel/filesystem.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 32ecb93..706f4d9 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -308,6 +308,7 @@ allow filesystem_unconfined_type filesystem_type:filesystem *;
allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
ifdef(`distro_gentoo',`
+ fs_use_xattr ceph gen_context(system_u:object_r:fs_t,s0);
# Fix bug 535986 - Mark configfs_t as file type (and mountpoint probably as well)
files_mountpoint(configfs_t)
')
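Review bot: fs_use_xattr ceph is added inside the ifdef(`distro_gentoo' block, after the allow rules and next to the unrelated configfs_t mountpoint fix. Whether ceph can store security xattrs does not depend on the distribution, so declare it unconditionally rather than behind a distro conditional, and give the reason for the change in the commit message.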
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/
From: Sven Vermeulen @ 2015-06-07 9:31 UTC
To: gentoo-commits
commit: 2b907c6e33c8e7ada4826e2b94d699a8666eadf1
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Jun 7 09:17:36 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jun 7 09:17:36 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2b907c6e
Add dev_dontaudit_usbmon_dev interface
This will allow us to hide avc denials for applications erroneously
trying to read the usbmon device files.
policy/modules/kernel/devices.if | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 5ab0f6e..ed25979 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -5008,3 +5008,22 @@ interface(`dev_relabel_cpu_online',`
dev_search_sysfs($1)
allow $1 cpu_online_t:file relabel_file_perms;
')
+
+########################################
+## <summary>
+## Dont audit attempts to read usbmon devices
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain for which the attempts do not need to be audited
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_read_usbmon_dev',`
+ gen_require(`
+ type usbmon_device_t;
+ ')
+
+ dontaudit $1 usbmon_device_t:chr_file read_file_perms;
+')
+
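Review bot: The subject names the interface dev_dontaudit_usbmon_dev, but the code defines dev_dontaudit_read_usbmon_dev; fix the subject so a search of the log finds it. In the summary write "Do not audit" instead of "Dont audit", and drop the blank line added after the closing ') at the end of the file. Since dontaudit removes these denials from the audit log, the description should tell callers to use it only for domains whose usbmon reads are known to be spurious.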
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/
From: Sven Vermeulen @ 2015-06-09 13:24 UTC
To: gentoo-commits
commit: 2b907c6e33c8e7ada4826e2b94d699a8666eadf1
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Jun 7 09:17:36 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jun 7 09:17:36 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2b907c6e
Add dev_dontaudit_usbmon_dev interface
This will allow us to hide avc denials for applications erroneously
trying to read the usbmon device files.
policy/modules/kernel/devices.if | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 5ab0f6e..ed25979 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -5008,3 +5008,22 @@ interface(`dev_relabel_cpu_online',`
dev_search_sysfs($1)
allow $1 cpu_online_t:file relabel_file_perms;
')
+
+########################################
+## <summary>
+## Dont audit attempts to read usbmon devices
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain for which the attempts do not need to be audited
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_read_usbmon_dev',`
+ gen_require(`
+ type usbmon_device_t;
+ ')
+
+ dontaudit $1 usbmon_device_t:chr_file read_file_perms;
+')
+