public inbox for gentoo-commits@lists.gentoo.org
 help / color / mirror / Atom feed
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/
@ 2015-10-10 12:11 Sven Vermeulen
  0 siblings, 0 replies; 15+ messages in thread
From: Sven Vermeulen @ 2015-10-10 12:11 UTC (permalink / raw
  To: gentoo-commits

commit:     4cdea0f683f332134f3f93d79099f71d79d5f718
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Sat Aug  8 11:50:28 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Aug 27 19:05:48 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4cdea0f6

Mark APR build scripts as bin_t

I don't know why those are in /usr/share/build-1/ instead of
/usr/share/apr-0/build/ here, but it doesn't appear to be
Gentoo-specific.

 policy/modules/kernel/corecommands.fc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 0c4a15b..f465e43 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -292,6 +292,8 @@ ifdef(`distro_gentoo',`
 /usr/share/ajaxterm/qweb.py.* --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/apr-0/build/[^/]+\.sh --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/apr-0/build/libtool --	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/build-1/[^/]+\.sh	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/build-1/libtool	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/build-1/mkdir.sh	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/dayplanner/dayplanner --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/debconf/.+		--	gen_context(system_u:object_r:bin_t,s0)


^ permalink raw reply related	[flat|nested] 15+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/
@ 2018-01-18 16:15 Sven Vermeulen
  0 siblings, 0 replies; 15+ messages in thread
From: Sven Vermeulen @ 2018-01-18 16:15 UTC (permalink / raw
  To: gentoo-commits

commit:     1288708d6097b3d28587465b562b038d3df1bb14
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Dec 13 18:15:36 2017 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Dec 14 04:55:22 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1288708d

storage: Add fcontexts for NVMe disks

NVMe has several dev nodes for each device:
/dev/nvme0 is a char device for communicating with the controller
/dev/nvme0n1 is the block device that stores the data.
/dev/nvme0n1p1 is the first partition

 policy/modules/kernel/storage.fc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index 375b10bc..c7e3ac0d 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -33,6 +33,8 @@
 /dev/mspblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mtd.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/nb[^/]+		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/nvme[0-9]+		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/nvme[0-9]n[^/]+	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/optcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/p[fg][0-3]		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/pcd[0-3]		-b	gen_context(system_u:object_r:removable_device_t,s0)


^ permalink raw reply related	[flat|nested] 15+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
@ 2017-05-18 17:03 Sven Vermeulen
  2017-05-18 17:02 ` [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
  0 siblings, 1 reply; 15+ messages in thread
From: Sven Vermeulen @ 2017-05-18 17:03 UTC (permalink / raw
  To: gentoo-commits

commit:     b494138d68f12e694aa6b467270d405a417dd2c3
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun May  7 17:44:58 2017 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 18 17:00:38 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b494138d

corecommands: add consolekit fcontexts

 policy/modules/kernel/corecommands.fc | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index fe1a5e13..320044e9 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -173,8 +173,10 @@ ifdef(`distro_gentoo',`
 /usr/lib/qt.*/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/wicd/monitor\.py 	-- 	gen_context(system_u:object_r:bin_t, s0)
 /usr/lib/apt/methods.+		--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/ConsoleKit/.*	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/ConsoleKit/run-seat.d(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/ConsoleKit/run-session.d(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ConsoleKit/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/courier(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/courier-imap/.*	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/cups(/.*)? 			gen_context(system_u:object_r:bin_t,s0)
@@ -332,7 +334,6 @@ ifdef(`distro_gentoo',`
 /usr/X11R6/lib(64)?/X11/xkb/xkbcomp --	gen_context(system_u:object_r:bin_t,s0)
 
 ifdef(`distro_debian',`
-/usr/lib/ConsoleKit/.*		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/gdm3/.*		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/udisks/.*		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/bug/.*		--	gen_context(system_u:object_r:bin_t,s0)


^ permalink raw reply related	[flat|nested] 15+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/
@ 2017-05-18 16:54 Sven Vermeulen
  0 siblings, 0 replies; 15+ messages in thread
From: Sven Vermeulen @ 2017-05-18 16:54 UTC (permalink / raw
  To: gentoo-commits

commit:     44fb56ddcb130bb46f67d5bc1a4dc124cb35fe59
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sat Apr 29 18:17:47 2017 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun May  7 15:53:18 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=44fb56dd

kernel: low-priority update

Update the kernel module with some low priority fixes.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/kernel/kernel.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 639b8454..87f5f9a4 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -276,6 +276,7 @@ dev_setattr_generic_blk_files(kernel_t)
 dev_setattr_generic_chr_files(kernel_t)
 dev_getattr_fs(kernel_t)
 dev_getattr_sysfs(kernel_t)
+dev_write_kmsg(kernel_t)
 
 # Mount root file system. Used when loading a policy
 # from initrd, then mounting the root filesystem
@@ -384,6 +385,7 @@ optional_policy(`
 
 optional_policy(`
 	plymouthd_read_lib_files(kernel_t)
+	plymouthd_read_pid_files(kernel_t)
 	plymouthd_read_spool_files(kernel_t)
 
 	term_use_ptmx(kernel_t)


^ permalink raw reply related	[flat|nested] 15+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/
@ 2016-07-03 11:34 Sven Vermeulen
  0 siblings, 0 replies; 15+ messages in thread
From: Sven Vermeulen @ 2016-07-03 11:34 UTC (permalink / raw
  To: gentoo-commits

commit:     54607cc91b1bf9ca7dbf3b9527776b5a0effefb1
Author:     Garrett Holmstrom <gholms <AT> devzero <DOT> com>
AuthorDate: Wed Jun 29 23:27:13 2016 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jul  3 11:27:12 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=54607cc9

corecmd: Remove fcontext for /etc/sysconfig/libvirtd

/etc/sysconfig/libvirtd does not have the executable bit set, so it does
not make sense for it to be labelled bin_t.  I can't seem to find the
reason it was set that way originally.

Signed-off-by: Garrett Holmstrom <gholms <AT> devzero.com>

 policy/modules/kernel/corecommands.fc | 1 -
 1 file changed, 1 deletion(-)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 90541eb..c265d1f 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -105,7 +105,6 @@ ifdef(`distro_redhat',`
 
 /etc/sysconfig/crond		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/sysconfig/init		--	gen_context(system_u:object_r:bin_t,s0)
-/etc/sysconfig/libvirtd		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/sysconfig/netconsole	--	gen_context(system_u:object_r:bin_t,s0)
 /etc/sysconfig/readonly-root 	--	gen_context(system_u:object_r:bin_t,s0)
 


^ permalink raw reply related	[flat|nested] 15+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/
@ 2016-07-03 11:34 Sven Vermeulen
  0 siblings, 0 replies; 15+ messages in thread
From: Sven Vermeulen @ 2016-07-03 11:34 UTC (permalink / raw
  To: gentoo-commits

commit:     c2a380d8e68516d797985eb57246a0af54dbfe1e
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jun 21 17:09:47 2016 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Jun 22 09:31:48 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c2a380d8

corecommands: Add fcontext for crossdev toolchains

 policy/modules/kernel/corecommands.fc | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 35752e7..90541eb 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -347,8 +347,10 @@ ifdef(`distro_debian',`
 ')
 
 ifdef(`distro_gentoo', `
-/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-/usr/.*-.*-linux-gnu/binutils-bin(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+/usr/[^/]+-[^/]+-linux-gnu/gcc-bin/.*(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+/usr/[^/]+-[^/]+-linux-gnu/binutils-bin(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+/usr/[^/]+-[^/]+-linux-gnu/[^/]+/gcc-bin/.*(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+/usr/[^/]+-[^/]+-linux-gnu/[^/]+/binutils-bin(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 ')
 
 ifdef(`distro_redhat', `


^ permalink raw reply related	[flat|nested] 15+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/
@ 2016-07-03 11:34 Sven Vermeulen
  0 siblings, 0 replies; 15+ messages in thread
From: Sven Vermeulen @ 2016-07-03 11:34 UTC (permalink / raw
  To: gentoo-commits

commit:     fb5adde5e0a74184a838fba73f8f5d55102c89d2
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Jul  1 00:36:16 2016 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jul  3 11:27:23 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fb5adde5

Module version bump for corecommands update from Garrett Holmstrom.

 policy/modules/kernel/corecommands.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index e944817..8bf3252 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.21.4)
+policy_module(corecommands, 1.21.5)
 
 ########################################
 #


^ permalink raw reply related	[flat|nested] 15+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/
@ 2015-10-10 12:11 Sven Vermeulen
  0 siblings, 0 replies; 15+ messages in thread
From: Sven Vermeulen @ 2015-10-10 12:11 UTC (permalink / raw
  To: gentoo-commits

commit:     028f1be9b96aeef997d18a421e05e4bbd2b20bbc
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Sep 15 12:39:21 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 20 06:52:53 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=028f1be9

Module version bump for vfio device from Alexander Wetzel.

 policy/modules/kernel/devices.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index eb12597..e5bcfcd 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.17.0)
+policy_module(devices, 1.17.1)
 
 ########################################
 #


^ permalink raw reply related	[flat|nested] 15+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/
@ 2015-10-10 12:11 Sven Vermeulen
  0 siblings, 0 replies; 15+ messages in thread
From: Sven Vermeulen @ 2015-10-10 12:11 UTC (permalink / raw
  To: gentoo-commits

commit:     50f8ca591816aac7bf881211f9b722955d59fc29
Author:     Alexander Wetzel <alexander.wetzel <AT> web <DOT> de>
AuthorDate: Sat Sep  5 07:41:48 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 20 06:52:53 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=50f8ca59

adds vfio device support to base policy

Signed-off-by: Alexander Wetzel <alexander.wetzel <AT> web.de>

 policy/modules/kernel/devices.fc |  1 +
 policy/modules/kernel/devices.if | 36 ++++++++++++++++++++++++++++++++++++
 policy/modules/kernel/devices.te |  3 +++
 3 files changed, 40 insertions(+)

diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index d6ebfcd..a33e395 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -118,6 +118,7 @@
 ifdef(`distro_suse', `
 /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
 ')
+/dev/vfio/.+		-c      gen_context(system_u:object_r:vfio_device_t,s0)
 /dev/vhost-net		-c	gen_context(system_u:object_r:vhost_device_t,s0)
 /dev/vbi.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/vbox.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index ed25979..835ec14 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4611,6 +4611,42 @@ interface(`dev_write_video_dev',`
 
 ########################################
 ## <summary>
+##      Read and write vfio devices.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dev_rw_vfio_dev',`
+	gen_require(`
+		type device_t, vfio_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
+########################################
+## <summary>
+##      Relabel vfio devices.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dev_relabelfrom_vfio_dev',`
+	gen_require(`
+		type device_t, vfio_device_t;
+	')
+
+	relabelfrom_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
+############################
+## <summary>
 ##	Allow read/write the vhost net device
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 166c8f7..eb12597 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -273,6 +273,9 @@ dev_node(usbmon_device_t)
 type userio_device_t;
 dev_node(userio_device_t)
 
+type vfio_device_t;
+dev_node(vfio_device_t)
+
 type v4l_device_t;
 dev_node(v4l_device_t)
 


^ permalink raw reply related	[flat|nested] 15+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/
@ 2015-10-10 12:11 Sven Vermeulen
  0 siblings, 0 replies; 15+ messages in thread
From: Sven Vermeulen @ 2015-10-10 12:11 UTC (permalink / raw
  To: gentoo-commits

commit:     52bab858335f691b4469e369ff98c5f8ca521f3c
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Aug 11 12:46:41 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Aug 27 19:05:48 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=52bab858

Module version bump for APR build script labeling from Luis Ressel.

 policy/modules/kernel/corecommands.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index fab919e..4c3554d 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.20.0)
+policy_module(corecommands, 1.20.1)
 
 ########################################
 #


^ permalink raw reply related	[flat|nested] 15+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/
@ 2015-07-13 17:35 Sven Vermeulen
  0 siblings, 0 replies; 15+ messages in thread
From: Sven Vermeulen @ 2015-07-13 17:35 UTC (permalink / raw
  To: gentoo-commits

commit:     de1e97adf612ca76797503eb1e8b8369dc428021
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jul 11 14:10:08 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Jul 13 17:35:07 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=de1e97ad

Enable Ceph as a valid SELinux-enabled file system

 policy/modules/kernel/filesystem.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 32ecb93..840f0b2 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -22,6 +22,7 @@ sid fs gen_context(system_u:object_r:fs_t,s0)
 # Use xattrs for the following filesystem types.
 # Requires that a security xattr handler exist for the filesystem.
 fs_use_xattr btrfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr ceph gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);


^ permalink raw reply related	[flat|nested] 15+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/
@ 2015-07-11 14:41 Sven Vermeulen
  0 siblings, 0 replies; 15+ messages in thread
From: Sven Vermeulen @ 2015-07-11 14:41 UTC (permalink / raw
  To: gentoo-commits

commit:     fefd27c86ea6813d3834acb8d469b984f103869e
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jul 11 14:41:06 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Jul 11 14:41:06 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fefd27c8

Move to list as it does not seem to be recognized

 policy/modules/kernel/filesystem.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 706f4d9..840f0b2 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -22,6 +22,7 @@ sid fs gen_context(system_u:object_r:fs_t,s0)
 # Use xattrs for the following filesystem types.
 # Requires that a security xattr handler exist for the filesystem.
 fs_use_xattr btrfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr ceph gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
@@ -308,7 +309,6 @@ allow filesystem_unconfined_type filesystem_type:filesystem *;
 allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
 
 ifdef(`distro_gentoo',`
-	fs_use_xattr ceph gen_context(system_u:object_r:fs_t,s0);
 	# Fix bug 535986 - Mark configfs_t as file type (and mountpoint probably as well)
 	files_mountpoint(configfs_t)
 ')


^ permalink raw reply related	[flat|nested] 15+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/
@ 2015-07-11 14:10 Sven Vermeulen
  0 siblings, 0 replies; 15+ messages in thread
From: Sven Vermeulen @ 2015-07-11 14:10 UTC (permalink / raw
  To: gentoo-commits

commit:     1569a84673e5a6ea4280940f1da9ef99bfd96e8a
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jul 11 14:10:08 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Jul 11 14:10:08 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1569a846

Enable Ceph as a valid SELinux-enabled file system

 policy/modules/kernel/filesystem.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 32ecb93..706f4d9 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -308,6 +308,7 @@ allow filesystem_unconfined_type filesystem_type:filesystem *;
 allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
 
 ifdef(`distro_gentoo',`
+	fs_use_xattr ceph gen_context(system_u:object_r:fs_t,s0);
 	# Fix bug 535986 - Mark configfs_t as file type (and mountpoint probably as well)
 	files_mountpoint(configfs_t)
 ')


^ permalink raw reply related	[flat|nested] 15+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/
@ 2015-06-09 13:24 Sven Vermeulen
  0 siblings, 0 replies; 15+ messages in thread
From: Sven Vermeulen @ 2015-06-09 13:24 UTC (permalink / raw
  To: gentoo-commits

commit:     c57bbb62bf1c2b1430977133c2f8a8c738479021
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat May 30 15:00:26 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat May 30 15:00:26 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c57bbb62

add kdeconnect port 1714

 policy/modules/kernel/corenetwork.te.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 70f4ee8..07e4a9e 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -165,6 +165,7 @@ network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
 network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
 network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
 network_port(kismet, tcp,2501,s0)
+network_port(kdeconnect, tcp,1714,s0, udp,1714,s0)
 network_port(kprop, tcp,754,s0)
 network_port(ktalkd, udp,517,s0, udp,518,s0)
 network_port(l2tp, tcp,1701,s0, udp,1701,s0)


^ permalink raw reply related	[flat|nested] 15+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/
@ 2015-06-07  9:31 Sven Vermeulen
  2015-06-09 13:24 ` [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
  0 siblings, 1 reply; 15+ messages in thread
From: Sven Vermeulen @ 2015-06-07  9:31 UTC (permalink / raw
  To: gentoo-commits

commit:     2b907c6e33c8e7ada4826e2b94d699a8666eadf1
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Jun  7 09:17:36 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jun  7 09:17:36 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2b907c6e

Add dev_dontaudit_usbmon_dev interface

This will allow us to hide avc denials for applications erroneously
trying to read the usbmon device files.

 policy/modules/kernel/devices.if | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 5ab0f6e..ed25979 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -5008,3 +5008,22 @@ interface(`dev_relabel_cpu_online',`
 	dev_search_sysfs($1)
 	allow $1 cpu_online_t:file relabel_file_perms;
 ')
+
+########################################
+## <summary>
+##	Dont audit attempts to read usbmon devices
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain for which the attempts do not need to be audited
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_read_usbmon_dev',`
+	gen_require(`
+		type usbmon_device_t;
+	')
+
+	dontaudit $1 usbmon_device_t:chr_file read_file_perms;
+')
+


^ permalink raw reply related	[flat|nested] 15+ messages in thread

end of thread, other threads:[~2018-01-18 16:15 UTC | newest]

Thread overview: 15+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-10-10 12:11 [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/kernel/ Sven Vermeulen
  -- strict thread matches above, loose matches on Subject: below --
2018-01-18 16:15 Sven Vermeulen
2017-05-18 17:03 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2017-05-18 17:02 ` [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
2017-05-18 16:54 Sven Vermeulen
2016-07-03 11:34 Sven Vermeulen
2016-07-03 11:34 Sven Vermeulen
2016-07-03 11:34 Sven Vermeulen
2015-10-10 12:11 Sven Vermeulen
2015-10-10 12:11 Sven Vermeulen
2015-10-10 12:11 Sven Vermeulen
2015-07-13 17:35 Sven Vermeulen
2015-07-11 14:41 Sven Vermeulen
2015-07-11 14:10 Sven Vermeulen
2015-06-09 13:24 Sven Vermeulen
2015-06-07  9:31 [gentoo-commits] proj/hardened-refpolicy:next " Sven Vermeulen
2015-06-09 13:24 ` [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox